GPOs conflict in deployment

Fred Marshall
I built a GPO that turns on the Screen Saver and requires a recovery password.
It's been tested successfully.

Then I built another GPO that blocks USB storage devices.

In both cases, there are some DENY users.

BUT, when I link in the USB GPO, the Screen Saver GPO stops being deployed.

Since they are supposed to be independent, how can that be?

Shabarinath Ramadasan, Infrastructure Architect

Commented:

Hello Fred,

I would suggest running gpresult and comparing which control is getting enabled/disabled from which policy.

From an elevated Command Prompt:

gpresult /scope:COMPUTER /V

Logically, one policy should not impact the other as long as they are used for two different controls.

Cheers!


Author

Commented:
I ran gpresult /scope:user /user [username] /v as these are both User-type GPOs.

I didn't see much of value (beyond what gpresult /r gives me) ... not that it isn't valuable guidance! Just not much new information in this one case.

There are 2 GPOs involved:
Screen Saver GPO with attendant Screen Saver Group (of users)
and
USB Deny GPO with attendant USB Deny Group (of users)

If I link only the Screen Saver GPO with the User OU then:

The Screen Saver GPO is Applied.
However, in the list of "The user is a part of the following security groups"
I only see Screen Saver Group and NOT the USB Deny Group listed!  That seems odd.
The user *is* a member of both groups!!

Then, if I link both of them, only one is applied.

Author

Commented:
I found this:
https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/who-broke-my-user-gpos/ba-p/258781
I'm hoping that it will resolve this issue.  We'll see!
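
To compare how the two GPOs discussed in this thread are filtered, the PowerShell below lists each GPO's status and every trustee on its ACL with Deny entries marked, then shows trustees present on only one of the two. It is an added example, not code from any poster; the GPO display names are assumed from the post's descriptions, and it requires the GroupPolicy module (GPMC/RSAT).

```powershell
# Added example. Run from a machine with the GroupPolicy module installed.
# Assumption: the GPO display names match the descriptions given in the thread.
Import-Module GroupPolicy

$gpoNames = 'Screen Saver GPO', 'USB Deny GPO'

$report = foreach ($name in $gpoNames) {
    # GpoStatus shows whether the user or computer half of the GPO is disabled
    $gpo = Get-GPO -Name $name -ErrorAction Stop

    # -All returns every trustee on the GPO, including Deny entries
    foreach ($perm in Get-GPPermission -Name $name -All) {
        [pscustomobject]@{
            GPO        = $gpo.DisplayName
            GpoStatus  = $gpo.GpoStatus
            Trustee    = $perm.Trustee.Name
            SidType    = $perm.Trustee.SidType
            Permission = $perm.Permission   # GpoApply, GpoRead, GpoCustom, ...
            Denied     = $perm.Denied       # True for a Deny entry
        }
    }
}

# Side-by-side view: the same trustee on both GPOs sorts onto adjacent rows
$report | Sort-Object Trustee, GPO | Format-Table -AutoSize

# Trustees that appear on one GPO but not the other
$report |
    Group-Object Trustee |
    Where-Object { @($_.Group.GPO | Select-Object -Unique).Count -lt $gpoNames.Count } |
    ForEach-Object {
        [pscustomobject]@{
            Trustee = $_.Name
            OnlyOn  = ($_.Group.GPO | Select-Object -Unique) -join ', '
        }
    } |
    Format-Table -AutoSize

# Deny entries only, since both GPOs are described as having DENY users
$report | Where-Object Denied | Format-Table GPO, Trustee, Permission -AutoSize
```

Differences between the two permission sets, and any GpoStatus other than AllSettingsEnabled, are the places to look first when one user-side GPO applies and the other does not.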