plokij5006


Group Policy on SBS 2008 - how to remove one feature for one User.

We have a group policy feature enabled on our SBS 2008 box under Windows SBS User Policy. The feature needs to be turned off for one User only. The feature is 'Enable Active Desktop' and is 'Enabled'. I have created a new OU, 'No Active Desktop' and I have blocked inheritance but I want to know how to recreate all of the Windows SBS User Policy features except this one so that this is effectively turned off for any users that I place in this OU. Any help appreciated.
Randy Downs

Try this:

http://help.wugnet.com/windows2/Copy-Group-Policy-OU-ftopict517788.html

In GPMC you can also copy an existing GPO. Install Group Policy Management Console and see what it can do for you.
http://www.microsoft.com/downloads/details.aspx?FamilyId=0A6D4C24-8CBD...35-9272 
jrgcomputing

It's difficult to advise on this without knowing the reason for blocking 1 user. I wouldn't block inheritance for a start. You're much better controlling what policies are applied to users through group membership, so I would do the following:

Create 2 Groups (GP Active Desktop ENA, GP Active Desktop DIS)
Create 2 Group Policies (GP Active Desktop ENA, GP Active Desktop DIS)
Set original Group Policy Active Desktop to not defined
plokij5006 (ASKER)

Thanks for the replies, I had already tried linking the GPO to the new OU but when I change this setting in the linked GPO, it changes the setting globally. It tells me this will be the case when I select the linked GPO. Any ideas?

Also, I already have an OU for all SBS Users and I just want to specialize one user (Active Desktop crashes their system immediately when turned on by the GP), so I don't want to create a new OU and put everyone bar one in it, if I can help it.

Thanks
You say you have this set under Windows SBS User Policy, but I want to verify that this is indeed a user policy setting and not a computer policy one.  What's the path to the policy setting?

Assuming it is a user policy, a couple ways you can go:
1) If you want to use a new OU.  Of course if you change a GPO it will apply to everywhere the GPO is linked.  If you want it to be different, copy the GPO, change the setting in the copy, and apply it to the new OU.
2) You could also go the route jrgcomputing suggested, but a simpler method would be to leave the current GPO alone and leave the users in the OU as is, create a new GPO with the Active Desktop setting disabled, and set it to apply only to the specific user in the security filtering.  Now link the GPO to the SBSUsers OU, and set the precedence (link order) so that this GPO is applied last, thereby overwriting the previous GP setting which enabled Active Desktop.
Thanks for the reply. It is definitely a user policy setting as its path is User Configuration\Policies\Administrative Templates\Desktop\Desktop.

I have copied the GPO and changed this setting in it and I will try your suggestion of applying the GPO last, I assume you mean that this overwrites those applied previously and so this makes the fact the other GPOs are enforced irrelevant?
Correct.  However, a clarification note, I wouldn't use the term "enforced" as this means something special to GPOs; better would be "applied".  As the only setting you want to change is for Active Desktop, that is the only setting that I would include in the new GPO.
Thanks, so now I have the new OU which has the one User in it. It inherits ten policies. My 'No Active Desktop' GPO is No. 4 in the list of inherited policies but I need to make it No. 10? I don't see how to edit its Precedence. How is this done?
Looks like you're combining instructions from a couple different options.  Is this new OU a child of the SBSUsers OU?  If so, it should already be applied last.  Changing the link order only comes in handy when you have multiple GPOs applying to the same OU.

With the OU selected, look at the "Linked Group Policy Objects" tab.  There are arrows that let you change the order.  And no, you need to make it number 1 (actually it just needs to be lower than the GPO with the setting you want to overwrite, but nothing is lower than 1).
Okay, thanks. I will give it a try and let you know how I get on.
The 'No Active Desktop' OU is a child of the SBS Users OU. There is only one linked GPO under 'Linked Group Policy Objects' and that is the 'No Active Desktop' GPO. On the 'Group Policy Inheritance' tab there are 10 GPOs. The 'No AD' policy is number 4 and there are three above it whose precedence is 'enforced', one of which is the original 'SBS Users Policy'. Does this not mean that the 'No AD' GPO will be overridden by the original SBS Users policy and so the fact that I have turned off this setting in the new GPO is irrelevant?
As it stands right now, yes.  You need to get the "no AD" policy to a lower number than the other.  You can try setting it to enforced as well to see if that will get it a higher precedence (lower number).  Right now I'm wondering why the "SBS Users Policy" is set to enforced.
It seems the issue then is how to change the precedence of inherited GPOs that are set to 'enforced'. If I make the 'No Active Desktop' GPO enforced, it is still with a lower precedence than the SBS Users Policy. Any suggestions anyone?
Following on from my previous post, is it not the case that the 'SBS Users Policy' needs to be enforced? If I uncheck the 'Enforced' option from this GPO it disappears from the Inherited GPOs on the SBS Users OU.
Tomorrow I should have access to an SBS08 server so I can see what it is by default.  However, in my experience, no GPOs are set to Enforced by default.  When you turn Enforced off it is not inherited only because you created an OU and blocked inheritance.  Enforced overrides the "block inheritance" setting.  I would think that the "SBS Users Policy" GPO doesn't need to be set to Enforced, but like I said, let me get back to you after I see what the default is on an SBS 08 machine.
Thanks footech!
ASKER CERTIFIED SOLUTION
footech
This solution is only available to members.
Thanks, I will try that but it will be on Monday, let you know what happens then.
Okay, here is what I did:-

1) I made 'Enable Active Desktop' not configured in the SBS Users Policy.
2) I made a new GPO with this setting enabled and linked it to the SBS Users OU.
3) I created a new GPO with this setting 'Disabled' and linked it to the 'No Active Desktop' OU.
4) I moved the user into this OU.

Now 'Active Desktop off' has a higher precedence than the 'Active Desktop On' GPO in the inheritance of the 'No Active Desktop' OU. I am now waiting to see what the outcome is at next logon. I will get back to you soon.
Sounds good.
Sorry for the delay in responding but it took until today for the EU to update me on whether this was resolved. The answer is that this is still the same. Any more ideas?
Can you run the GP Results Wizard for this user and see if the setting is being applied?  It will tell you the setting and which GPO applied it.
I ran the wizard. Under 'Applied GPOs' the 'Active Desktop On' GPO is listed but it is at a lower precedence than it is when you view GPO Inheritance from OU properties. In OU properties it is listed at position 4 and the 'Active Desktop On' GPO is listed at 6. However, running the wizard under 'Applied GPOs' it is listed 4th with 'Active Desktop On' listed 2nd.

Presumably this is why it is not applied but I can't see why there is a difference between the GPO Inheritance and the Wizard results?
I think the results wizard displays the GPOs in the order they are applied.  So the one at the bottom would be the last one.  But a better check is if you look at the Settings tab for the results, you should see the setting and which GPO it was applied from.

Are you using the "Enable Active Desktop" setting, or the "Disable Active Desktop" setting?
Sorry for the long wait for a reply but the end user was on holiday until yesterday. I asked her to report back on what had happened with this on her return and she now says that the Active Desktop error has gone. I don't know how this happened and the settings in GPMC are still the same but it appears to have worked so I am going to accept your solution Footech. Thanks very much for all your help and well done!
Good solution, well done. Very helpful member.
Excellent!  Glad you got it working.
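
Added example, not part of the original thread: a small Python model of the precedence rules discussed above (link order, Block Inheritance, Enforced), run over a constructed layout that reuses the GPO names from this thread. It shows why the enforced parent policy keeps winning until the setting is moved out of it; the domain/OU layout is an assumption, and security filtering, WMI filters and site/local GPOs are left out.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Link:
    gpo: str
    order: int              # link order inside its container; 1 wins
    enforced: bool = False

def precedence(containers):
    """containers: [(name, block_inheritance, [Link])], domain first, user's OU
    last. Returns GPO names, highest precedence (the winner) first."""
    # Block Inheritance drops non-enforced links from every container above it.
    cutoff = max((i for i, c in enumerate(containers) if c[1]), default=0)
    enforced, normal = [], []
    for depth, (_name, _block, links) in enumerate(containers):
        for link in sorted(links, key=lambda l: l.order):
            if link.enforced:
                enforced.append(link.gpo)   # higher container beats lower
            elif depth >= cutoff:
                normal.append((-depth, link.order, link.gpo))
    return enforced + [gpo for _, _, gpo in sorted(normal)]

def winner(containers, settings, name):
    """The first GPO in precedence order that configures `name` decides it."""
    for gpo in precedence(containers):
        if name in settings.get(gpo, {}):
            return gpo, settings[gpo][name]
    return None, "Not Configured"

def layout(sbs_links, child_links):
    # Constructed layout: domain > SBSUsers OU > 'No Active Desktop' OU (blocked).
    return [("domain", False, [Link("Default Domain Policy", 1)]),
            ("SBSUsers", False, sbs_links),
            ("No Active Desktop", True, child_links)]

AD = "Enable Active Desktop"
SBS = Link("Windows SBS User Policy", 1, enforced=True)
# As first built: the enforced parent GPO still carries the setting.
before = layout([SBS], [Link("No Active Desktop", 1)])
# Enforcing the child link too does not help: the higher container still wins.
both = layout([SBS], [Link("No Active Desktop", 1, enforced=True)])
cfg1 = {SBS.gpo: {AD: "Enabled"}, "No Active Desktop": {AD: "Disabled"}}
# After the rework: the setting lives only in two small non-enforced GPOs.
after = layout([SBS, Link("Active Desktop On", 2)], [Link("Active Desktop Off", 1)])
cfg2 = {"Active Desktop On": {AD: "Enabled"}, "Active Desktop Off": {AD: "Disabled"}}

if __name__ == "__main__":
    for label, c, s in (("before", before, cfg1), ("both", both, cfg1), ("after", after, cfg2)):
        print(f"{label:7} {precedence(c)} -> {winner(c, s, AD)}")
```

The order returned by `precedence` is winner-first, matching the numbering on the GPMC "Group Policy Inheritance" tab, where 1 is the highest precedence.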