Windows Server 2008 R2 Thread, Cross Domain Group Policy - Remote Desktop Session Host in Technical
Cross Domain Group Policy - Remote Desktop Session Host
Hope someone can help.
I am having massive trouble with Group Policy over our system. What we have is two domains: one (domain A) with the users on, with 4 DCs all with replication working and all the "fat" clients, and a second (domain B) with all the Remote Desktop Session Hosts on with their own DC.
We have a cross domain trust from Domain A to Domain B, which is Transitive, Two way and Forest wide Authenticated. This works, as you can get to files from one to the other and log on from one to the other etc., which is perfect.
However, here come the issues. The GPOs are not being loaded properly, so the user GPOs from Domain A and the Computer GPOs from Domain B, which should be applied to the Remote Desktop Session Hosts when the users log on, are just not coming in, meaning the students can see all the server settings and change what they like.
We are desperate to resolve this issue but I cannot see why the GPOs are not coming across and do not know where to start really. I have run rsop.msc and the result shows that the GPO on domain B called "Terminal Servers" is being applied but the rules don't work, so what the heck is going on I have no idea.
To accomplish this we actually set the user part settings for the Session Host in the domain of the Session Host. We went very granular in having a separate policy for the user part and the computer part. Apply both policies to the same OU. In the user part policy, configure 1 computer part setting which turns loopback processing on (either merge or replace). Then configure the user settings you want in this policy.
I can think of no technical reason why you'd need 2 policies, so feel free to just have 1 policy that configures the computer and user parts (just make sure loopback is configured).
Then for the scope of the policy we have a universal group, which contains a global group from the user domain, containing the users the settings should apply to when logging onto that particular Session Host.
This means we can have different user part settings for every Session Host if we so wish.
Hope that makes sense - was a nightmare to set up, but a fairly quick process for us to follow to create a new Session Host now. - Just to note, splitting the Session Hosts into another domain would not be my preferred approach, it was one of those "make this work" scenarios.
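
The setup described in the reply above, scripted with the GroupPolicy PowerShell module on a domain B management host, as an added example that is not part of the original thread. The domain, OU, GPO and group names are placeholders, and granting the Session Host computer group Apply rights (so the computer-side loopback setting is actually processed) is an assumption of this example rather than something the poster states.

```powershell
# Added example. All names below are placeholders, not values from the thread.
Import-Module GroupPolicy

$Domain    = 'domainb.example'                        # domain that holds the Session Hosts
$GpoName   = 'RDSH User Lockdown'                     # single GPO: loopback + user settings
$TargetOu  = 'OU=Session Hosts,DC=domainb,DC=example' # OU containing the Session Host computers
$UserGroup = 'RDSH-Lockdown-Users'  # universal group, contains a global group from domain A
$HostGroup = 'RDSH-Servers'         # assumed group of Session Host computer accounts

# Create the GPO in the Session Host domain.
New-GPO -Name $GpoName -Domain $Domain | Out-Null

# Loopback processing is a computer-side policy value: 1 = Merge, 2 = Replace.
# Replace ignores the user GPOs from the user's own domain on these hosts.
Set-GPRegistryValue -Name $GpoName -Domain $Domain `
    -Key 'HKLM\Software\Policies\Microsoft\Windows\System' `
    -ValueName 'UserPolicyMode' -Type DWord -Value 2 | Out-Null

# Link to the OU that holds the Session Host computer objects, not the users.
New-GPLink -Name $GpoName -Domain $Domain -Target $TargetOu -LinkEnabled Yes | Out-Null

# Security filtering: drop Authenticated Users from Apply to Read, then let only
# the universal user group and the Session Host computers apply the GPO.
# (Set-GPPermissions is the 2008 R2 cmdlet name; later releases keep it as an alias.)
Set-GPPermissions -Name $GpoName -Domain $Domain -TargetName 'Authenticated Users' `
    -TargetType Group -PermissionLevel GpoRead -Replace | Out-Null
foreach ($group in $UserGroup, $HostGroup) {
    Set-GPPermissions -Name $GpoName -Domain $Domain -TargetName $group `
        -TargetType Group -PermissionLevel GpoApply | Out-Null
}

# Review the resulting ACL before adding the user-side lockdown settings in GPMC.
Get-GPPermissions -Name $GpoName -Domain $Domain -All |
    Select-Object @{ n = 'Trustee'; e = { $_.Trustee.Name } }, Permission

# Verify on a Session Host while logged on as a domain A test user:
#   gpresult /scope user /r
# The GPO should be listed under "Applied Group Policy Objects" for the user.
```

If the GPO shows under "Applied Group Policy Objects" for the computer but not for the user, check that the test account is reachable through the universal group and that the group has both Read and Apply on the GPO.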