How to stop Group Policy applying on a laptop and starting Outlook automatically

Posted on 2012-08-28
Last Modified: 2012-09-07
We have an environment that uses a combination of fat and thin clients.   All users have a roaming profile that they use to log into our RDS servers.  Some users also have a fat client, also attached to the domain and on that they log in using the same roaming profile as on the RDS servers.

We have a Group Policy set up that starts Outlook when the users log in to the RDS server.  Lately we've found that on new laptops, when we set them up its also starting to apply the same Group Policy to the laptops as well as the RDS server.   I have a new laptop here today.  I added it to the domain and moved it to the Laptops group in AD, gave domain users Local Admin rights and then logged in as the intended end user for that laptop.  And Outlook loaded.  This isn't meant to happen.  Our users don't use Outlook locally, its only from within the RDS server that they use Outlook.

So somehow something has changed in my Group Policy that now makes this object apply to laptops where it never had before.  And it still doesn't on other laptops and with other users.

So our policies on the DC are set out so that they grouped in 'like' groups.  The policy with Outlook in it is called 'xUsers RDS Logon' and the Setting in question is:
User Configuration>Policies>>Administrative Template>System/Logon>Run these programs at user logon>C:\Program Files (x86)\Microsoft Office\Office14\Outlook.exe

Scope:  xUsers (AD container that all users are in) Enforced:No Link Enabled:Yes
xTerminalServers (AD container that all RDS Servers are in) Enforced:No Link Enabled:Yes

Security Filtering: xStaff (Security group for all staff)

Laptops are NOT in xTerminalServers, they're in another container called xLaptops.  Its not nested inside xTerminalServers.  Its on the same level.

I have done GP Modelling for many of the fat client users on their laptops and compared to the new ones and they all seem to have the same settings.  In fact they all show that this GPO applies to them.  But for some reason the new laptops it is actually applying the GPO whereas its not on the others.
All fat clients are Win7 Pro.

What I'm looking for is a way to stop Outlook loading on startup when you log into a laptop (that doesn't involve uninstalling it!).  Outlook must still load when they log into the RDS Server.  And ideally I'd like to fix the GPO so that it filters out anything thats NOT a member of the xTerminalServer group.

Question by:bosshognz
    LVL 47

    Expert Comment

    What if you create a New OU for the Laptops does the policy still get applied?

    If it does, is it possible the policy is being appleid to the logged on User OU, not the Client OU?
    LVL 47

    Expert Comment

    Just another thouhgt here as well

    When Office was installed on the PCs, was an Admin Setup or OCT used?

    Could be possible in the initial install of Office Outlook Setup/Configuration/Behavior was customized

    Author Comment

    I think it is applied to the user not the client - it is a user configuration setting.  But how do I get it to only apply when logging into the xTerminal Servers?
    LVL 8

    Expert Comment

    move RDS user to one OU and the apply policy on that.
    instead of applying all user.

    Author Comment

    Hi piyushranusri,  
    All users are RDS users.  Some of those users are also fat client users.  We want All users to have Outlook load when they're logging into the RDS server, but we want it NOT to load when those users are logging into a fat client.

    Accepted Solution

    Would applying the Loopback setting here solve my issue?  I'm reading this item: and it seems to suggest this is what I should do, as I am trying to impose User Config based on Computers used.

    What effect would it have on the other GPOs I have?  We have a good 20 GPOs - some for users and some for computers for all the different users and and roles who log into our system.  Or would it only affect the one GPO that it is set in?

    Author Closing Comment

    We created a new GPO and applied the Loopback policy to it.  All is good now.

    Other suggestions wouldn't have solved my issue and noone answered my last question about Loopbacks being a viable solution.  We went ahead with it and it was.

    Featured Post

    Looking for New Ways to Advertise?

    Engage with tech pros in our community with native advertising, as a Vendor Expert, and more.

    Join & Write a Comment

    Learn more about how the humble email signature can be used as more than just an electronic business card. When used correctly, a signature can easily be tailored for different purposes by different departments within an organization.
    Sometimes drives fill up and we don't know why.  If you don't understand the best way to use the tools available, you may end up being stumped as to why your drive says it's not full when you have no space left!  Here's how you can find out...
    This tutorial will walk an individual through the steps necessary to enable the VMware\Hyper-V licensed feature of Backup Exec 2012. In addition, how to add a VMware server and configure a backup job. The first step is to acquire the necessary licen…
    This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…

    729 members asked questions and received personalized solutions in the past 7 days.

    Join the community of 500,000 technology professionals and ask your questions.

    Join & Ask a Question

    Need Help in Real-Time?

    Connect with top rated Experts

    19 Experts available now in Live!

    Get 1:1 Help Now