Group Policies - GPOs

GPOs

When configuring a Terminal Server, Group Policies should be your first choice, rather than using the Terminal Services Configuration tool. The main advantage is that the settings will be applied to all servers in your farm, ensuring identical settings on all servers.

A crucial option in any TS-related GPO is loopback processing. This setting allows you to define a set of user settings, which will only be applied to users when they log on to the Terminal Server, without affecting them when they log on to their workstation.

The basic steps to use a GPO to configure a Terminal Server:

1. place the Terminal Server (not the users!) in a separate OU
2. create a TS-specific GPO
3. configure the GPO to use "loopback processing" with the "Replace" option (see KB 231287)
4. link the GPO to the OU which contains the Terminal Server machine account
5. add the Terminal Server machine account to the security list of the GPO
6. add a User group to the security list of the GPO (or keep the default entry for "Authenticated Users" if you want the settings in the GPO to apply to all users)
7. modify the rights for Administrators on the GPO: select "Deny" for the right to "Apply this policy" (see KB 816100)

How-To's, White papers

Windows Server 2008 / Vista

Windows Server 2008 introduces Group Policy Preferences, in addition to Group Policy settings. Confused? Read all about it here:

• Windows Server 2008 TechCenter: Group Policy
• Download the Group Policy Preferences overview
• Group Policy Preferences FAQ
• 943729 - Information about new Group Policy preferences in Windows Server 2008

• Windows Server 2008 & Group Policy Management Console (GPMC)
• Download the Planning and Deploying Group Policy guide
• Download the Managing Group Policy ADMX Files Step-by-Step Guide
• Download the ADMX Migrator - utility to convert your existing Group Policy ADM Templates to the new ADMX format
• 929841 - How to create a Central Store for Group Policy Administrative Templates in Window Vista
• Download the Group Policy Settings Reference for Windows Server 2008
• Group Policy Settings for Terminal Services in Windows Server 2008

Windows Server 2003 / XP / 2000

• Step-by-Step Guide for Configuring Group Policy for Terminal Services
• Download the Windows Server 2003 Group Policy Infrastructure White Paper
• Download the Group Policy Settings Reference for Windows 2003
• Download the Group Policy Management Console - 2003
• Download the Group Policy ADM Files for each OS / SP combination of W2K, XP and 2003
• 260370 - How to Apply Group Policy Objects to Terminal Services Servers
• 231287 - Loopback Processing of Group Policy
• 816100 - How To Prevent Domain Group Policies from Applying to Administrator Accounts and Selected Users in Windows Server 2003
• How can I lock down my standalone TS with a local policy without locking down the Administrator account?
• Download the Using Administrative Template Files with Registry-Based Group Policy White Paper (2003 and XP)
• 910203 - How to implement system policies for Windows XP-based, Windows 2000-based, and Windows Server 2003-based client computers in non-Active Directory environments
• 816662 - Recommendations for managing Group Policy administrative template (.adm) files (2003)



• 322143 - HOW TO: Administer GPOs in Windows 2000
• 323639 - HOW TO: Create Custom Administrative Templates in Windows 2000
• 307900 - Upgrading Windows 2000 Group Policy for Windows XP (applies also to 2003)

Known problems and trubleshooting tools

Windows 2008

• 950876 - Group Policy settings are not applied on member computers that are running Windows Server 2008 or Windows Vista SP1 when certain SMB signing policies are enabled

• 250842 - Troubleshooting Group Policy Application Problems
• Download Group Policy Log View - a utility you use to export Group Policy event data from the system and operational log into a text, HTML, or XML file
• 940122 - How to use the Microsoft Group Policy Diagnostic Best Practice Analyzer (GPDBPA) tool to collect and to analyze data
• 910206 - How to troubleshoot Group Policy object processing failures that occur across multiple forests
• 887303 - Applying Group Policy causes Userenv errors and events to occur on your computers that are running Windows Server 2003, Windows XP, or Windows 2000
• 932460 - Error message when a domain administrator or a local administrator uses the GPResult.exe tool or runs an RSoP query in Windows Server 2003: “Access denied”
• 896669 - When use the Group Policy Object Editor on a computer that is running Windows Server 2003 or Windows XP to change GPOs on a remote domain controller, the changes do not take affect for a long time
• 951059 - On a Windows Server 2003-based computer, registry-based policy settings are unexpectedly removed after a user logs on to the computer
• 555218 - Some Group Policy areas are missing from the Group Policy Editor

TS related GPO issues

• 274443 - How to dynamically create security-enhanced redirected folders by using folder redirection in Windows 2000 and in Windows Server 2003
• 888203 - How to stop Folder Redirection in Windows Server 2003 and in Windows 2000 Server
• 938380 - After you apply a GPO to redirect a folder to a network share on Windows XP-based or on Windows Server 2003-based client computers, the redirected folder is empty
• 949143 - Windows Vista-specific folder redirection policies are removed from a GPO when you connect to an AGPM server component that is installed on a Windows Server 2003-based member server



• 231289 - Using Group Policy Objects to hide specified drives
• 818465 - HOW TO: Use Group Policy to Permit Users to Redirect and Play Audio in a Remote Desktop Session to Terminal Services in Windows Server 2003
• 324807 - How To Use Group Policy to Configure Automatic Logon in Windows Server 2003 Terminal Services
• 890864 - Some idle session Group Policy settings do not work if you try to use them on a Microsoft Windows XP Professional-based computer that is in a domain environment
• 839918 - Hotfix that lets you control whether a user can save a password for Remote Desktop Connection sessions to a terminal server in Windows XP or in Windows 2000