User stuck with the wrong group policy enforced...

One of our clients has several different sets of GPOs based on specific users and the the PCs they log in on.   For instance, if they log in using a terminal server, their session is severely locked down, whereas if they log on to a desktop or laptop, its more lax.

One of the users used the terminal server the other night to work from home.  Upon returning to the office, she logged into her PC and still had the terminal server GPO applied to her user name.   We can't run GPUPDATE because of the security lock down... we can't even right click on My Computer to get to properties, see the C drive or even map a drive.

I created a test user with identical settings as the user and that account could log into her desktop with no issues at all.  She logged into a different computer and had the same lock down, which says to me that something is up with the account.

I checked the Term Server and there were no active or disconnected sessions from her.  I tried GPUDATE as the test user, but as expected it didn't do anything.

Anyone have any ideas?
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

I would double check the gpo settings sounds like somebody made a change, the terminal gpo should not have been applied to the desktop,by the sounds of the set up.  A gpupdate wont work at this time but a log off , or a hard shutdown and a log on should force the new policy settings.
have you tried gpupdate /sync?
FrontlineTechAuthor Commented:
Efren - I tried it logged in as another user to that machine.  This was a TEST user account I logged in with that was an identical copy of the user's account.    That user had the proper GPO applied and we could do anything.  Unfortunately it did not work.   Worse off I CANNOT run gpudate when she is logged in because of the restrictions in place.

DaWilliams - No one else logging into the computer is having the same issue and no one else on the domain is having the issue, so I don't think it was a GPO change or more people would be affected.  As I stated in the description, her account faces this regardless of which PC she logs into...  We tried hard reboots, but its not the DEVICE GPO but the USER GPO that seems to be the issue.
Cloud as a Security Delivery Platform for MSSPs

Every Managed Security Service Provider (MSSP) needs a platform to deliver effective and efficient security-as-a-service to their customers. Scale, elasticity and profitability are a few of the many features that a Cloud platform offers. View our on-demand webinar to learn more!

well you can always try exclude that test user from the gpo and then run a gpupdate /sync  , is the gpupdate blocked at the local machine level or via a gpo?
FrontlineTechAuthor Commented:
Efren - The test user WORKS FINE.  Everyother user on that machine and in the domain works fine.  It is JUST her username.  I ran GPUDATE /sync under the test user.... this will not fix the issue because it won't update the GP for the problem user.  

GPUPDATE is not blocked, but rather running any kind of command line is UNDER THE PROBLEM USER.    The particular GPO that is sticking with the user is locking down everything.  I can't right click, I can't open a command line, I can't use the RUN command, I can't see the C drive.  EVERYTHING is locked down.  I tried running GPUPDATE using a batch file and it too was restricted.

For some reason, the Term Servers GPO that applies to users when they log into a Term Server is staying applied to her User account even though she is not logged into a term server and is instead logged into her laptop.    I need to find a way to force a GPUPDATE for her USERNAME, but can't find a way to do it.  I can't connect to the PC using PSEXEC nor through the GPO wizard.
hmm have you ran gpupdate /force on the servers? i remembered you said shes blocked on anyother pc so it might be stuck on the server itself
FrontlineTechAuthor Commented:
Efren - I will try it, but my understanding of GPUDATE is that it will only update the specific user and the specific PC.... which means her USER name is still not updated.    Trying it now and no change.  
yea but wanted to give it a shot, hmm let me think
can you exclude her from the gpo of the terminal ?
Maybe you could change the terminal gpo settings on the domain, temporarily, and then run GPUDATE, then change the permissions back to how they were.

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
FrontlineTechAuthor Commented:

Its funny that you say that because that occurred to me as well yesterday afternoon.   I am waiting to hear back from her.  Will keep you posted.
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
OS Security

From novice to tech pro — start learning today.