TS group policy


Chad Wickenheiser

I have one OU with a Terminal Server in it linked to two different
GPOs.

I want two global groups with each group getting their TSProfile and
Home Folder redirected to different servers. Two GPOs with different
settings are in the same OU, but I find that the last one always
overwrites the first GPO and there is no segregation like I am
intending.

I've tried setting deny "Apply group policy" permissions to try and
block one of the GPOs from applying to a particular group, but it
always seems to run through both GPOs anyways.

If I remove the Authenticated Users group, none of the policies get
applied.

Can anyone help me figure out how to get this scenario working?

Thanks.
 
Have you tried to replace the "Authenticated users" group (under
Security filtering) with one of the intended groups? One group for
each GPO?
Have you configured both GPOs with loopback processing, with the
"Replace" option?

260370 - How to Apply Group Policy Objects to Terminal Services
Servers
http://support.microsoft.com/?kbid=260370

231287 - Loopback Processing of Group Policy
http://support.microsoft.com/?kbid=231287

--
Vera Noest
MCSE, CCEA, Microsoft MVP - Terminal Server
http://hem.fyristorg.com/vera/IT
--- please respond in newsgroup, NOT by private email ---

(e-mail address removed) (Chad Wickenheiser) wrote on 18 Oct 2004 in
microsoft.public.win2000.termserv.apps:
 
> Have you tried to replace the "Authenticated users" group (under
> Security filtering) with one of the intended groups? One group for
> each GPO?

Yes, I have tried this already. It seems that if I remove
Authenticated Users from the Security Filtering list that none of the
policies get applied (even after I put in both the intended global
group and actual machine account).

I'd like one group for each GPO, but it looks like filtering is not
working at all (although running GPRESULT as the user seems to say
otherwise).

> Have you configured both GPOs with loopback processing, with the
> "Replace" option?

Yes, both GPOs have loopback enabled with Replace, not Merge. If I
use loopback, does the computer account have to be in the same OU as
the GPO imposing loopback? What if there is only one computer
account?

I also tried creating a sub-OU, assigning it a GPO and giving the OU
the Block Inheritance, but the GPO inside the sub doesn't seem to want
to process at all unless it's on the same level as the computer.

(BTW, I have not enabled No Override/Enforced on either GPO.)

> 260370 - How to Apply Group Policy Objects to Terminal Services
> Servers
> http://support.microsoft.com/?kbid=260370

Read this already..

> 231287 - Loopback Processing of Group Policy
> http://support.microsoft.com/?kbid=231287

Read this too..

Anything else I can check?
 
Yes, the machine account of the Terminal Server must be in the
same OU that the GPO with the loopback processing is linked to, as
in KB 260370.

I've no idea why this doesn't work for you. I would carefully go
through all the steps described here:

250842 - Troubleshooting Group Policy Application Problems
http://support.microsoft.com/?kbid=250842

--
Vera Noest
MCSE, CCEA, Microsoft MVP - Terminal Server
http://hem.fyristorg.com/vera/IT
--- please respond in newsgroup, NOT by private email ---

(e-mail address removed) (Chad Wickenheiser) wrote on 19 Oct 2004 in
microsoft.public.win2000.termserv.apps:
 
So I will now have two GPOs in one OU with one server and loopback
processing enabled.

If I want to apply computer settings in one GPO to one group, and
computer settings in another GPO to another group within that same OU,
can this be accomplished using security filtering?

It looks like the GPOs are being processed in order of precedence
regardless of what I put in the scope and denying the "Apply group
policy" setting to a group.
 
After some further investigation, it appears as though the user
settings are being correctly filtered based on group membership,
however the computer settings on each GPO are not. Is this by design?

Why does security filtering not work on the Computer Configuration
portion of the GPO, but on the User Configuration settings they do get
enforced?
 
That is by design.
Loopback processing means that the user portion of the settings in
the GPO are taken from the GPO that is linked to the OU which
contains the Terminal Servers, and not from the GPO that is linked
to the OU that contains the user accounts, as documented in KB
article 231287.
I thought that this is what you tried to accomplish?

--
Vera Noest
MCSE, CCEA, Microsoft MVP - Terminal Server
http://hem.fyristorg.com/vera/IT
--- please respond in newsgroup, NOT by private email ---

(e-mail address removed) (Chad Wickenheiser) wrote on 22 Oct 2004 in
microsoft.public.win2000.termserv.apps:
 
The TS home folder and profile are stored in the Computer
Configuration portion of the GPO.

These are the settings I want filtered based on group - yet I cannot..
only the user configuration settings.

How do I filter the computer settings?
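
The behaviour this thread arrives at, as an added example that is not part of the original posts: a simplified Python model of security filtering under loopback Replace, in which the Computer Configuration half of each GPO is filtered against the server's computer account and the User Configuration half against the logged-on user. All account, group, GPO and setting names are constructed for illustration.

```python
# Simplified model of GPO security filtering (added example; all names constructed).
from dataclasses import dataclass, field

@dataclass
class GPO:
    name: str
    link_order: int          # 1 = highest precedence among GPOs linked to the OU
    allow_apply: set         # principals allowed Read + Apply Group Policy
    deny_apply: set = field(default_factory=set)
    computer: dict = field(default_factory=dict)   # Computer Configuration settings
    user: dict = field(default_factory=dict)       # User Configuration settings

def passes_filter(gpo, token):
    """token = the account's own name plus every group it is a member of; deny wins."""
    return bool(gpo.allow_apply & token) and not (gpo.deny_apply & token)

def resultant(gpos, computer_token, user_token):
    """Loopback Replace: both halves come from GPOs linked to the server's OU."""
    comp, usr = {}, {}
    # Lowest precedence is processed first, so link order 1 is written last and wins.
    for gpo in sorted(gpos, key=lambda g: g.link_order, reverse=True):
        if passes_filter(gpo, computer_token):   # computer half: computer account
            comp.update(gpo.computer)
        if passes_filter(gpo, user_token):       # user half: logged-on user
            usr.update(gpo.user)
    return comp, usr

# Constructed tokens: one Terminal Server and two users in different global groups.
TS01 = {"TS01$", "Domain Computers", "Authenticated Users"}
ALICE = {"alice", "GroupA", "Authenticated Users"}
BOB = {"bob", "GroupB", "Authenticated Users"}

# Each GPO is filtered to one user group plus the server's machine account.
GPOS = [
    GPO("GPO-A", 1, {"GroupA", "TS01$"},
        computer={"TSProfilePath": r"\\srvA\profiles"}, user={"Wallpaper": "a.bmp"}),
    GPO("GPO-B", 2, {"GroupB", "TS01$"},
        computer={"TSProfilePath": r"\\srvB\profiles"}, user={"Wallpaper": "b.bmp"}),
]

def demo():
    """Resultant (computer, user) settings for each user logging on to TS01."""
    return {"alice": resultant(GPOS, TS01, ALICE), "bob": resultant(GPOS, TS01, BOB)}

if __name__ == "__main__":
    for who, (comp, usr) in demo().items():
        print(who, "computer:", comp, "user:", usr)
```

Both users receive the same computer-side profile path, because that half never looks at the user's group membership; only the user-side setting differs per group.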
 