No Computer Settings for TS group policy


Noncentz

Morning,

I am trying to lock down the desktop on my terminal servers via a GPO called
Terminal Services Lockdown. I used this guide mainly to find what I
needed. The GPO is applied to the 2 TS servers as well as a TS user group.
When I log in a testuser I run gpresult and find that my computer settings
are not applying but the user settings are. Any thoughts??

http://www.msterminalservices.org/articles/Managing-Terminal-Services-Group-Policy.html

Also I remember there being a white paper out about GPO on Terminal
services, anyone know of this??

----------------my gpresults from testuser
Microsoft (R) Windows (R) Operating System Group Policy Result tool v2.0
Copyright (C) Microsoft Corp. 1981-2001

Created On 6/4/2008 at 8:22:59 AM



RSOP data for MCCOYSALES\testuser on MCSVR03 : Logging Mode
------------------------------------------------------------

OS Type: Microsoft(R) Windows(R) Server 2003, Enterprise Edition
OS Configuration: Member Server
OS Version: 5.2.3790
Terminal Server Mode: Application Server
Site Name: N/A
Roaming Profile:
Local Profile: C:\Documents and Settings\testuser
Connected over a slow link?: No


USER SETTINGS
--------------
CN=TestUser,OU=SBSUsers,OU=Users,OU=MyBusiness,DC=mccoysales,DC=local
Last time Group Policy was applied: 6/4/2008 at 8:22:21 AM
Group Policy was applied from:
Group Policy slow link threshold: 500 kbps
Domain Name:
Domain Type: Windows 2000

Applied Group Policy Objects
-----------------------------
McCoy Wireless LAN Policy
Terminal Services Lockdown
Default Domain Policy
Local Group Policy

The following GPOs were not applied because they were filtered out
-------------------------------------------------------------------
Small Business Server Remote Assistance Policy
Filtering: Disabled (GPO)

Small Business Server Internet Connection Firewall
Filtering: Denied (WMI Filter)
WMI Filter: PreSP2

Small Business Server - Windows Vista policy
Filtering: Denied (WMI Filter)
WMI Filter: Vista

Small Business Server Client Computer
Filtering: Not Applied (Empty)

Small Business Server Domain Password Policy
Filtering: Not Applied (Empty)

Small Business Server Windows Firewall
Filtering: Denied (WMI Filter)
WMI Filter: PostSP2

EnlightenUsers
Filtering: Not Applied (Empty)

Small Business Server Lockout Policy
Filtering: Disabled (GPO)

WSUS Client Policy
Filtering: Denied (Security)

The user is a part of the following security groups
---------------------------------------------------
Domain Users
Everyone
Remote Desktop Users
BUILTIN\Users
REMOTE INTERACTIVE LOGON
NT AUTHORITY\INTERACTIVE
NT AUTHORITY\Authenticated Users
This Organization
LOCAL
Wireless Users
Prophet21_Users
CERTSVC_DCOM_ACCESS
 
Are the TS machine accounts added to the security filtering of the
GPO?

_________________________________________________________
Vera Noest
MCSE, CCEA, Microsoft MVP - Terminal Server
TS troubleshooting: http://ts.veranoest.net
___ please respond in newsgroup, NOT by private email ___

Noncentz <Noncentz@discussions.microsoft.com>
wrote on 05 jun 2008 in
microsoft.public.windows.terminal_services:

> Morning,
>
> I am trying to lock down the desktop on my terminal servers via a
> GPO called Terminal Services Lockdown. I used this guide mainly
> to find what I needed. The GPO is applied to the 2 TS
> servers as well as a TS user group. When I log in a testuser I
> run gpresult and find that my computer settings are not applying
> but the user settings are. Any thoughts??
>
 
Yes, currently I have 2 TS servers in the GPO applying the group policy with
full control. I also have some admin accounts denying the GPO.

When I log in as an administrator I can see the computer settings but not as
a domain user. These are my current settings for the GPO:

------------------------------------------------------
Terminal Services Lockdown
Data collected on: 6/6/2008 8:35:14 AM

General

Details
  Domain               mccoysales.local
  Owner                Company1\Domain Admins
  Created              6/3/2008 9:36:04 AM
  Modified             6/6/2008 8:30:02 AM
  User Revisions       1 (AD), 1 (sysvol)
  Computer Revisions   26 (AD), 26 (sysvol)
  Unique ID            {D9873791-6759-4AC3-8D1E-71A6E5129E16}
  GPO Status           Enabled

Links
  Location   Enforced   Link Status   Path
  Company1   Yes        Enabled       Company1.local

  This list only includes links in the domain of the GPO.

Security Filtering
  The settings in this GPO can only apply to the following groups, users, and
  computers:

  Name
  MCCOYSALES\Enterprise Admins
  MCCOYSALES\MCSVR03$
  MCCOYSALES\MCSVR04$
  NT AUTHORITY\Authenticated Users

WMI Filtering
  WMI Filter Name   None
  Description       Not applicable

Delegation
  These groups and users have the specified permission for this GPO

  Name                               Allowed Permissions                      Inherited
  MCCOYSALES\Admin2                  Custom                                   No
  MCCOYSALES\Enterprise Admins       Read (from Security Filtering)           No
  MCCOYSALES\Terminal03$             Edit settings, delete, modify security   No
  MCCOYSALES\Terminal04$             Edit settings, delete, modify security   No
  MCCOYSALES\Admin1                  Custom                                   No
  NT AUTHORITY\Authenticated Users   Custom                                   No
  NT AUTHORITY\SYSTEM                Custom                                   No

Computer Configuration (Enabled)

Administrative Templates

System/Group Policy
  Policy                                       Setting
  User Group Policy loopback processing mode   Enabled
    Mode: Replace

System/User Profiles
  Policy                                                           Setting
  Add the Administrators security group to roaming user profiles   Enabled
  Delete cached copies of roaming profiles                         Enabled

Windows Components/Internet Explorer/Internet Control Panel/Advanced Page
  Policy                                                         Setting
  Automatically check for Internet Explorer updates              Disabled
  Empty Temporary Internet Files folder when browser is closed   Enabled
  Play animations in web pages                                   Disabled
  Play sounds in web pages                                       Disabled
  Play videos in web pages                                       Disabled

Windows Components/Terminal Services
  Policy                                                             Setting
  Enforce Removal of Remote Desktop Wallpaper                        Enabled
  Limit number of connections                                        Enabled
    TS Maximum Connections allowed: 1
    Type 999999 for unlimited connections.
  Remove Disconnect option from Shut Down dialog                     Enabled
  Remove Windows Security item from Start menu                       Enabled
  Restrict Terminal Services users to a single remote session        Enabled
  Set path for TS Roaming Profiles                                   Enabled
    Profile path: \\mcsvr01\TSProfiles
    Specify the path in the form, \\Computername\Sharename
    Do not append the user name to the profile path: Disabled
  Set the Terminal Server licensing mode                             Enabled
    Specify the licensing mode for the terminal server: Per User
  Sets rules for remote control of Terminal Services user sessions   Enabled
    Options: Full Control without user's permission

Windows Components/Terminal Services/Client/Server data redirection
  Policy                                             Setting
  Allow audio redirection                            Disabled
  Allow Time Zone Redirection                        Enabled
  Do not allow COM port redirection                  Enabled
  Do not allow LPT port redirection                  Enabled
  Terminal Server Fallback Printer Driver Behavior   Enabled
    When Attempting to Find a Suitable Driver: Default to PCL if one is not
    found.

Windows Components/Terminal Services/Sessions
  Policy                                           Setting
  Set time limit for disconnected sessions         Enabled
    End a disconnected session: 30 minutes
  Terminate session when time limits are reached   Enabled

User Configuration (Enabled)

Windows Settings

Folder Redirection

My Documents
  Setting: Basic (Redirect everyone's folder to the same location)
  Path: \\%HOMESHARE%%HOMEPATH%

  Options
  Grant user exclusive rights to My Documents             Enabled
  Move the contents of My Documents to the new location   Enabled
  Policy Removal Behavior                                 Leave contents


"Vera Noest [MVP]" wrote:

> Are the TS machine accounts added to the security filtering of the
> GPO?
>
 
Run a Resultant Set of Policies for a normal user and a TS. Must
be something in the permissions, maybe this:
> NT AUTHORITY\Authenticated Users Custom No


I'd also post in the group_policy newsgroup, you'll probably get
better help there.

_________________________________________________________
Vera Noest
MCSE, CCEA, Microsoft MVP - Terminal Server
TS troubleshooting: http://ts.veranoest.net
___ please respond in newsgroup, NOT by private email ___

Noncentz <Noncentz@discussions.microsoft.com>
wrote on 06 jun 2008 in
microsoft.public.windows.terminal_services:

> Yes, currently I have 2 TS servers in the GPO applying the group
> policy with full control. I also have some admin accounts
> denying the GPO.
>
> When I log in as an administrator I can see the computer
> settings but not as a domain user. These are my current settings
> for the GPO:
>