GPO -- I created one but doesn't work?

I created a GPO called "HighRiskUser", it disables access to add/remove, cmd prompt, etc....

TempUser (fictitious) is a member of GrpHighRisk AND IS ALSO IN OU OuHighRisk.  But when TEMPUSER loggs in XP client, NOTHING HAPPENS?


The following sites, domains, and OUs are linked to this GPO:
GrpRiskUsers   Enforced=Y,Link=Y
mpa.local        Enforced=Y,Link=Y


The settings in this GPO can only apply to the following groups:
GrpHighRisk (mpa\grpHighRisk)

WMI Filtering:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

epicazoAuthor Commented:

The following sites, domains, and OUs are linked to this GPO:
OuHighRisk   Enforced=Y,Link=Y
mpa.local        Enforced=Y,Link=Y
epicazoAuthor Commented:
I am using: SBS Small Business Server 2003
Jeffrey Kane - TechSoEasyPrincipal ConsultantCommented:
Well, all users MUST be in the Default OU:  MyBusiness > Users  > SBSUsers (which you can see from the GPMC).

Instead of creating a new OU under SBSUsers, the SBS method would be to create a new OU under Security Groups, and then create a Security Group in that OU.  Add any user you want to that, and then have your new GPO linked to that Security Group.

You also need to make sure that you use the Add-User wizard when creating any new users.  If you want to create a new user that is automatically put into this higher security group, create a new User Template for that purpose.


Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Also you could run a gpresult from a command prompt on the machine just to see if that policy is being applied to the user,

I assume all your settings are in the user section of the policy so you should see that policy being applied under user settings in the gpresult.

Are the GPO settings under Computer or User?  If it's under computer you have to apply the GPO to computers and not users and vice versa for users.

Also, you don't need to have enforced enabled.  Enforced just means if there are conflicting GPO entries it'll force the enforced one.

Oh yeah, make sure that the GPO policy is enforced to Domain Users or whatever security group these users are in.
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today

From novice to tech pro — start learning today.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.