Active Directory GP policy issue

We have a few PCs with the DVD-ROM disabled. There was a policy for disabling the DVD-ROM in AD a few months back, and that policy is no longer in AD. But this one is applied to a few users in AD in the following way:

PC1 - User1
When User1 logs in to PC1, result: DVD disabled
When any other user logs in to PC1, result: DVD working
With a local login on PC1, the DVD is also working.

When User1 logs in to any other PC, result: DVD working

Tried solution: removed the membership from the domain and rejoined with a separate name. Result: no DVD access.

Any ideas on how to move on with the above?

Helao Mwapangasha (Data Centre: Server Engineer) Commented:
With GP you always need to revert the change with a counter GP.

So if you have a policy that said

dvd - disabled

you need to create and apply one that says

dvd - enabled

These settings have to apply before you can remove the policy or before you can set it to the default setting of not configured.
Stolsie Commented:
^What he said, and don't forget to type the command "gpupdate /force".
If you still have the issue we can dig deeper.
Mohammed Khawaja (Manager - Infrastructure: Information Technology) Commented:
You should always run gpupdate /force, and it is probably a good idea to reboot (just to be sure). You could also run gpresult /h %temp%\gp.htm and then look at the file and see what policies are applied.

Thomas Grassi (Systems Administrator) Commented:
Also set up a WMI filter to exclude this computer from the GPO.

Once you create the WMI filter, apply it to the GPO in question.

Then run gpupdate /force.

As stated above, check by running gpresult /r or rsop.
Author Commented:
I have done all the above-mentioned steps. RSOP is not showing any policy from the client end, but unfortunately that policy is in place on the client end.
Author Commented:
Is there any way we can apply the default local security policy to the client computer? The issue is that on one computer the DVD is not accessible to one user; he can access it from other PCs. It seems to me that the PC has some ID binding with the user I have mentioned. We need to clear that setting or apply a new security template.
Thomas Grassi (Systems Administrator) Commented:
Are these settings in the default domain policy? Or do you have a unique GPO set up?

Creating a unique GPO would be the best way to do this kind of policy; then you can use WMI filters to pick and choose which computers you wish to apply the GPO to.

Create a new GPO and use a WMI filter.
Author Commented:
It is a separate GPO in AD. The issue is that whatever policy was applied is not possible to revert for a few users. I hope my issue is addressed clearly.
Thomas Grassi (Systems Administrator) Commented:
OK, if some computers are not receiving the updated GPO then I would look at the event log to see what is going on.

Try gpupdate /force on a computer, then check the event log.
Author Commented:
Nothing in the event log. How about the service pack? The PC is Windows 7, no service pack.
Stolsie Commented:
Sounds like the user's profile has got corrupted. I would delete and recreate it to save time.
Or I would:
- Log on to the AD server and open my GPO creation tool.
- I would then run Group Policy Modeling on any other machine and on the user with the problem. (Group Policy Modeling is on the left, right at the bottom, in the GPO creator window/MMC.)
- Go through the list and look for the setting that's causing the issue and the GPO name responsible. If I find nothing but a corrupt setting I would:
- Log on to the machine where the issue has been seen and elevate the affected user to local administrator.
- Then log on as the elevated user and edit the registry (regedit link).
- Test that the DVD works.
- Log off, then reboot.
- Log on as the user and test the DVD.
- Log off, log on as admin, remove the elevated permission, reboot.
- Log on as the user (now a normal user); hopefully it works.
- Go get a coffee; hopefully it now works.
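
A read-only check for the case in this thread, where RSoP shows no policy yet the restriction persists for one user on one PC (an added example, not part of the original posts). It writes a user-scope gpresult report and lists every value under the two standard per-user policy registry keys so the two can be compared; the report file name is an assumption, and the thread does not name the specific value behind the DVD restriction.

```powershell
# Added example (read-only): run in the affected user's session on the affected PC.
# Works in Windows PowerShell 2.0 and later, so it runs on Windows 7.

# 1. What Group Policy says applies to this user (HTML report, user scope only).
#    The file name gp-user.htm is an assumption; /f overwrites an older report.
$report = Join-Path $env:TEMP 'gp-user.htm'
gpresult /scope user /h $report /f

# 2. What is actually set in the per-user policy areas of the registry.
$policyRoots = @(
    'HKCU:\Software\Policies',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies'
)

$found = foreach ($root in $policyRoots) {
    if (-not (Test-Path $root)) { continue }
    # Include the root key itself plus every subkey below it.
    $keys = @(Get-Item $root) + @(Get-ChildItem $root -Recurse -ErrorAction SilentlyContinue)
    foreach ($key in $keys) {
        foreach ($name in $key.GetValueNames()) {
            New-Object PSObject -Property @{
                Key   = $key.Name
                Value = $name
                Data  = $key.GetValue($name)
            }
        }
    }
}

# 3. Values listed here that no GPO in the report accounts for are the ones to review.
$found | Sort-Object Key, Value | Format-Table Key, Value, Data -AutoSize -Wrap
Write-Output "Group Policy report written to $report"
```

Nothing is modified by this script; any value it turns up should be matched against the report before it is changed in regedit.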
Author Commented:
Thanks for your information.
Author Commented:
Do you know the best way to deploy the patch to client PCs only? For servers, we do not want to do it automatically without testing against the application.
Stolsie Commented:
Hi

If the solution works you could deploy it via a startup script with just a ".bat" file or if you have SCCM you should be able to deploy it through that
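
The WMI filter suggestions earlier in the thread and the clients-only question can be checked before a filter is linked to a GPO (an added example, not part of the original posts). A GPO WMI filter matches a computer when its query returns at least one instance; the helper name is hypothetical and the computer name PC1 in the second query is taken from the question's own naming.

```powershell
# Added example: evaluate candidate GPO WMI filter queries on the local machine.
# Uses Get-WmiObject, so run it in Windows PowerShell (available on Windows 7).

function Test-WmiFilterQuery {   # hypothetical helper name
    param(
        [Parameter(Mandatory = $true)][string]$Query,
        [string]$Namespace = 'root\CIMv2'
    )
    try {
        # A filter query matches when it returns one or more instances.
        $hits = @(Get-WmiObject -Namespace $Namespace -Query $Query -ErrorAction Stop)
        return ($hits.Count -gt 0)
    } catch {
        # A query that fails cannot match; report it instead of hiding it.
        Write-Warning "Query failed: $Query ($($_.Exception.Message))"
        return $false
    }
}

# ProductType: 1 = workstation, 2 = domain controller, 3 = member server.
$clientsOnly = 'SELECT * FROM Win32_OperatingSystem WHERE ProductType = 1'

# Excludes a single computer by name (PC1 is the name used in the question).
$allExceptPc1 = 'SELECT * FROM Win32_ComputerSystem WHERE Name <> "PC1"'

foreach ($query in @($clientsOnly, $allExceptPc1)) {
    $result = Test-WmiFilterQuery -Query $query
    '{0,-6} {1}' -f $result, $query
}
```

Run it on one client and one server: the first query should print True on the client and False on the server before the filter is attached to the GPO that deploys the change.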
Question has a verified solution.