Eaglec
April 16th, 2004, 04:16 AM
I've been struggling with my new server system this week. Now, before I go on, let me just warn you this is not 'general user' stuff, so if you don't understand a word of it that's just fine. Then again, I also know we have some real true geeks in the community and I'm hoping one of those might come up with something clever, or hopefully something simple.
The Setup
2x Windows 2003 Standard Edition Servers set as Domain Controllers, Global Catalogue servers and DNS is installed only (not WINS)
2x Windows 2003 Enterprise Edition Servers set as file and application servers - although for the purposes of this problem these might as well not exist.
4x Windows 2003 Enterprise Edition Terminal Servers, in a NLB Cluster.
1st User with "Domain User" and "Remote Desktop" access to the cluster who is also a local Power User for Terminal Server 1
2nd User with "Domain User" and "Remote Desktop" access to the cluster who is also a local administrator for Terminal Server 1
An Organisational Unit in the Domain Tree with 2 Group Policy Objects linked to it.
I placed both users in the OU and if I log in with "1st User" the GP Rules do not get applied. For 2nd User they work perfectly. If I promote User1 to Local Admin then Group Policy Applies perfectly for him too.
I have run GPResult and get this output:
Microsoft (R) Windows (R) Operating System Group Policy Result tool v2.0
Copyright (C) Microsoft Corp. 1981-2001
Created On 16/04/2004 at 08:37:16
RSOP data for ENABLE\template1 on TS1 : Logging Mode
-----------------------------------------------------
OS Type: Microsoft(R) Windows(R) Server 2003, Enterprise Edition
OS Configuration: Member Server
OS Version: 5.2.3790
Terminal Server Mode: Application Server
Site Name: ENABLE
Roaming Profile: \\enable.local\profile1\Template1
Local Profile: C:\Documents and Settings\template1
Connected over a slow link?: No
USER SETTINGS
--------------
CN=Template 1,OU=Enable Users,DC=enable,DC=local
Last time Group Policy was applied: N/A
Group Policy was applied from: N/A
Group Policy slow link threshold: 500 kbps
Domain Name: ENABLE
Domain Type: Windows 2000
Applied Group Policy Objects
-----------------------------
Start Menu and TaskBar
Windows/IE settings
Default Domain Policy
The following GPOs were not applied because they were filtered out
-------------------------------------------------------------------
Local Group Policy
Filtering: Not Applied (Empty)
The user is a part of the following security groups
---------------------------------------------------
Domain Users
Everyone
Remote Desktop Users
BUILTIN\Users
BUILTIN\Power Users
REMOTE INTERACTIVE LOGON
NT AUTHORITY\INTERACTIVE
NT AUTHORITY\Authenticated Users
This Organization
LOCAL
As you can see it CLAIMS the GPOs are being applied but they are quite clearly not.
Same results from GPMC.
I have tried this several times and it seems on the terminal services servers only user accounts in the local administrators group can apply the GPO, which seems just ever so slightly completely insane.
Please, someone help me...