asked on GPOs conflict in deployment
I built a GPO that turns on the Screen Saver and requires recovery Password.
It's been tested successfully.
Then I built another GPO that blocks USB storage devices.
In both cases, there are some DENY users.
BUT, when I link in the USB GPO, the Screen Saver GPO stops being deployed.
Since they are supposed to be independent, how can that be?
It's been tested successfully.
Then I built another GPO that blocks USB storage devices.
In both cases, there are some DENY users.
BUT, when I link in the USB GPO, the Screen Saver GPO stops being deployed.
Since they are supposed to be independent, how can that be?
Active Directory
Last Comment
hypercube
ASKER
I ran gpresult /scope:user /user [username] /v as these are both User-type GPOs.
I didn't see much of value beyond what gpresult /r gives me) .. not that it isn't valuable guidance! Just not much new information in this one case.
There are 2 GPOs involved:
Screen Saver GPO with attendant Screen Saver Group (of users)
and
USB Deny GPO with attendant USB Deny Group (of users)
If I link only the Screen Saver GPO with the User OU then:
The Screen Saver GPO is Applied.
However, in the list of "The user is a part of the following security groups"
I only see Screen Saver Group and NOT the USB Deny Group listed! That seems odd.
The user *is* a member of both groups!!
Then, if I link both of them, only one is applied.
I didn't see much of value beyond what gpresult /r gives me) .. not that it isn't valuable guidance! Just not much new information in this one case.
There are 2 GPOs involved:
Screen Saver GPO with attendant Screen Saver Group (of users)
and
USB Deny GPO with attendant USB Deny Group (of users)
If I link only the Screen Saver GPO with the User OU then:
The Screen Saver GPO is Applied.
However, in the list of "The user is a part of the following security groups"
I only see Screen Saver Group and NOT the USB Deny Group listed! That seems odd.
The user *is* a member of both groups!!
Then, if I link both of them, only one is applied.
ASKER
I found this;
https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/who-broke-my-user-gpos/ba-p/258781
I'm hoping that it will resolve this issue. We'll see!
https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/who-broke-my-user-gpos/ba-p/258781
I'm hoping that it will resolve this issue. We'll see!
ASKER CERTIFIED SOLUTION
THIS SOLUTION ONLY AVAILABLE TO MEMBERS.
View this solution by signing up for a free trial.
Members can start a 7-Day free trial and enjoy unlimited access to the platform.
Hello Fred,
I would suggest to run gpresult and compare which control is getting enabled/disabled from which policy.
From Elevated Command Prompt
gpresult /scope:COMPUTER /V
Logically, one policy should not impact on the other as long as they are used for two different controls.
Cheers !