Still celebrating National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17

x
?
Solved

Group Policy fails to reset local policy settings to "not configured" after they have been set to "enabled" by another GPO.

Posted on 2008-06-23
7
Medium Priority
?
1,921 Views
Last Modified: 2010-05-18
I'm having a problem with Group Policy settings not changing back to "not configured" after they have been set to "enabled" or "disabled" by another GPO.

Most GP settings in my environment are set to not configured, and have been for several years.  Recently, I've experienced "not configured" settings showing up as  disabled or enabled when they should be set to "not configured."   After some trial and error, I realized if a group policy object has set a policy setting to enabled then it will write that setting to the computers local policy.  Then, when a different user logs in (with a different policy object) to the same computer, the settings that were enabled for the last user are not overwritten by not configured, they just stay set to enabled.  If you set the group policy to disabled instead of not configured, the local policy will update correctly.

I'm sure that is very hard to follow, so I will try to provide a clear example of what I am talking about:

The standard user group policy has Deny access to control panel set to enabled.  A standard user logs in to the machine, so GP changes the local computer policy setting Deny access to control panel to enabled.  The standard user logs off, and an administrator logs on.  The Deny access to control panel setting on the OU containing the administrators account is set to not configured.  GP changes the local computer policy setting to reflect the administrator account, but the settings that were set to enabled are not set back to not configured.  The administrator cannot get to control panel, and when you check the local computers policy settings you see that Deny access to control panel is still set to enabled even though it should be set to not configured. 

Has anyone experienced this?  Perhaps it's some sort of "feature" that I can't find documentation on?  Thanks in advance.

0
Comment
Question by:usom
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 3
7 Comments
 
LVL 38

Expert Comment

by:Hypercat (Deb)
ID: 21849081
Have you checked the inheritance and enforcement settings for the policies? If the policy that applies to the Administrator is not set to "Enforce" and/or has inheritance blocked, and if the policy that applies to regular users is applied at a higher level (i.e., the domain or a parent OU), then the administrative policies will not override the regular policies.  That appears to be what is happening in your explanation.
0
 
LVL 38

Expert Comment

by:Hypercat (Deb)
ID: 21849088
That is, if it *doesn't* have inheritance blocked...
0
 

Author Comment

by:usom
ID: 21855881
No, it's not inheritance or enforcement settings, but thanks for your reply.  If the settings in the administrator's OU are "disabled" then that setting will overwrite the "enabled" setting, the problem is that a "not configured" setting will not overwrite "disabled" or "enabled."
0
Independent Software Vendors: We Want Your Opinion

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 
LVL 38

Expert Comment

by:Hypercat (Deb)
ID: 21856401
I get it - sorry I was probably a bit confused by your explanation ;-) That is normal behavior.  A "not configured" setting leaves whatever reg entry is affected in the same state it was before the policy was applied. So, as you described, if the setting was "not configured" before, the admin logon will change it; if it was "disabled" or "enabled" and the admin setting is "not configured," then nothing will happen.  This does make it very tricky when you have different users logging on with different group policies.  So, if you have something set to "disabled" for the users, you have to set the admin group policy to "enable" that same setting, and then set whatever options there are for that setting to the way you want it to behave for the admin.  For example, I have a group policy at one of my clients that hides the Connections tab in the IE options dialog box for regular users.  In the admin group policy I had to set that policy to "enable" and set the connections tab to be visible in order for admins to be able to see it.
0
 

Author Comment

by:usom
ID: 21856475
Yes I'm sorry the wording was confusing.  Thanks for the reply again.  How long has this been "normal behavior?"  I haven't actually changed any of the policies on the domain in question since 2006, and I hadn't had a problem with it up until now.  Strange...
0
 
LVL 38

Accepted Solution

by:
Hypercat (Deb) earned 1000 total points
ID: 21857328
Hmmm, that is strange.  Of course, something I forgot to mention is that it depends on what the policy is.  Most if not all of policies in the user container affect only the user's .dat file (HKCU hive in the registry), so they wouldn't be affected by the "not configured" issue.  If the policies you're talking about are in the user container, then maybe there is something else going on.
0
 

Author Comment

by:usom
ID: 22371750
The issue has been fixed
0

Featured Post

[Webinar] Lessons on Recovering from Petya

Skyport is working hard to help customers recover from recent attacks, like the Petya worm. This work has brought to light some important lessons. New malware attacks like this can take down your entire environment. Learn from others mistakes on how to prevent Petya like worms.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

An introduction to the wonderful sport of Scam Baiting.  Learn how to help fight scammers by beating them at their own game. This great pass time helps the world, while providing an endless source of entertainment. Enjoy!
In this modest contribution, I want to share with the IT community (especially system administrators, IT Support Engineers and IT Help Desks) about Windows crashes/hangs and how to deal with these particular problems.
Michael from AdRem Software explains how to view the most utilized and worst performing nodes in your network, by accessing the Top Charts view in NetCrunch network monitor (https://www.adremsoft.com/). Top Charts is a view in which you can set seve…
How to fix incompatible JVM issue while installing Eclipse While installing Eclipse in windows, got one error like above and unable to proceed with the installation. This video describes how to successfully install Eclipse. How to solve incompa…

660 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question