GPO not being applied to terminal server sessions

phoeneous Member Posts: 2,333
We just got a new 2008 TS box and I'm trying to lock it down. For some reason, the GPO isn't being applied to users when they connect to the TS. Here are the steps I've done:

1. Created a TS OU
2. Created a TS security group
3. Created a test user
4. Put the test user in the TS security group
5. Put the TS security group in the TS OU
6. With GPMC, created a sample GPO that locks down desktop and start menu
7. Linked and applied that GPO to the TS OU

When the test user logs in, the GPO isn't being applied as verified with gpresult. Thoughts?

Comments

  • RobertKaucher Member Posts: 4,299
    I am fairly certain that security groups are normally filtered out of GPO processing because of the huge amount of complexity it could cause. You would basically be allowing a user to belong to multiple OUs, which could cause huge conflicts in GPO processing. You can still do it, though. You just have to grant the group the apply GPO permission.

    Yes of course you can assign Group Policies to Security Groups! - MS Windows Vista Compatible Software
  • aordal Member Posts: 372
    GPOs aren't applied to security groups. You have to apply the GP to users or computers. You can delimit by a security group but only if the users that are in the security group are in the OU that the GP is linked to.

    Hopefully that makes sense. What I would do is make those settings in the Computer Configuration. Then link that to an OU with your terminal server in it (make its own OU or delimit it by using a security group and modify the GP to only be read/applied by that Security group) and make sure you enable Loopback Processing in the GP.

    Try that out.
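
The setup suggested in the comment above (GPO linked to the terminal server's OU, loopback processing enabled, scope narrowed by security filtering), sketched with the GroupPolicy PowerShell module as an added example that is not from any poster in this thread. The GPO name, OU path, group name, and computer name are hypothetical placeholders, and the example assumes a management host with RSAT installed.

```powershell
# Added example: all names below are hypothetical placeholders.
Import-Module GroupPolicy

$gpoName = 'TS Lockdown'                    # hypothetical GPO name
$tsOU    = 'OU=TS,DC=example,DC=com'        # OU holding the terminal server COMPUTER account
$tsGroup = 'TS Users'                       # security group of users to lock down
$tsHost  = 'TS01'                           # terminal server computer account

New-GPO -Name $gpoName | Out-Null

# Loopback processing is a computer-side policy value:
# UserPolicyMode 1 = Merge, 2 = Replace.
Set-GPRegistryValue -Name $gpoName `
    -Key 'HKLM\Software\Policies\Microsoft\Windows\System' `
    -ValueName 'UserPolicyMode' -Type DWord -Value 2 | Out-Null

# Sample user-side lockdown settings (hide desktop icons, remove Run from Start menu).
$explorer = 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
Set-GPRegistryValue -Name $gpoName -Key $explorer -ValueName 'NoDesktop' -Type DWord -Value 1 | Out-Null
Set-GPRegistryValue -Name $gpoName -Key $explorer -ValueName 'NoRun'     -Type DWord -Value 1 | Out-Null

# Security filtering: the computer must apply the GPO to pick up loopback,
# and only members of the TS group receive the user settings.
# (Older module releases name this cmdlet Set-GPPermissions.)
Set-GPPermission -Name $gpoName -TargetName $tsHost  -TargetType Computer -PermissionLevel GpoApply | Out-Null
Set-GPPermission -Name $gpoName -TargetName $tsGroup -TargetType Group    -PermissionLevel GpoApply | Out-Null
# Downgrade the default Authenticated Users entry from Apply to Read.
Set-GPPermission -Name $gpoName -TargetName 'Authenticated Users' -TargetType Group `
    -PermissionLevel GpoRead -Replace | Out-Null

# Link to the OU that contains the terminal server, not the OU holding the group object.
New-GPLink -Name $gpoName -Target $tsOU -LinkEnabled Yes | Out-Null

# Review the resulting scope and settings before testing a logon.
Get-GPPermission -Name $gpoName -All | Select-Object Trustee, Permission
Get-GPOReport -Name $gpoName -ReportType Html -Path "$env:TEMP\ts-lockdown.html"
```

After `gpupdate /force` on the terminal server, `gpresult /r` run in the test user's session should list the GPO under the applied user settings.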
  • phoeneous Member Posts: 2,333
    Got it to work, thanks guys!