loopback processing

This follows the conversation GP to computer in the middle of April in this
conference.

I have been trying all the stuff you adviced:

>Loopback should work for you, just apply the gpo settings on the ou where
>the TS resides and set the loopback option.
>
>LoopBack
>http://support.microsoft.com/?kbid=231287
>
>Example of use
>http://www.msterminalservices.org/ar...up-Policy.html

It works except that the policy on the terminal server is applied to the
admins as well which is quite undesirable, I found a lot of info but the
general advice to deny the policy for the admin does not work, the user
settings in the loopback policy I created is not applied for the admin but
the computer settings is applied.

The settings of the loopback policy is in general according to
http://www.msterminalservices.org/ar...up-Policy.html

The permissions:
Authenticated users: read, apply
Creator owner: special permissions
Domain admins: read, write, create, delete, apply DENY
enterprise admins: read, write, create, delete
enterprise domain controllers: read
Terminal server computer: read, apply
system: read, write, create, delete

I must be missing some information. Any ideas?
Many thanks

Bobby, try a GP result using GPMC which will give you a better Idea as to
which poicly is winning and why?
Hope this Policy is not a Local Policy on the machine ?


"Bobby Gontarski" wrote:

> This follows the conversation GP to computer in the middle of April in this
> conference.
>
> I have been trying all the stuff you adviced:
>
> >Loopback should work for you, just apply the gpo settings on the ou where
> >the TS resides and set the loopback option.
> >
> >LoopBack
> >http://support.microsoft.com/?kbid=231287
> >
> >Example of use
> >http://www.msterminalservices.org/ar...up-Policy.html
>
> It works except that the policy on the terminal server is applied to the
> admins as well which is quite undesirable, I found a lot of info but the
> general advice to deny the policy for the admin does not work, the user
> settings in the loopback policy I created is not applied for the admin but
> the computer settings is applied.
>
> The settings of the loopback policy is in general according to
> http://www.msterminalservices.org/ar...up-Policy.html
>
> The permissions:
> Authenticated users: read, apply
> Creator owner: special permissions
> Domain admins: read, write, create, delete, apply DENY
> enterprise admins: read, write, create, delete
> enterprise domain controllers: read
> Terminal server computer: read, apply
> system: read, write, create, delete
>
> I must be missing some information. Any ideas?
> Many thanks
>
>
>
>

I am always using it, but cannot determine the reason:
the computer configuration is incorectly applied to administrator and is
listed under applied GPO even for a member of domain admins, this group has
denied in the apply policy permission

terminal_clients mydomain.local/Terminal servers
AD (46), Sysvol (46)


The user configuration is correctly denied for the administrator

terminal_clients mydomain.local
Access Denied (Security Filtering)


It is certainly my mistake in some step of the configuration but I cannot
find it.

Thanks for help.

"maverick" <maverick@discussions.microsoft.com> pí¹e v diskusním pøíspìvku
news:D71AFF6D-5B9D-49E1-AC0C-EF45DD15EAC6@microsoft.com...
> Bobby, try a GP result using GPMC which will give you a better Idea as to
> which poicly is winning and why?
> Hope this Policy is not a Local Policy on the machine ?
>
>
> "Bobby Gontarski" wrote:
>
>> This follows the conversation GP to computer in the middle of April in
>> this
>> conference.
>>
>> I have been trying all the stuff you adviced:
>>
>> >Loopback should work for you, just apply the gpo settings on the ou
>> >where
>> >the TS resides and set the loopback option.
>> >
>> >LoopBack
>> >http://support.microsoft.com/?kbid=231287
>> >
>> >Example of use
>> >http://www.msterminalservices.org/ar...up-Policy.html
>>
>> It works except that the policy on the terminal server is applied to the
>> admins as well which is quite undesirable, I found a lot of info but the
>> general advice to deny the policy for the admin does not work, the user
>> settings in the loopback policy I created is not applied for the admin
>> but
>> the computer settings is applied.
>>
>> The settings of the loopback policy is in general according to
>> http://www.msterminalservices.org/ar...up-Policy.html
>>
>> The permissions:
>> Authenticated users: read, apply
>> Creator owner: special permissions
>> Domain admins: read, write, create, delete, apply DENY
>> enterprise admins: read, write, create, delete
>> enterprise domain controllers: read
>> Terminal server computer: read, apply
>> system: read, write, create, delete
>>
>> I must be missing some information. Any ideas?
>> Many thanks
>>
>>
>>
>>

Hmm not very good is it!
Try this if you can...

1) create a new policy with just one setting that you think is applying to
the administrator.
2) Disable the actual policy which is a problem presently.

Now if the administrator is still getting the denied policy(from the new
policy) then take a backup of the admin profile(I am assuming that there will
be more than one admins on this machine)...and delete the profile..check the
policy.

If the policy still comes down after this...reply to me with the way the
OU's are organized and where the policy is applied and the ACL delegation for
domain admins in GPMC...

Hope this helps you...
Thanks
Maverick

"Bobby Gontarski" wrote:

> I am always using it, but cannot determine the reason:
> the computer configuration is incorectly applied to administrator and is
> listed under applied GPO even for a member of domain admins, this group has
> denied in the apply policy permission
>
> terminal_clients mydomain.local/Terminal servers
> AD (46), Sysvol (46)
>
>
> The user configuration is correctly denied for the administrator
>
> terminal_clients mydomain.local
> Access Denied (Security Filtering)
>
>
> It is certainly my mistake in some step of the configuration but I cannot
> find it.
>
> Thanks for help.
>
> "maverick" <maverick@discussions.microsoft.com> pÃ*¹e v diskusnÃ*m pøÃ*spìvku
> news:D71AFF6D-5B9D-49E1-AC0C-EF45DD15EAC6@microsoft.com...
> > Bobby, try a GP result using GPMC which will give you a better Idea as to
> > which poicly is winning and why?
> > Hope this Policy is not a Local Policy on the machine ?
> >
> >
> > "Bobby Gontarski" wrote:
> >
> >> This follows the conversation GP to computer in the middle of April in
> >> this
> >> conference.
> >>
> >> I have been trying all the stuff you adviced:
> >>
> >> >Loopback should work for you, just apply the gpo settings on the ou
> >> >where
> >> >the TS resides and set the loopback option.
> >> >
> >> >LoopBack
> >> >http://support.microsoft.com/?kbid=231287
> >> >
> >> >Example of use
> >> >http://www.msterminalservices.org/ar...up-Policy.html
> >>
> >> It works except that the policy on the terminal server is applied to the
> >> admins as well which is quite undesirable, I found a lot of info but the
> >> general advice to deny the policy for the admin does not work, the user
> >> settings in the loopback policy I created is not applied for the admin
> >> but
> >> the computer settings is applied.
> >>
> >> The settings of the loopback policy is in general according to
> >> http://www.msterminalservices.org/ar...up-Policy.html
> >>
> >> The permissions:
> >> Authenticated users: read, apply
> >> Creator owner: special permissions
> >> Domain admins: read, write, create, delete, apply DENY
> >> enterprise admins: read, write, create, delete
> >> enterprise domain controllers: read
> >> Terminal server computer: read, apply
> >> system: read, write, create, delete
> >>
> >> I must be missing some information. Any ideas?
> >> Many thanks
> >>
> >>
> >>
> >>
>
>
>