Group Policy Not Applying - Server 2008

    Question

  • This just randomly stopped working.

    ====The policy===
    This policy applies a bunch of restrictions, but the thing that isn't working is 2 drive maps I have configured.  It stopped working, then started working again, and now it has stopped again.  I have them set up as follows:

    Action: Replace
    Location: \\192.168.x.x\SHARE1
    Reconnect: [yes] Label as: SHARE1
    Drive letter: USE: W
    connect as (optional): domain\administrator
    Password: xxxxxxxx Confirm Password: xxxxxxxx

    ===What is happening===
    I get an error saying they couldn't be mapped, and when I click on them I have to type in the administrator password.  I tried DELETING the drive maps from the policy, and they STILL APPLIED (same error as before).  I tried changing them to use IP addresses instead of hostnames, but when I log on they STILL SHOW THE OLD HOSTNAMES.

    ===The Setup===
    Box1: Server 2003 running terminal services
    Box2: Server 2008 running terminal services

    Box3: Server 2003 running as a domain controller (active directory/group policy)
    Box4: Server 2008 running as a domain controller (active directory/group policy)

    ===Thoughts===
    Is it possible since server 2003 doesn't have the same group policy setup that it's somehow interfering with the policy?

    So people of the internets, I call upon your mighty wisdom.  Why would my policy not allow me to change it, or delete it?

    I'm always running gpupdate /force on the domain controllers when I change the settings to no avail.

    EDIT:
    Also, I've checked event viewer on all the systems, which also shows nothing useful.
    Friday, April 03, 2009 11:23 PM

Answers

  • Hi,

    As Michael explained, it’s not suggested to provide the administrator password for normal user access.

    Please remove the "connect as" settings so that users log on with their own credentials. You may need to configure the share folder’s permissions to get this to work. Configure the following permissions:

    Share Permission:

    Administrators: Full Control
    System: Full Control
    Authenticated Users: Full Control

    NTFS Permission:

    Administrators: Full Control
    System: Full Control
    Creator Owner: Full Control
    Authenticated Users: Read & Execute, List Folder Contents, Read

    Thanks.

    This posting is provided "AS IS" with no warranties, and confers no rights.
    Wednesday, April 08, 2009 6:18 AM

All replies

  • bump... anybody have any idea? I really need help with this!
    Monday, April 06, 2009 3:27 PM
  • bump.............
    Monday, April 06, 2009 10:07 PM
  • I have a group policy set up in server 2008.  It maps some drives, creates some shortcuts, and restricts the user from doing a lot of things.

    So I log on to my terminal server via remote desktop from my workstation.  Great! Worked!  I go out on the floor to a Wyse terminal and use remote desktop to connect from there.  It works, except my drive maps get an error when I try to access them: Incorrect password or unknown username for: <shared folder path>.  It's definitely not wrong since I've been dicking around with this for a week.  domainname\administrator, then the password.

    From this point forth the group policy is locked.  If I delete the policy then the policy still applies to that user.  This time around, I had created everything from bare bone scratch.  New OU, with new GPO attached, with a new user in that OU.

    I don't know if this makes a difference but there is a server 2003 box in this domain too.  It is also a domain controller.

    Why would the group policy apply once, then never again for the user credentials?

    Thanks for any help,
    Steve
    Monday, April 06, 2009 11:31 PM
  • Hi,

    This issue may occur if a slow link was detected. Please configure the following settings to enhance IE settings.

    Computer Config / Administrative Templates / System / Group Policy / Drive Map Policy Processing

    Set the properties to enable:
    -"Allow processing across a slow network connection"
    -"process even if the Group Policy objects have not changed"

    If the clients are Windows XP, please also try to disable Fast Logon Optimization.

    Description of the Windows XP Professional Fast Logon Optimization feature
    http://support.microsoft.com/kb/305293

    After that, please run "gpupdate /force" and try to test.

    If the issue persists, open GPMC, right-click the Group Policy Results, choose Group Policy Results Wizard for a user, right-click the result, choose Save Report and send the report to tfwst@microsoft.com for research.

    Thanks.

    This posting is provided "AS IS" with no warranties, and confers no rights.
    Tuesday, April 07, 2009 9:35 AM
    Thanks so much for the reply.  Unfortunately, it didn't fix my problem.  I did as suggested and created the report and emailed it.  I think it doesn't work with what you suggested because when I remote desktop into it I'm using a Linux machine, not a Windows machine.  The Wyse terminals run Windows XPe, but the thin clients run a stripped-down version of Linux whose core purpose is to RDP into a terminal server.

    Any other suggestions?

    EDIT:

    I've tracked down the problem but I don't know how to fix it!!
    I created a GPO with ONLY drive map policies enabled.  Let me note that this is 1 user account intended for multiple users.  If one terminal logs on, the drives map flawlessly!  But once a second one logs on, it prompts for a password.  To test this theory, I switched who logged on first on the two terminals, and this is definitely what is happening.  Is there a proper setting to prevent this from happening?  Currently I'm using "replace" mode on the drive maps.
    Tuesday, April 07, 2009 3:59 PM
  • Hi Steve,

    This is difficult to diagnose as there's quite a bit of information missing.

    Questions for you:

    1. Are you running in Terminal Services Application mode or Admin mode?
    2. Why are you specifying high privilege credentials in your GPP drive mapping? This is unnecessary in this instance and also not a good practice.
    3. Are you running a 2008 domain controller as a terminal server?
    4. Are your share and NTFS level permissions covered correctly?
    5. When you do these two test logons are they the same logon account?

    Answers to some questions you asked:

    1. There is no issue with Server 2003 and 2008 DCs in the same domain unless you made the forest and/or domain functional Windows Server 2008 mode.
    2. I think you posted on this before, but you used a replace operation on GPP. The replace operation occurs every time the user logs on.
    3. To check policy application, use the Event Logging or GpLogview to help you diagnose if the policy is even getting to the machine.


    Michael Kleef
    Program Manager
    Tuesday, April 07, 2009 8:03 PM
    I've asked a number of questions and provided answers about this in the other similar question you asked. Could you please limit the threads if they are the same theme and issue?

    Regards

    Michael Kleef
    Program Manager
    Tuesday, April 07, 2009 8:05 PM
  • My apologies.  Ignore my other thread.


    Hi Steve,

    This is difficult to diagnose as there's quite a bit of information missing.

    Questions for you:

    1. Are you running in Terminal Services Application mode or Admin mode?
    2. Why are you specifying high privilege credentials in your GPP drive mapping? This is unnecessary in this instance and also not a good practice.
    3. Are you running a 2008 domain controller as a terminal server?
    4. Are your share and NTFS level permissions covered correctly?
    5. When you do these two test logons are they the same logon account?

    Answers to some questions you asked:

    1. There is no issue with Server 2003 and 2008 DCs in the same domain unless you made the forest and/or domain functional Windows Server 2008 mode.
    2. I think you posted on this before, but you used a replace operation on GPP. The replace operation occurs every time the user logs on.
    3. To check policy application, use the Event Logging or GpLogview to help you diagnose if the policy is even getting to the machine.


    Michael Kleef
    Program Manager

    I would like to start this series of questions by first stating I did not start this domain, and it's been bashed by administrators along the line.  I currently am trying to change things around, as a lot of things are already against practice. 

    1. I'm not sure of the difference... if by admin mode you mean they are logging on as administrators, no.
    2. Answered above.
    3. Unfortunately YES, and I KNOW this is bad practice.  The previous administrator set it up this way, BUT the DC machine is virtualizing the TS.
    4. NTFS permissions are fine.
    5. Yes, the same account (makes it easier for us to have many employees log on who do the same thing, less administration).

    1.  It's in server 2003 functionality mode
    2. Yes, this is what's happening and I don't know how to fix it
    3. I did, didn't find anything of use

    Thanks for the reply
    Tuesday, April 07, 2009 9:31 PM
    Ok. Let's keep going with the number format.

    1. Admin mode is where you don't configure anything on the server. It's using its default 3 connection limit for remote admin only. Application mode is where you configure it to be a Terminal Server, add CALs and install applications in a specific way. Which one is it?
    2. Remove the high privilege credentials from GPP. It's unnecessary and a security risk.
    3. I'd be very concerned with this configuration. Never run a DC as a Terminal Server.
    4. What about the share level permissions?
    5. Again not a great idea. What happens if you get an employee doing malicious things? How are you going to track down who it is?

    Other ones:
    1. That's good, the DCs will interoperate without issue.
    2. This is what's meant to happen, there's nothing to "fix".
    3. So when you execute GPUpdate /force on that DC do you see the policy that contains the drive mapping you wanted execute successfully - even if the mapping didn't work correctly, was the policy attempted to be applied?

    Tuesday, April 07, 2009 10:03 PM
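
An added example, not part of any post in this thread: the replies above ask for the "connect as" credentials to be removed from the drive maps. Group Policy Preferences writes drive maps to a Drives.xml file under the GPO's folder in SYSVOL, with the account in `userName` and the stored password in `cpassword`, so the check below lists every drive map that still carries them. The sample XML is constructed and simplified, and the function name is hypothetical.

```powershell
# Added example: list GPP drive maps that carry "connect as" credentials.
# Constructed, simplified Drives.xml modelled on the drive map in the question
# (the second drive, SHARE2, and the placeholder password are made up).
$sampleDrivesXml = @'
<Drives>
  <Drive name="W:">
    <Properties action="R" path="\\192.168.x.x\SHARE1" label="SHARE1" persistent="1"
                letter="W" userName="domain\administrator" cpassword="PLACEHOLDER"/>
  </Drive>
  <Drive name="X:">
    <Properties action="U" path="\\192.168.x.x\SHARE2" label="SHARE2" persistent="1"
                letter="X" userName="" cpassword=""/>
  </Drive>
</Drives>
'@

# Hypothetical helper name; written to run on PowerShell 2.0 and later.
function Get-GppDriveMapFinding {
    param(
        [Parameter(Mandatory = $true)][string]$XmlText,
        [string]$Source = '(inline sample)'
    )
    $doc = [xml]$XmlText
    foreach ($drive in $doc.Drives.Drive) {
        $p = $drive.Properties
        New-Object PSObject -Property @{
            Source         = $Source
            Letter         = $p.letter
            Path           = $p.path
            Action         = $p.action      # C, R, U or D
            ConnectAs      = $p.userName
            StoredPassword = -not [string]::IsNullOrEmpty($p.cpassword)
        } | Select-Object Source, Letter, Path, Action, ConnectAs, StoredPassword
    }
}

# Report only the drive maps that still need the credentials removed.
Get-GppDriveMapFinding -XmlText $sampleDrivesXml |
    Where-Object { $_.ConnectAs -or $_.StoredPassword } |
    Format-Table Letter, Path, Action, ConnectAs, StoredPassword -AutoSize

# Against a live domain, feed it each policy's file instead of the sample:
# Get-ChildItem "\\$env:USERDNSDOMAIN\SYSVOL" -Recurse -Filter Drives.xml |
#   ForEach-Object { Get-GppDriveMapFinding -XmlText ([IO.File]::ReadAllText($_.FullName)) -Source $_.FullName }
```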