# Solved: Group Policy Nightmares



## mseto2 (May 5, 2011)

Ok guys, in AD I have an OU for our lab servers. I want end users to be able to RDP to them.

I right clicked the OU, Properties, Group Policy, Enabled RDP in Terminal Services and also added allow users to login via TS, two different settings in Group Policy.

I did a command prompt to force the changes down 'gpupdate /force'

Now, when I go to RDP to the servers, I get that same message "you must be granted logon permissions through terminal services".

If I have created this group policy for the OU, why am I still having issues?

This seems like it wants me to go to each server and add the users in through local policy, one by one, server by server. It can't be this tedious, can it?

Please help! and thank you so much!


----------



## DariusSupport (Apr 5, 2011)

Take the login by TS off the GPO. Probably a typo, but gupdate should be gpupdate /force.


----------



## mseto2 (May 5, 2011)

Yes, it was a typo.

I tried without the login by TS the first time but no go. Should that be the only thing I need to do?


----------



## DariusSupport (Apr 5, 2011)

My feeling would be that the update erased a bunch of settings in order to engage RD; it can happen with any update from MS, it just happened to be that one this time. Reset your RD on the server and the computers not being allowed to RD right now and that will get you closer to completing the task.


----------



## Rockn (Jul 29, 2001)

Do you have the proper TS licensing in place? Normally only administrative type users can RDP to the server. I believe they also need to be part of the Remote Desktop Users Group.


----------



## mseto2 (May 5, 2011)

Well, this is for simple RDP even. I created the GPO for the OU...but it still seems to want me to add the users to the local RDP group for each server, I thought GP could populate this all for me for all of the servers in the OU.

Another thing not functioning now, I created another GPO for the OU restricting access to the registry, did a gpupdate /force and then it still let me open the registry right after I logged on to a server after that.....what the **$*$*


----------



## Rockn (Jul 29, 2001)

Run the Group Policy Results Wizard against the computer and user account the GPO is running against. Some policies require a reboot before they will apply correctly. And a warning that some settings tattoo themselves and do not get removed once they are disabled in a GPO.


----------



## mseto2 (May 5, 2011)

Well, here's an update, just for testing I added the registry disable setting inside the default GPO "Default Domain Policy", did a gpupdate, logged off and logged back on the target machine and it worked. Registry editing disabled.

However, why isn't my policy I made being applied?

It doesn't even list it when I run a gpresult on the target machine, just keeps listing the "Default Domain Policy"...


----------



## Rockn (Jul 29, 2001)

Do you have the computer and user inside of the OU you created? Is the GPO linked to the OU? Did you apply settings to the user or the computer in the GPO?


----------



## mseto2 (May 5, 2011)

OHHHHH wow, what a simple thing to fix. My users weren't in the OU, so the ***USER*** GPO policy wasn't taking effect...didn't realize the difference.....

Thanks so much for your help guys!


----------
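A read-only check for the cause found in this thread (user-side settings not applying because the user objects sat outside the OU), added here as an example and not posted by any participant. The GPO, user and computer names are hypothetical placeholders; it assumes the RSAT ActiveDirectory and GroupPolicy modules and does not evaluate security filtering or WMI filters.

```powershell
# Added example: is a GPO in scope for a given user AND a given computer?
# User-side settings follow the user object's location in AD; computer-side
# settings follow the computer object's location. Nothing here changes AD.
Import-Module ActiveDirectory, GroupPolicy

$GpoName      = 'Lab Servers RDP'   # hypothetical GPO name
$UserName     = 'jdoe'              # hypothetical user logon name
$ComputerName = 'LABSRV01'          # hypothetical server name

function Get-GpoScopeTarget {
    # Nearest OU or domain DN above an object. GPOs cannot be linked to plain
    # containers such as CN=Users, so walk up until an OU= or DC= component.
    param([string]$DistinguishedName)
    $dn = $DistinguishedName -replace '^.+?(?<!\\),', ''
    while ($dn -notmatch '^(OU|DC)=') { $dn = $dn -replace '^.+?(?<!\\),', '' }
    return $dn
}

function Test-GpoSide {
    param($Gpo, [string]$ObjectDn, [ValidateSet('User', 'Computer')][string]$Side)
    $target = Get-GpoScopeTarget $ObjectDn
    # Links that reach this OU, whether set directly on it or inherited.
    $link = (Get-GPInheritance -Target $target).InheritedGpoLinks |
        Where-Object { $_.GpoId -eq $Gpo.Id -and $_.Enabled }
    [pscustomobject]@{
        Side        = $Side
        Object      = $ObjectDn
        LinkInScope = [bool]$link          # False: object is outside the linked OU
        LinkedAt    = $link.Target
        # The GPO can have its user or computer half switched off entirely.
        SideEnabled = "$($Gpo.GpoStatus)" -notin ('AllSettingsDisabled', "${Side}SettingsDisabled")
        # DSVersion stays 0 until that half of the GPO has been edited at least once.
        SideEdited  = $Gpo.$Side.DSVersion -gt 0
    }
}

$gpo  = Get-GPO -Name $GpoName
$user = Get-ADUser -Identity $UserName
$comp = Get-ADComputer -Identity $ComputerName

@(
    Test-GpoSide $gpo $user.DistinguishedName 'User'
    Test-GpoSide $gpo $comp.DistinguishedName 'Computer'
) | Format-List
```

A `User` row with `LinkInScope : False` next to a `Computer` row with `LinkInScope : True` is the situation described in the thread: the servers were in the OU, the user accounts were not.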

