
I'm trying to configure group policy for the terminal servers, and the users that will log on to them.

I created an OU in Active Directory called TERMINAL-SERVERS, then I moved Terminalsrv1 and terminalsrv2 to the OU.

Created a GPO linked to the OU TERMINAL-SERVERS, and made some changes to the policy to allow roaming profiles for terminal servers.

This works great, and it seems to apply the policy to the terminal servers.

However, when I make changes to user configuration and log on to the terminal server as a user, it won't apply the policy. When doing a GPresult /r it shows me that it neither applied nor denied the policy I created in the OU TERMINAL-SERVERS.

But when I link the TERMINAL-SERVERS GPO to SBSUsers under MYBUSINESS\Users\SBSUSers, it applies it to the user; the problem is that it will do this to every computer.

I only want to apply the policy to users logging in on terminal servers.

Where lies the problem?

OU= TERMINAL-SERVERS applied to verified users.

PandaNL

2 Answers

You are looking for the option to enable loopback processing for the group policy.

Group policies are by default determined by the OU the object is located in. As your users are not in the TERMINAL-SERVERS OU, the policy is not applied to them. Enabling loopback processing changes that if they log on to a computer located in the TERMINAL-SERVERS OU.

the-wabbit

You have three key misunderstandings here:

1) A GPO, by default, will only apply to objects which are in the OU

2) Computers will only ever process the "Computer" side of the policy

3) Users will only ever apply the "User" side of the policy

It's generally considered best practice to separate GPOs for User and Computer policies to help avoid confusion and make it clearer what's applying where.

In your case, you either need to create a separate policy for the Users and apply it to your SBSUsers OU, or use LoopBack policy to avoid the limitation listed in (1).

Dan
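Both answers point to loopback processing; the following is an added example, not code from either poster, showing one way to enable it on the GPO with the GroupPolicy PowerShell module and confirm the GPO is in a state where its User settings can reach users on the terminal servers. The GPO name and the OU distinguished name (`DC=example,DC=local`) are assumptions; replace them with your own.

```powershell
# Added example. Run on a machine with RSAT / the GroupPolicy module.
Import-Module GroupPolicy

$GpoName = 'TERMINAL-SERVERS'                         # assumed GPO name
$OuDn    = 'OU=TERMINAL-SERVERS,DC=example,DC=local'  # placeholder DN
$Key     = 'HKLM\Software\Policies\Microsoft\Windows\System'
$Mode    = 1   # 1 = Merge (user's own GPOs + this one), 2 = Replace

$gpo = Get-GPO -Name $GpoName -ErrorAction Stop

# Loopback is a Computer-side setting: it tells computers in scope of this
# GPO to also apply User settings from GPOs that apply to the computer.
Set-GPRegistryValue -Name $GpoName -Key $Key `
    -ValueName 'UserPolicyMode' -Type DWord -Value $Mode | Out-Null

# Read the value back from the GPO to confirm it was written.
$set = Get-GPRegistryValue -Name $GpoName -Key $Key -ValueName 'UserPolicyMode'
if ($set.Value -ne $Mode) {
    throw "UserPolicyMode is $($set.Value), expected $Mode"
}

# Loopback needs both halves of the GPO enabled: the Computer half carries
# the loopback switch, the User half carries the settings users receive.
if ($gpo.GpoStatus -ne 'AllSettingsEnabled') {
    Write-Warning "GPO status is $($gpo.GpoStatus); User or Computer settings are disabled."
}

# The GPO must be linked (and the link enabled) on the OU holding the servers.
$link = (Get-GPInheritance -Target $OuDn).GpoLinks |
    Where-Object { $_.DisplayName -eq $GpoName }
if (-not $link) {
    throw "GPO '$GpoName' is not linked to $OuDn"
} elseif (-not $link.Enabled) {
    Write-Warning "Link to $OuDn exists but is disabled."
}

"Loopback mode $Mode set on '$GpoName'; link order on OU: $($link.Order)"
```

After the terminal servers refresh computer policy (`gpupdate /force` or a reboot), a user logging on there should see the GPO under `gpresult /r /scope user`, while the same user on other computers is unaffected.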