Posted by on October 15, 2013

I use Group Policy Objects to manage the local Administrators groups in various departments/Organizational Units in my Active Directory domain. I recently encountered a problem in which the policy was not applying to the computers in a single OU. I verified that the settings in the GPO were correct and that “Authenticated Users” had “apply” permission. I removed the entries from “Local Users and Groups” under Computer Configuration\Preferences\Control Panel Settings and recreated them. I changed the Action of the group setting to Replace instead of Update. I tried enforcing the GPO. Unfortunately, none of these steps made any difference. The workstation event logs and “gpresult /r /scope:computer” said that the policy was applying correctly, except that it obviously wasn’t.

The fix: I deleted the entire GPO and created a new one from a template. Something must have been corrupt in the NTFS permissions or some other attribute of the original GPO, because creating a new policy fixed the problem immediately.
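A read-only check that inspects the places where such corruption could sit (AD/SYSVOL version mismatch, delegation, NTFS ACLs on the SYSVOL folder, the Local Users and Groups preference file) before a GPO is deleted. This is an added example, not part of the original post; the GPO name is a placeholder and the GroupPolicy module (RSAT/GPMC) is assumed to be installed.

```powershell
# Added example (not from the original post): read-only health check for one GPO.
# Assumes the GroupPolicy module (RSAT/GPMC) and read access to SYSVOL.
Import-Module GroupPolicy

$gpoName = 'PLACEHOLDER-Local-Admins-GPO'   # placeholder name, replace with your GPO
$gpo     = Get-GPO -Name $gpoName
$domain  = $gpo.DomainName
$sysvol  = "\\$domain\SYSVOL\$domain\Policies\{$($gpo.Id)}"

# 1. The computer-side version stored in AD should equal the one in SYSVOL.
#    A mismatch means clients may process stale or partial settings.
[pscustomobject]@{
    GpoStatus     = $gpo.GpoStatus          # computer settings must not be disabled
    DSVersion     = $gpo.Computer.DSVersion
    SysvolVersion = $gpo.Computer.SysvolVersion
    InSync        = ($gpo.Computer.DSVersion -eq $gpo.Computer.SysvolVersion)
}

# 2. Delegation on the AD object: look for a missing GpoApply entry or a Deny.
Get-GPPermission -Guid $gpo.Id -All |
    Select-Object @{n='Trustee'; e={$_.Trustee.Name}}, Permission, Inherited, Denied

# 3. NTFS ACL on the SYSVOL folder: it should mirror the delegation above.
#    Computers need read access here to fetch the preference files.
(Get-Acl -LiteralPath $sysvol).Access |
    Select-Object IdentityReference, FileSystemRights, AccessControlType, IsInherited

# 4. The Local Users and Groups preference file must exist and parse as XML.
$groupsXml = Join-Path $sysvol 'Machine\Preferences\Groups\Groups.xml'
if (Test-Path -LiteralPath $groupsXml) {
    try {
        $xml = [xml](Get-Content -LiteralPath $groupsXml -Raw)
        # action is U (Update), R (Replace), C (Create) or D (Delete)
        $xml.Groups.Group |
            Select-Object name, @{n='Action'; e={$_.Properties.action}}, changed
    } catch {
        Write-Warning "Groups.xml exists but is not valid XML: $($_.Exception.Message)"
    }
} else {
    Write-Warning "Groups.xml not found under $sysvol"
}
```

Running the same checks against the replacement GPO gives a known-good baseline to compare the output with.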

