Active Directory GP policy issue

We have a few PCs with the DVD-ROM disabled. There was a policy for DVD-ROM disable in the AD a few months back, and that policy is no longer in the AD. But this one applied to a few users in the AD in the following way:

PC1 - User1
When User1 logs in to PC1, result - DVD disabled
Any other user logs in to PC1, result - DVD working
PC1 local login, DVD also working.

User1 logs in to any other PC, result - DVD working

Tried solution: removed the membership from the domain and rejoined with a separate name. Result is - no DVD access.

Any idea on the above to move on?

Helao Mwapangasha, Data Centre: Server Engineer, Commented:
With GP you always need to revert the change with a counter GP.

so if you have a policy that said

dvd - disabled

you need to create and apply one that says

dvd - enabled

these settings have to apply before you can remove the policy or before you can set it to the default settings of not configured.
Stolsie Commented:
^What he said and don't forget to type command "gpupdate /force"
if you still have the issue we can dig deeper
Mohammed Khawaja, Manager - Infrastructure: Information Technology, Commented:
You should always run gpupdate /force and probably a good idea to reboot (just to be sure).  You could also run gpresult /h %temp%\gp.htm and then look at the file and see what policies are applied.
Thomas Grassi, Systems Administrator, Commented:
Also setup a wmi filter to exclude this computer from the gpo

Once you create the wmi filter apply it to the gpo in question

Then run gpupdate /force

As stated above check by running gpresult /r or rsop
Author Commented:
I have done all the above-mentioned steps. RSOP is not showing any policy from the client end, but unfortunately that policy is in place at the client end.
Author Commented:
Is there any way we can apply the default local security policy to the client computer? The issue is one computer's DVD is not accessible to one user; he can access it from other PCs. It seems to me that PC has some ID binding with the user I have mentioned. We need to clear that setting or apply the new security template.
Thomas Grassi, Systems Administrator, Commented:
Are these settings in the default domain policy?  Or do you have a unique gpo setup

Creating a unique gpo would be the best way to do this kind of policy then you can use wmi filters to pick and choose which computers you wish to apply the gpo to

Create a new gpo use wmi filter
Author Commented:
Separate GPO in the AD. The issue is that whatever policy was applied is not possible to revert for a few users. I hope my issue is addressed clearly.
Thomas Grassi, Systems Administrator, Commented:
Ok, if some computers are not receiving the updated gpo then I would look at the event log to see what is going on

Try gpupdate /force on the computer then check event log
Author Commented:
Nothing in the event log. How about the service pack? PC is Windows 7, no service pack.
Stolsie Commented:
Sounds like the user's profile has got corrupted; I would delete and recreate it to save time.
Or I would:
- log on to the AD server and open my GPO creation tool
- I would then run Group Policy Modeling on any other machine and on the user with the problem. (Group Policy Modeling is on the left, right at the bottom in the GPO creator window/MMC)
- go through the list and look for the setting that's causing the issue and the GPO name responsible; if I find nothing but a corrupt setting I would:
- log on to the machine where the issue has been seen and elevate the affected user to local administrator.
- Then log on as the elevated user and edit the registry (regedit link)
- test DVD works
- Log off then reboot.
- Log on as user, test DVD
- log off, log on as admin, remove elevated permission, reboot.
- log on as user (now normal user), hopefully works.
- go get a coffee, hopefully it now works.
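A read-only way to find the leftover setting when RSoP and gpresult show nothing, added here as an example that is not part of the original thread: it dumps every value under the four standard Group Policy registry locations so the output for the affected user can be compared with that of a working user on the same PC. It assumes the DVD restriction sits under one of those locations, which the thread does not confirm; the function name and output file name are illustrative.

```powershell
# Added example (not from the thread). Works with Windows PowerShell 2.0 on Windows 7.
# Run once as the affected user (User1 on PC1) and once as a working user on PC1.
$policyRoots = @(
    'HKCU:\Software\Policies',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies',
    'HKLM:\Software\Policies',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies'
)

function Get-PolicyValues {
    param([string[]]$Roots)
    foreach ($root in $Roots) {
        if (-not (Test-Path $root)) { continue }
        # The root key itself plus every subkey; unreadable keys are skipped.
        $keys = @(Get-Item $root) +
                @(Get-ChildItem $root -Recurse -ErrorAction SilentlyContinue)
        foreach ($key in $keys) {
            foreach ($name in $key.GetValueNames()) {
                New-Object PSObject -Property @{
                    Key   = $key.Name
                    Value = $name
                    Data  = ($key.GetValue($name) -join ',')
                    Kind  = $key.GetValueKind($name)
                }
            }
        }
    }
}

# One CSV per computer/user pair, written to the user's temp folder.
$outFile = Join-Path $env:TEMP ("policy-values-{0}-{1}.csv" -f $env:COMPUTERNAME, $env:USERNAME)
Get-PolicyValues -Roots $policyRoots |
    Select-Object Key, Value, Data, Kind |
    Sort-Object Key, Value |
    Export-Csv -Path $outFile -NoTypeInformation
Write-Output "Wrote $outFile"
```

Loading the two CSVs with Import-Csv and passing them to Compare-Object with -Property Key, Value, Data shows the values present only for the affected user; any entry that no current GPO accounts for is the candidate to review before editing the registry.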
Author Commented:
thanks for your information
Author Commented:
Do you know the best way to deploy the patch to client PCs only? Servers we do not want to do automatically without testing against the applications.
Stolsie Commented:
Hi

If the solution works you could deploy it via a startup script with just a ".bat" file or if you have SCCM you should be able to deploy it through that
