I have my domain structure something like below.
| -- User GPOs are attached here
|---<Site> (there are few user GPOs attached to the sites also)
| --- <Users Container>
| --- <Special Computers OU>
|---- <Computers OU>
I want to execute a logoff script on special computers when ever a user login to that. I have several computer/user policies configured at domain and site level. I created and linked new GPO(logoff scripts) on Special computers OU with loopback (merge) mode enabled and logoff script configured. But the problem is that, when a user is logging into the special computer, I can see from RSOP that user related policies are getting processed two times. I know the reason for this - in merge mode, when the user is logging in, first all the user policies will get applied and then computer process all the policies to which it has access and has user settings and applies the settings to user(that is what meant by merge mode). Because of this behavior, all the user policies are getting applied twice on special computers. So, I have denied read/apply access to special computers on User GPOs which are at domain and site level. But to my surprise, they are still getting applied though computers are denied to read/apply.
Any one has idea why it is happening like this? I couldn't find any traces of this problem.