Here is my situation:
We have a Group Policy applied Domain-Wide (ie applied to our domain in AD Users & Comp). Recently we made changes to it to fix the wallpaper to a specific bmp. It worked a treat - no probs.
What I wanted to do was exclude a group from getting that Group Policy (and therefore that wallpaper change), so I decided to try and exclude me first, then when I worked that out I could exclude particular groups from getting the policy - but something has gone awry! It isn't working! I'm sure it is an easy solution, I am missing something simple... Here is what I did to try and exclude me:
1. Under 'Groups' in AD Users & Computers I created a new group called 'No Group Policy', and added myself to it.
2. Then I right clicked on the 'Groups' Folder (which is a built-in Organisational Unit?) containing the new group (and of course all other groups in our domain) and created a new Group Policy. In this new policy I first tried leaving the default settings (ie 'not configured' for the wallpaper changes), then I tried using the same settings as the domain policy (above it) but changing the actual wallpaper bmp so I could tell which GP was being applied.
3. I then changed the permissions of the policy to allow the 'No Group Policy' group (of which I was a member) 'read' and 'apply group policy' permissions, and removed the 'apply group policy' permission to the Authenticated Users Group (note - after trying it and it not working, I changed this back to default but it still made no difference)
4. Then I ticked 'Block Policy Inheritence'
5. Then I refreshed the GP (start > run > cmd > secedit /refreshpolicy user_policy)
6. Ten I logged off and back on (to my laptop) but still got the domain-wide policy wallpaper...
What am I doing wrong?
From my understanding, the following is true:
- GP's are only applied to Sites, Domains and OU's (Which is why I applied the GP to the 'Groups' folder but only gave the 'No Group Policy' group access to it)
- GP's are applied in that order: Sites > Domains > OU's (which is why I created the new GP in the 'Groups' folder, which is UNDER the Domain GP isn't it? So it should have been applied last...
Is there perhaps an issue that I am a member of multiple groups? I also tried taking the new group ('No Group Policy') out of the equation and just gave myself explicit permissions on the GP but still didn't work.. I also tried explicity denying myself from the DOMAIN level GP, but the lower-level GP still didn't work (it just went back to my old wallpaper)