Group Policy or Something Else?

Posted on 2011-09-23
Medium Priority
Last Modified: 2012-05-12
Hello everyone,

I have been scratching my head on this one for a few days now. I have a group of users in an OU in Active Directory. They have many icons on their desktop that shouldn't be there. As part of the policy (they are Middle School Students) they aren't allowed to right click on the desktop, modify the desktop, printers etc etc within a few GPO's that are assigned to that OU. I have no clue why these icons (some are other user's documents) are there. Once I pull the user out of the OU and into the default users container AD has by default, I can modify and delete the desktop as I should. I can restart and the icons do not reappear. But as soon as I move any user into that OU in question. The icons appear again.

I have looked through the GPO settings to show what each GPO (there are three two in the root and one inherited) has for settings and I do not see anything that would create this behavior.

So now to my question,

Is there anything other than a GPO that could do this? Keep in mind that the user is not using a roaming profile and when moved out of the OU's the icons still appear until they are deleted. Or, is there a way to look at what is being applied to computer when logged in or as the computer is starting up?

My infrastructure Background:

I have a Windows Active Directory Domain with Windows 7 and XP clients. The servers are mixed 2003R2 and 2008R2 Standard. In this instance I am working on a 2008 server and a client machine with Windows 7.

I'd be more than happy to give you anymore info that's needed.

Thank You for any help!
Question by:WindhamSD
LVL 13

Accepted Solution

BCipollone earned 1000 total points
ID: 36588966
I believe you are using this: http://community.spiceworks.com/how_to/show/989

You need to check the location that the Group Policy is pointing to and make sure those items are not on the shared desktop.  The only other way this could be happening is if there is something in the login script that is loading them from a location.
LVL 11

Assisted Solution

Ackles earned 1000 total points
ID: 36592098
My approach would be very simple:

Take RSOP of the machine once when it's in the OU & secondly when it's in default container. This way Group Policy will be clearer, however since GP Preferences are not picked up in RSOP, but that shouldn't be your concern since you mentioned that you can't delete the icons. GP Preferences do allow you to modify the change, but since you can't delete it can't be Preferences.

Once you have done this, check if there is anything enforced on the top level. This also depends because the OU where you are putting the students is in a different OU & something is enforced from the top OU but not from the Domain level. If it was being enforced from Domain OU then even putting it in default container would effect.

This will give you a clearer picture. Please post the result & we can take it from there.


Author Comment

ID: 36985798
The problem was that someone modified the Deafult Domain Policy. I had to remove what was added. Thank You for all of your help.


Featured Post

Free tool for managing users' photos in Office 365

Easily upload multiple users’ photos to Office 365. Manage them with an intuitive GUI and use handy built-in cropping and resizing options. Link photos with users based on Azure AD attributes. Free tool!

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

As the cloud has become an integral part of enterprises’ workflow worldwide, there is an increasing demand for cloud managed service providers that can bring the expertise to the process and help enterprises maximize their investment in the cloud.
Are you looking to start a business? Do you own and operate a small company? If so, here are some courses you need to take before you hire a full-time IT staff.
This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles from a Windows Server 2008 domain controller to a Windows Server 2012 domain controlle…

624 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question