alsace
asked on
Group Policy Not getting aplied
Hi All,
Here is my situation:
We have a Group Policy applied Domain-Wide (ie applied to our domain in AD Users & Comp). Recently we made changes to it to fix the wallpaper to a specific bmp. It worked a treat - no probs.
What I wanted to do was exclude a group from getting that Group Policy (and therefore that wallpaper change), so I decided to try and exclude me first, then when I worked that out I could exclude particular groups from getting the policy - but something has gone awry! It isn't working! I'm sure it is an easy solution, I am missing something simple... Here is what I did to try and exclude me:
1. Under 'Groups' in AD Users & Computers I created a new group called 'No Group Policy', and added myself to it.
2. Then I right clicked on the 'Groups' Folder (which is a built-in Organisational Unit?) containing the new group (and of course all other groups in our domain) and created a new Group Policy. In this new policy I first tried leaving the default settings (ie 'not configured' for the wallpaper changes), then I tried using the same settings as the domain policy (above it) but changing the actual wallpaper bmp so I could tell which GP was being applied.
3. I then changed the permissions of the policy to allow the 'No Group Policy' group (of which I was a member) 'read' and 'apply group policy' permissions, and removed the 'apply group policy' permission to the Authenticated Users Group (note - after trying it and it not working, I changed this back to default but it still made no difference)
4. Then I ticked 'Block Policy Inheritence'
5. Then I refreshed the GP (start > run > cmd > secedit /refreshpolicy user_policy)
6. Ten I logged off and back on (to my laptop) but still got the domain-wide policy wallpaper...
What am I doing wrong?
From my understanding, the following is true:
- GP's are only applied to Sites, Domains and OU's (Which is why I applied the GP to the 'Groups' folder but only gave the 'No Group Policy' group access to it)
- GP's are applied in that order: Sites > Domains > OU's (which is why I created the new GP in the 'Groups' folder, which is UNDER the Domain GP isn't it? So it should have been applied last...
Is there perhaps an issue that I am a member of multiple groups? I also tried taking the new group ('No Group Policy') out of the equation and just gave myself explicit permissions on the GP but still didn't work.. I also tried explicity denying myself from the DOMAIN level GP, but the lower-level GP still didn't work (it just went back to my old wallpaper)
...?
Here is my situation:
We have a Group Policy applied Domain-Wide (ie applied to our domain in AD Users & Comp). Recently we made changes to it to fix the wallpaper to a specific bmp. It worked a treat - no probs.
What I wanted to do was exclude a group from getting that Group Policy (and therefore that wallpaper change), so I decided to try and exclude me first, then when I worked that out I could exclude particular groups from getting the policy - but something has gone awry! It isn't working! I'm sure it is an easy solution, I am missing something simple... Here is what I did to try and exclude me:
1. Under 'Groups' in AD Users & Computers I created a new group called 'No Group Policy', and added myself to it.
2. Then I right clicked on the 'Groups' Folder (which is a built-in Organisational Unit?) containing the new group (and of course all other groups in our domain) and created a new Group Policy. In this new policy I first tried leaving the default settings (ie 'not configured' for the wallpaper changes), then I tried using the same settings as the domain policy (above it) but changing the actual wallpaper bmp so I could tell which GP was being applied.
3. I then changed the permissions of the policy to allow the 'No Group Policy' group (of which I was a member) 'read' and 'apply group policy' permissions, and removed the 'apply group policy' permission to the Authenticated Users Group (note - after trying it and it not working, I changed this back to default but it still made no difference)
4. Then I ticked 'Block Policy Inheritence'
5. Then I refreshed the GP (start > run > cmd > secedit /refreshpolicy user_policy)
6. Ten I logged off and back on (to my laptop) but still got the domain-wide policy wallpaper...
What am I doing wrong?
From my understanding, the following is true:
- GP's are only applied to Sites, Domains and OU's (Which is why I applied the GP to the 'Groups' folder but only gave the 'No Group Policy' group access to it)
- GP's are applied in that order: Sites > Domains > OU's (which is why I created the new GP in the 'Groups' folder, which is UNDER the Domain GP isn't it? So it should have been applied last...
Is there perhaps an issue that I am a member of multiple groups? I also tried taking the new group ('No Group Policy') out of the equation and just gave myself explicit permissions on the GP but still didn't work.. I also tried explicity denying myself from the DOMAIN level GP, but the lower-level GP still didn't work (it just went back to my old wallpaper)
...?
Are you sure the domain wide policy has not been applied to the OU container also???
ASKER
Yeah it is being applied (because I am getting the standard wallpaper specified in the domain-wide GP), but I thought if I created a GP on that new OU it would override the domain-wide policy because (a) it was more specific (GP's are applied on the site, then the domain, then any OU's - in that order) and (b) I ticked the 'no-override' option in the new GP (which I thought was supposed to force it's application...)
Alsace.
Alsace.
Enable loopback processing on the new GP. Because the users are not in a branch of the tree that the GP is attached to, the GP will not be applied to the users.
Loopback is enabled in Computer Configuration, Admin Templates, System, Group Policy.
Loopback is enabled in Computer Configuration, Admin Templates, System, Group Policy.
ASKER
Hi harleyjd, thanks for the suggestion - but I wanted to avoid computer policies if I could and wanted to make it a user policy - a lot easier. Also the users are in a branch that the GP applies, as I have set the new GP on the Groups container...
I have found a solution - I just gave the 'no group policy' group (of which I am a member) explicit 'deny' access to the default domain policy - so it wasn't applied.
It works, but I still can't see why the original one didn't apply...
Thanks all for your help.
I have found a solution - I just gave the 'no group policy' group (of which I am a member) explicit 'deny' access to the default domain policy - so it wasn't applied.
It works, but I still can't see why the original one didn't apply...
Thanks all for your help.
PAQ/Refund
ASKER
Yeah I am happy for a PAQ/Refund, do I need to formally request it in another thread?
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.