I have an application mode W2K terminal server that people use to access an application. As an administrator, I need to access more stuff on it than the application, so we use either a direct console login or a DameWare session. I have recently created some new admin accounts as I work on reducing the rights on all domain administrators' normal accounts. I found that when I log in to the console as a newly created account, I get a locked down desktop, even as an admin on that server and/or a domain admin. If I use an old account, even if it's a user-level account, I get a normal desktop.
We have two GPs that affect the OU the server is in (aside from the default domain policy). One is a TermSrv lockdown which prohibits pretty much anything except the LOB app that needs to run. The other is an administrator access policy that allows full access for users in the domain admins group. I've determined that the TermSrv lockdown policy is being applied to the new accounts, even if I disable it, thus causing my problem.

In my troubleshooting efforts, I've cranked up userenv logging, and get the following in my log:

    USERENV(e8.8338) 17:04:15:113 ProcessGPOs: Processing extension Registry
    USERENV(e8.8338) 17:04:15:113 CheckForGPOsToRemove: GPO <TermServer Lockdown> needs to be removed
    USERENV(e8.8338) 17:04:15:113 GetDeletedGPOList: Finished.

I can't find anything that references the "CheckForGPOsToRemove" line, so I don't know what it's trying to do or if it's failing. I've run secedit /refreshpolicy machine/user_policy /enforce with no effect. I am considering a reboot to see if it will fix the issue.

Anyone know what the "CheckForGPOsToRemove" section means?

Thanks!

**********************
Charlie Kaiser
MCSE, CCNA
Systems Engineer
Essex Credit / Brickwalk
510 595 5083
**********************
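For comparing logons of an old and a new account, the userenv entries quoted above can be parsed into fields and the GPOs flagged on CheckForGPOsToRemove lines listed. This is an added example, not part of the original post; it assumes the `USERENV(pid.tid) time Function: message` layout seen in the three quoted lines, and the function names are hypothetical.

```python
import re
from collections import namedtuple

# Layout assumed from the lines quoted in the post:
#   USERENV(<pid>.<tid>) HH:MM:SS:mmm <Function>: <message>
# The message runs lazily up to the next "USERENV(" or the end of the text,
# so entries that were pasted onto one line are still split correctly.
ENTRY_RE = re.compile(
    r"USERENV\((?P<pid>[0-9a-fA-F]+)\.(?P<tid>[0-9a-fA-F]+)\)\s+"
    r"(?P<time>\d{2}:\d{2}:\d{2}:\d{3})\s+"
    r"(?P<func>\w+):\s+"
    r"(?P<msg>.*?)(?=\s*USERENV\(|\s*$)",
    re.DOTALL,
)
REMOVAL_RE = re.compile(r"GPO <(?P<name>[^>]+)> needs to be removed")

Entry = namedtuple("Entry", "pid tid time func msg")


def parse_userenv(text):
    """Return one Entry per USERENV record found in text."""
    return [Entry(**m.groupdict()) for m in ENTRY_RE.finditer(text)]


def gpos_flagged_for_removal(entries):
    """Return (time, gpo_name) for each CheckForGPOsToRemove removal line."""
    flagged = []
    for e in entries:
        if e.func != "CheckForGPOsToRemove":
            continue
        m = REMOVAL_RE.search(e.msg)
        if m:
            flagged.append((e.time, m.group("name")))
    return flagged


# Sample input: the three log lines from the post, run together on one line.
SAMPLE_RUN_TOGETHER = (
    "USERENV(e8.8338) 17:04:15:113 ProcessGPOs: Processing extension Registry "
    "USERENV(e8.8338) 17:04:15:113 CheckForGPOsToRemove: "
    "GPO <TermServer Lockdown> needs to be removed "
    "USERENV(e8.8338) 17:04:15:113 GetDeletedGPOList: Finished."
)
# The same lines, one record per line, as they would sit in the log file.
SAMPLE_PER_LINE = SAMPLE_RUN_TOGETHER.replace(" USERENV(", "\nUSERENV(") + "\n"

if __name__ == "__main__":
    for when, name in gpos_flagged_for_removal(parse_userenv(SAMPLE_PER_LINE)):
        print(f"{when}  flagged for removal: {name}")
```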
