Group Policy fails to reset local policy settings to "not configured" after they have been set to "enabled" by another GPO.
Posted on 2008-06-23
I'm having a problem with Group Policy settings not changing back to "not configured" after they have been set to "enabled" or "disabled" by another GPO.
Most GP settings in my environment are set to not configured, and have been for several years. Recently, I've experienced "not configured" settings showing up as disabled or enabled when they should be set to "not configured." After some trial and error, I realized that if a group policy object has set a policy setting to enabled, then it will write that setting to the computer's local policy. Then, when a different user logs in (with a different policy object) to the same computer, the settings that were enabled for the last user are not overwritten by not configured; they just stay set to enabled. If you set the group policy to disabled instead of not configured, the local policy will update correctly.
I'm sure that is very hard to follow, so I will try to provide a clear example of what I am talking about:
The standard user group policy has Deny access to control panel set to enabled. A standard user logs in to the machine, so GP changes the local computer policy setting Deny access to control panel to enabled. The standard user logs off, and an administrator logs on. The Deny access to control panel setting on the OU containing the administrator's account is set to not configured. GP changes the local computer policy setting to reflect the administrator account, but the settings that were set to enabled are not set back to not configured. The administrator cannot get to control panel, and when you check the local computer's policy settings you see that Deny access to control panel is still set to enabled even though it should be set to not configured.
Has anyone experienced this? Perhaps it's some sort of "feature" that I can't find documentation on? Thanks in advance.