Group Policy not doing what expected


We're trying to ensure a certain set of computers will never have their monitors go to sleep or have the screen saver kick in.  The set of computers of interest is in its own OU, and we have a new GPO applied to the OU.  The OU does inherit policies from upstream, and there are conflicting policies at a higher level.  But the policies we've applied directly to the OU should override any conflicting inherited policies, right?

The screen saver setting (DISABLED) associated with the new GPO applied to the OU seems to be taking effect, but the power plan we've created and tried to put in place through that same GPO is not taking effect.

Looking at GP Results in the GPMC, what we see are both the inherited GPO (with the wrong power plan settings) and the directly-applied GPO (with the right power plan settings) both successfully applied to the computer/user--with the directly-applied GPO appearing higher in the results.  This gives us the impression those settings should prevail, yet when we get onto the computer, the wrong power policy is always applied.

What are we missing?


Will Szymkowski, Senior Solution Architect, Commented:
Have you checked using RSOP.msc on the client machine as well?

When you open up the RSOP window, expand the GPO User or Computer (wherever it is applied) and see what the settings are listed as.

Another thing I would check is if this setting is set using local policy. Domain policies are supposed to override local policies, but I have seen where this has created an issue if the setting was also applied locally.

Amit, IT Architect, Commented:
Check the winning policy. Also make sure the objects are present in the correct OU.

StrataDecisionIT, Author, Commented:
Hey Will,

Thanks for responding!

We tried RSOP on one of the target machines, but what we're looking for is Computer\Preferences\Control Panel Settings\Power Options, and nothing in terms of Preferences appears there.  Similarly, looking at Local Policy on a machine doesn't show Preferences.

If we run gpresult on one of the target machines, we'll see the same thing we see from GP Results in the GPMC: both GPOs applied successfully, and the one we want appears first.  But the settings shown in the second/lower GPO are the ones that end up in effect.


StrataDecisionIT, Author, Commented:

In Group Policy Results in the GPMC, both GPOs say "Successful" and are identified as "Winning GPO."  The one we want to prevail is shown first, followed by the inherited GPO.

Amit, IT Architect, Commented:
Certain set of computers?

Were these moved to a single OU?

How are you applying it? Any filter created?

StrataDecisionIT, Author, Commented:
Yes, the computers of interest are in their own OU.

The link from our desired GPO is enabled and enforced on the OU.  

"Security Filtering" shows "Authenticated Users" and nothing else.

I will mention that the GPO has our desired settings associated with both the Computer Configuration and the User Configuration:

Computer Configuration\Preferences\Control Panel Settings\Power Options\Power Plan (Windows Vista) (Name: Pod Computers)\Power Plan (Windows Vista and later) (Order: 1)\Properties

User Configuration\Preferences\Control Panel Settings\Power Options\Power Plan (Windows Vista) (Name: Pod Computers)\Power Plan (Windows Vista and later) (Order: 1)\Properties

Amit, IT Architect, Commented:
Did you enable loopback processing mode? If not, enable it and check again.

StrataDecisionIT, Author, Commented:
We tried loopback processing, with no effect.

Amit, IT Architect, Commented:
Can you move a test user and a test computer object into the same OU and then test it again?

StrataDecisionIT, Author, Commented:
We resolved this one, but we don't fully understand how we did it...  Per Amit's recommendation, we moved a test computer into a special OU with only the Default Domain policy and the power plan policy we were trying to get in place applied to that OU.  We found that the desired settings--those associated with the power plan policy--did not end up being applied.  We then blocked inheritance, which should have prevented the Default Domain policy from being applied.  Still the desired settings would not take effect...  For the Computer Configuration, "Local Policy" seemed to override the GPO.  For the User Configuration, the Default Domain GPO appeared to be the winning policy, even though it should have been suppressed...  We then moved the test computer back to the original OU where it had been previously, and "magically" the settings started doing what we wanted.  We're really not sure what happened, but are content that it's now working as desired.

StrataDecisionIT, Author, Commented:
Amit provided ideas that kept us moving towards resolution, but I don't believe it would be accurate to say he directly provided us with a solution to the problem.
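
The checks discussed in this thread can be scripted. The following is an added example, not code posted by any participant: it lists the GPOs that apply to the OU in precedence order with their Enabled and Enforced flags, marks which of them carry a Power Options preference file on the computer or user side, and then captures what the client actually ended up with. The OU distinguished name and domain name are placeholders; `gpresult /h` is used on the client because RSOP.msc does not display Group Policy Preferences items.

```powershell
# Added example. Part 1 runs on an admin workstation with RSAT (GroupPolicy module).
# $TargetOu and $Domain are placeholders, not values from the thread.
Import-Module GroupPolicy

$TargetOu = 'OU=Pod Computers,DC=example,DC=com'   # placeholder DN
$Domain   = 'example.com'                          # placeholder DNS domain name

function Get-PowerPreferenceLinks {
    param([string]$Ou, [string]$DomainName)

    # InheritedGpoLinks lists the GPOs that apply to the OU, both directly
    # linked and inherited, in precedence order (Order 1 is applied last and wins).
    $som = Get-GPInheritance -Target $Ou -Domain $DomainName

    foreach ($link in $som.InheritedGpoLinks) {
        # Preferences are stored as XML under the GPO's folder in SYSVOL.
        $root = "\\$DomainName\SYSVOL\$DomainName\Policies\{$($link.GpoId)}"
        [pscustomobject]@{
            Order        = $link.Order
            Gpo          = $link.DisplayName
            Enabled      = $link.Enabled
            Enforced     = $link.Enforced
            ComputerPlan = Test-Path "$root\Machine\Preferences\PowerOptions\PowerOptions.xml"
            UserPlan     = Test-Path "$root\User\Preferences\PowerOptions\PowerOptions.xml"
        }
    }
}

# Any row other than the intended GPO with ComputerPlan or UserPlan = True
# is a competing source of power plan settings for this OU.
Get-PowerPreferenceLinks -Ou $TargetOu -DomainName $Domain |
    Sort-Object Order | Format-Table -AutoSize

# Part 2 runs in an elevated prompt on an affected client.
function Get-ClientPowerState {
    gpupdate /force | Out-Null

    # HTML report includes Preferences items and the GPO each one came from.
    $report = Join-Path $env:TEMP 'gp-computer.html'
    gpresult /scope computer /h $report /f | Out-Null

    [pscustomobject]@{
        Report       = $report
        ActiveScheme = (powercfg /getactivescheme)   # plan Windows is really using
    }
}
# Get-ClientPowerState
```

Comparing the plan name in `ActiveScheme` with the plan each flagged GPO defines shows which GPO's preference item was the last one written on the client.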