GPO -- I created one but doesn't work?

Posted on 2006-04-21
Last Modified: 2008-03-17
I created a GPO called "HighRiskUser"; it disables access to add/remove, cmd prompt, etc.

TempUser (fictitious) is a member of GrpHighRisk AND IS ALSO IN OU OuHighRisk.  But when TEMPUSER logs in on the XP client, NOTHING HAPPENS?


The following sites, domains, and OUs are linked to this GPO:
GrpRiskUsers   Enforced=Y,Link=Y
mpa.local        Enforced=Y,Link=Y


The settings in this GPO can only apply to the following groups:
GrpHighRisk (mpa\grpHighRisk)

WMI Filtering:
Question by: epicazo

    Author Comment


    The following sites, domains, and OUs are linked to this GPO:
    OuHighRisk   Enforced=Y,Link=Y
    mpa.local        Enforced=Y,Link=Y

    Author Comment

    I am using: SBS Small Business Server 2003

    Accepted Solution

    Well, all users MUST be in the Default OU:  MyBusiness > Users  > SBSUsers (which you can see from the GPMC).

    Instead of creating a new OU under SBSUsers, the SBS method would be to create a new OU under Security Groups, and then create a Security Group in that OU.  Add any user you want to that, and then have your new GPO linked to that Security Group.

    You also need to make sure that you use the Add-User wizard when creating any new users.  If you want to create a new user that is automatically put into this higher security group, create a new User Template for that purpose.


    Expert Comment

    Also, you could run gpresult from a command prompt on the machine just to see if that policy is being applied to the user.

    I assume all your settings are in the user section of the policy so you should see that policy being applied under user settings in the gpresult.
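The gpresult check suggested in the comment above can be scripted. This is an added example, not part of the original thread: it parses saved `gpresult` text and reports whether a named GPO was applied or filtered out under the user or computer settings. The sample output is constructed and abridged, and the function names are hypothetical.

```python
# Constructed, abridged sample following the section layout of gpresult output
# (not the asker's real output; blank lines and dashed underlines omitted).
SAMPLE = """\
COMPUTER SETTINGS
    Applied Group Policy Objects
        Default Domain Policy
USER SETTINGS
    Applied Group Policy Objects
        Default Domain Policy
    The following GPOs were not applied because they were filtered out
        HighRiskUser
            Filtering:  Denied (Security)
    The user is a part of the following security groups
        Domain Users
"""

def parse_gpresult(text):
    """Return {scope: {"applied": [names], "filtered": {name: reason}}}."""
    result, scope, block, last = {}, None, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or set(line) == {"-"}:
            continue  # skip blanks and the dashed underlines gpresult prints
        if line in ("COMPUTER SETTINGS", "USER SETTINGS"):
            scope = line.split()[0].lower()
            result[scope] = {"applied": [], "filtered": {}}
            block = None
        elif scope and line == "Applied Group Policy Objects":
            block = "applied"
        elif scope and line.startswith("The following GPOs were not applied"):
            block = "filtered"
        elif line.startswith("The ") and "security groups" in line:
            block = None  # group membership list: not GPO names
        elif block == "applied":
            result[scope]["applied"].append(line)
        elif block == "filtered" and line.startswith("Filtering:"):
            result[scope]["filtered"][last] = line.split(":", 1)[1].strip()
        elif block == "filtered":
            last = line
            result[scope]["filtered"][last] = "unknown"
    return result

def gpo_status(text, gpo, scope="user"):
    section = parse_gpresult(text).get(scope, {"applied": [], "filtered": {}})
    if gpo in section["applied"]:
        return "applied"
    # "not listed" means gpresult showed the GPO neither as applied nor as filtered.
    return "filtered: " + section["filtered"][gpo] if gpo in section["filtered"] else "not listed"
```

Save the client's output with `gpresult > out.txt` and pass the file's text to `gpo_status(text, "HighRiskUser")`; a reason of `Denied (Security)` points at security filtering, while `not listed` points at where the GPO is linked.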


    Expert Comment

    Are the GPO settings under Computer or User?  If it's under computer you have to apply the GPO to computers and not users and vice versa for users.

    Also, you don't need to have enforced enabled.  Enforced just means if there are conflicting GPO entries it'll force the enforced one.

    Oh yeah, make sure that the GPO policy is enforced to Domain Users or whatever security group these users are in.
