Hello. I'm just learning GP myself so sorry if this is completely basic and n00bie. When you stop using a GP setting don't you have to disable the setting to remove it from the computer, rather than setting it to undefined? If so then perhaps you've created a new GP with the lower security restrictions in place but have left the old settings as undefined, and therefore it still has them in place from the previous policy that applied? This wouldn't explain why you saw the policy work as you wished for 5 minutes, but it's the answer that sprang to my simple GP mind (if I'm correct). Andrew From: Darren Mar-Elia [mailto:darren@xxxxxxxxxx] Sent: 01 September 2008 21:29 To: gptalk@xxxxxxxxxxxxx Subject: [gptalk] Re: Puzzler - GP for one OU not being applied Just out of curiosity, can you do the following: Get either the command-line Regview.exe from the 2003 resource kit tools or my GUI PolViewer.exe utility (www.gpoguy.com/polviewer.htm). While logged in as the user who is getting the errant policies, open the file within %userprofile% called ntuser.pol (it might be hidden), from one of the tools above. That file contains an archive of all of the GP registry settings that are applying to the user. See if the errant policy is in that list. If so, you might want to try renaming that file to something else and then doing a gpupdate /force and see if that helps. Darren Darren Mar-Elia For comprehensive Windows Group Policy Information, check out www.gpoguy.com <http://www.gpoguy.com/> -- the best source for GPO FAQs, video training, tools and whitepapers. Also check out the Windows Group Policy Guide <http://www.amazon.com/gp/product/0735622175/qid=1122367169/sr=8-1/ref=pd_bbs_1/104-1133146-9411929?v=glance&n=283155> , the definitive resource for Group Policy information. Group Policy Management, Troubleshooting & Reporting Solutions at: http://www.sdmsoftware.com/products From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On Behalf Of Al Bracco Sent: Monday, September 01, 2008 1:13 PM To: gptalk@xxxxxxxxxxxxx Subject: [gptalk] Puzzler - GP for one OU not being applied I have previously posted this on Tek-tips = here is the transcript so far. QUESTION: Windows 2003 SP2 server (single DC). Had previously setup an OU and GP for 8 PCs located in stores that needed to be very locked down. Now one of those PCs needs some additional functionality enable. I created a new OU and moved that user account into it. I am using GPM. I created a new policy for that OU with my user configuration changes. It has been linked and enforced. I saw it work once for about 5 minutes after doing a gpupdate. After rebooting the PC, it stopped working. Instead of the new policy being applied, the old policy seems to be enforced. However, the new policy is the only one listed for this OU in GPM. I am not enforcing a domain default policy, either. If I run the Group Policy Results wizard for this computer/user, it shows my new GP0 as being the only one applied. I know the settings in the policy itself are correct. Any ideas on where to look next? Al ------------------------------------------------------------------- HANDLE: gmail2 POSTED ON: Aug 21, 2008 REPLY: that sounds very strange indeed !!! You say that RSoP shows the policy being applied so this should mean that the policies you have on place are being applied .. why so you think thwy're not ?? Can you give us some examples of what you configured that isn't working as expected ? HANDLE: albracco POSTED ON: Aug 22, 2008 REPLY: The store PCS are extremely locked down, so they can't change anything in Windows - just run the retail sql application they need. One example is printers. From the store PCs, they do not have the ability to get to Control Panel at all, never mind do anything with printers. The one PC in question is actually in the warehouse. That PC has 4 printers attached, and he needs the ability to select a printer from various applications. So, we need to unblock most restrictions to do with printers. When it worked for that brief time, the user could see control panel, and the only thing in it was Printers. And, from the various Windows applications, he could select the printer he needed. When the policy is not applied, he is completely locked out of those functions. We have had to keep him logged in as administrator so he can do what he needs. Obviously, we don't want to continue that. It seems like the old policy is still being applied, rather than the new one. Maybe it had something to do with when I moved the user account to the new OU? Perhaps I should try deleting the user account and creating a new one? Al ------------------------------------------------------------------- HANDLE: gmail2 POSTED ON: Aug 30, 2008 REPLY: sorry for the late reply on this. I wouldn't go deleting the account, but you could create a new one in the same environment, same group membership etc, and see if the policies have been applied ok Also, I presume you've already checked, but are there any warnings/errors in eventviewer or RSoP that indicate group policy processing failed? I still can't quiet understand how RSoP could show the settings you want yet they're not being applied. If you want you can use GPMC to save a HTML report of group policy results (RSoP) and list it here, and I'll have a look. Change any company/user names etc on the report as you see fit. Sorry I haven't been able to provide you with a concrete solution, but we don't have to admit defeat just yet !!! HANDLE: Lemon13 POSTED ON: Aug 31, 2008 REPLY: that i understand, the computers are in one ou and the restrictions apply, the u created another ou where u put in a user that weakens the restrictions for him on one of the pc´s in the other ou afik that wont work the restrictions are cumulativ with the most restrictive in place ------------------------------------------------------------------- HANDLE: gmail2 POSTED ON: Aug 31, 2008 REPLY: I don't think that's the case here because logging as admin means the restrictions are not in place. If the restrictions were per machine, it would apply to all accounts, even local ones [link ------------------------------------------------------------------- HANDLE: albracco POSTED ON: Sep 1, 2008 REPLY: yes, the policies are per user, not computer. I don't have a default policy that applies to everyone, just individual policies per OU and no policy for admin. If I log into that computer with a username from the "stores" OU, it applies the correct policies. if I login with the more restricted username, I still get the store policy characteristics, even though that policy is only linked to the stores OU. A real puzzler... -------------------------------------------------------------------