We help IT Professionals succeed at work.

GPOs conflict in deployment

Fred Marshall
I built a GPO that turns on the Screen Saver and requires recovery Password.
It's been tested successfully.

Then I built another GPO that blocks USB storage devices.

In both cases, there are some DENY users.

BUT, when I link in the USB GPO, the Screen Saver GPO stops being deployed.

Since they are supposed to be independent, how can that be?
Watch Question

Shabarinath RamadasanInfrastructure Architect


Hello Fred,

I would suggest to run gpresult and compare which control is getting enabled/disabled from which policy.

From Elevated Command Prompt 

gpresult /scope:COMPUTER /V

Logically, one policy should not impact on the other as long as they are used for two different controls.

Cheers !


I ran gpresult /scope:user /user [username] /v as these are both User-type GPOs.

I didn't see much of value beyond what gpresult /r gives me) .. not that it isn't valuable guidance!  Just not much new information in this one case.

There are 2 GPOs involved:
Screen Saver GPO with attendant Screen Saver Group (of users)
USB Deny GPO with attendant USB Deny Group (of users)

If I link only the Screen Saver GPO with the User OU then:

The Screen Saver GPO is Applied.
However, in the list of "The user is a part of the following security groups"
I only see Screen Saver Group and NOT the USB Deny Group listed!  That seems odd.
The user *is* a member of both groups!!

Then, if I link both of them, only one is applied.


I found this;
I'm hoping that it will resolve this issue.  We'll see!