Group Policy Issues

[Eaglec]

I've been struggling with my new server system this week, now before I go on let me just warn you this is not 'general user' stuff so if you dont understand a word of it thats just fine. Then again I also know we have some real true geeks in the community and I'm hoping one of those might come up with something clever, or hopefully something simple.

The Setup
2x Windows 2003 Standard Edition Servers set as Domain Controllers, Global Catalogue servers and DNS is installed only (not WINS)
2x Windows 2003 Enterprise Edition Servers set as file and application servers - although for the purposes of this problem these might as well not exist.
4x Windows 2003 Enterprise Edition Terminal Servers, in a NLB Cluster.

1st User with "Domain User" and "Remote Desktop" access to the cluster who is also a local Power User for Terminal Server 1
2nd User with "Domain User" and "Remote Desktop" access to the cluster who is also a local administrator for Terminal Server 1

An Organisational Unit in the Domain Tree with 2 Group Policies Objects linked to it.

I placed both users in the OU and if I log in with "1st User" the GP Rules do not get applied. For 2nd User they work perfectly. If I promote User1 to Local Admin then Group Policy Applies perfectly for him too.

I have run GPReslut and get this output

Code:

Microsoft (R) Windows (R) Operating System Group Policy Result tool v2.0
Copyright (C) Microsoft Corp. 1981-2001

Created On 16/04/2004 at 08:37:16



RSOP data for ENABLE\template1 on TS1 : Logging Mode
-----------------------------------------------------

OS Type:                     Microsoft(R) Windows(R) Server 2003, Enterprise Edition
OS Configuration:            Member Server
OS Version:                  5.2.3790
Terminal Server Mode:        Application Server
Site Name:                   ENABLE
Roaming Profile:             \\enable.local\profile1\Template1
Local Profile:               C:\Documents and Settings\template1
Connected over a slow link?: No


USER SETTINGS
--------------
    CN=Template 1,OU=Enable Users,DC=enable,DC=local
    Last time Group Policy was applied: N/A
    Group Policy was applied from:      N/A
    Group Policy slow link threshold:   500 kbps
    Domain Name:                        ENABLE
    Domain Type:                        Windows 2000
    
    Applied Group Policy Objects
    -----------------------------
        Start Menu and TaskBar
        Windows/IE settings
        Default Domain Policy

    The following GPOs were not applied because they were filtered out
    -------------------------------------------------------------------
        Local Group Policy
            Filtering:  Not Applied (Empty)

    The user is a part of the following security groups
    ---------------------------------------------------
        Domain Users
        Everyone
        Remote Desktop Users
        BUILTIN\Users
        BUILTIN\Power Users
        REMOTE INTERACTIVE LOGON
        NT AUTHORITY\INTERACTIVE
        NT AUTHORITY\Authenticated Users
        This Organization
        LOCAL

As you can see it CLAIMS the GPO's are being applied but they are quit clearly not.
Same results from GPMC.

I have tried this several times and it seems on the terminal services servers only user accounts in the local administrators group can apply the GPO, which seems just ever so slightly completely insane.

Please, someone help me...

[CeeBee]

For the GP, under Properties>Security check the permissions for "Read" and "Apply", and make sure the said user has them.

[Eaglec]

Sorry, I should have mentioned I have checked this and Read and Apply is set for Authenticated Users and Everyone. The problem definately seems tied to local rights not domain rights.

[NooNoo]

I rarely play with this stuff but this seems to be about inheritance?

[Eaglec]

There is nothing inherited except the default policy. Which has no conflicting rules. The really confusing things are
1) GPResult and GPMC both tell me that the policies are being applied and that the required policy settings are comming from the GPO's that I want them to come from. Yet they so very obviously aren't.
2) The policy is enforced properly for Users in the 'local' administrators group so I could work around this issue by placing domain users into local admins and then restricting the users rights with a group policy back to the required level. Seems like insanity.
3) Especially odd, the gpresult output for user 'Template1' is the same if that user is in the local admins group or not. Even though the actual result of the GPO is quite different.