none
Computer and user gpo conflict

    Question

  • I'm trying to deploy group policies for users and computers. In the computer OUs I have created computer policies for shortcut deployment and I have added the computers to the corresponding OUs. I have also created the policies for users. The problem is that the shortcuts are not loaded. The policies for computer shortcuts are filtered. I configured the loop back for merge on the computer policy, but did not work. The user policies are applying fine, it is just the computer policies. I hope anyone can help me.
    Wednesday, May 13, 2015 4:35 PM

All replies

  • Hi

     On GPMC ->OU where the computers in->expand see the GPO's and select ->on Details tab ->GPO status configure it "User configuration settings disable"

    Or

    Right-Click OU and select "Block Inheritance".

    • Marked as answer by EMURRAY01 Wednesday, May 13, 2015 8:42 PM
    • Unmarked as answer by EMURRAY01 Monday, May 25, 2015 1:08 AM
    Wednesday, May 13, 2015 5:12 PM
  • Hi

     On GPMC ->OU where the computers in->expand see the GPO's and select ->on Details tab ->GPO status configure it "User configuration settings disable"

    Or

    Right-Click OU and select "Block Inheritance".

    This mean I don't need loopback configuration right?

    Wednesday, May 13, 2015 7:53 PM
  • right.
    Wednesday, May 13, 2015 9:31 PM
  • Hi

     On GPMC ->OU where the computers in->expand see the GPO's and select ->on Details tab ->GPO status configure it "User configuration settings disable"

    Or

    Right-Click OU and select "Block Inheritance".

    Sorry for the late post, but this did not solve my problem.  It blocked the user policy from the user OU from loading, It did not blocked the user part of the computer policy in the computer OU. I need to be able to apply both policies, from different OU in the same computer. One been the computer OU where the computer resides and the other the user department OU where the user belongs. 
    Monday, May 25, 2015 1:11 AM
  • Hi,

    Would you please help to run a gpresult / r to check which policies are applied and it would be much better to  provide us the RSOP report.

    You can log in the computer open the Command Prompt and type  gpresult/ h rsop.html and then you can got the report under your system drive.

    Go to the system drive-> Users folder-> find the currently logged user account folder-> rsop.html

    With this report we may have a clear look about Gpo confiuration.

    Best Regards,

    Elaine


    Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Monday, May 25, 2015 6:24 AM
    Moderator
  • Hi

     OK,you should configure loopback processing.

    Please check on these articles;

    Regarding the first link example :

    When a user belonging to OU-SUPPORT logs on a server that belongs to the OU-TSSERVER, what happens?

    Applies:

    • Computer Configuration -> The configuration created in GPO linked to OU-TSSERVER.
    • User Configuration -> The configuration created in GPO linked to OU-SUPPORT.

    This is the default setting. 

    This is exactly what I want to happen, the normal settings that should apply. In my case I only see User Configuration linked to the UO-SUPPORT but don't see the Computer Configuration from the GPO create and linked to OU-TSSERVER. So I'm not sure loopback processing will help. 

    Monday, May 25, 2015 4:50 PM
  • Group Policy Results
    Tes\user
    Data collected on: 5/23/2015 11:58:41 AM
    Summary
    Computer Configuration Summary
    No data available.
    User Configuration Summary
    General
    User name TEST\user
    Domain TEST.local
    Last time Group Policy was processed 5/23/2015 11:55:56 AM
    Group Policy Objects
    Applied GPOs
    Name Link Location Revision
    Billers TEST.local/Clinica de Salud Familiar/Users/ Billers AD (357), Sysvol (357)
    User Folder Redirection TEST.local/Clinica de Salud Familiar/Users/Billers AD (20), Sysvol (20)
    Denied GPOs
    Name Link Location Reason Denied
    Local Group Policy Local Empty
    Default Domain Policy TEST.local Empty
    Security Group Membership when Group Policy was applied
    TEST\Domain Users
    Everyone
    BUILTIN\Users
    NT AUTHORITY\INTERACTIVE
    CONSOLE LOGON
    NT AUTHORITY\Authenticated Users
    NT AUTHORITY\This Organization
    LOCAL
    TEST\Billers
    Mandatory Label\Medium Mandatory Level
    WMI Filters
    Name Value Reference GPO(s)
    None
    Component Status
    Component Name Status Last Process Time
    Group Policy Infrastructure Success 5/23/2015 11:56:22 AM
    Folder Redirection Success 5/23/2015 11:22:34 AM
    Registry Success 5/23/2015 11:12:46 AM
    Computer Configuration
    No data available.
    User Configuration
    Policies
    Windows Settings
    Security Settings
    Public Key Policies/Certificate Services Client - Auto-Enrollment Settings
    Policy Setting Winning GPO
    Automatic certificate management Enabled [Default setting]
    Option Setting
    Enroll new certificates, renew expired certificates, process pending certificate requests and remove revoked certificates Disabled
    Update and manage certificates that use certificate templates from Active Directory Disabled
    Show certificate expiry notifications Disabled [Default setting]
    Folder Redirection
    Application Data
    Winning GPO User Folder Redirection
    Setting: Basic (Redirect everyone's folder to the same location)
    Path: \\TestServer-1\Public\Profiles\Home\user\AppData\Roaming
    Options
    Grant user exclusive rights to Application Data Disabled
    Move the contents of Application Data to the new location Enabled
    Also apply redirection policy to Windows 2000, Windows 2000 server, Windows XP, and Windows Server 2003 operating systems Disabled
    Policy Removal Behavior Restore contents
    Contacts
    Winning GPO User Folder Redirection
    Setting: Basic (Redirect everyone's folder to the same location)
    Path: \\TestServer-1\Public\Profiles\Home\user\Contacts
    Options
    Grant user exclusive rights to Contacts Disabled
    Move the contents of Contacts to the new location Enabled
    Also apply redirection policy to Windows 2000, Windows 2000 server, Windows XP, and Windows Server 2003 operating systems Disabled
    Policy Removal Behavior Restore contents
    Desktop
    Winning GPO User Folder Redirection
    Setting: Basic (Redirect everyone's folder to the same location)
    Path: \\TestServer-1\Public\Profiles\Home\user\Desktop
    Options
    Grant user exclusive rights to Desktop Disabled
    Move the contents of Desktop to the new location Enabled
    Also apply redirection policy to Windows 2000, Windows 2000 server, Windows XP, and Windows Server 2003 operating systems Disabled
    Policy Removal Behavior Restore contents
    Downloads
    Winning GPO User Folder Redirection
    Setting: Basic (Redirect everyone's folder to the same location)
    Path: \\TestServer-1\Public\Profiles\Home\user\Downloads
    Options
    Grant user exclusive rights to Downloads Disabled
    Move the contents of Downloads to the new location Enabled
    Also apply redirection policy to Windows 2000, Windows 2000 server, Windows XP, and Windows Server 2003 operating systems Disabled
    Policy Removal Behavior Restore contents
    Favorites
    Winning GPO User Folder Redirection
    Setting: Basic (Redirect everyone's folder to the same location)
    Path: \\TestServer-1\Public\Profiles\Home\user\Favorites
    Options
    Grant user exclusive rights to Favorites Disabled
    Move the contents of Favorites to the new location Enabled
    Also apply redirection policy to Windows 2000, Windows 2000 server, Windows XP, and Windows Server 2003 operating systems Disabled
    Policy Removal Behavior Restore contents
    Links
    Winning GPO User Folder Redirection
    Setting: Basic (Redirect everyone's folder to the same location)
    Path: \\TestServer-1\Public\Profiles\Home\user\Links
    Options
    Grant user exclusive rights to Links Disabled
    Move the contents of Links to the new location Enabled
    Also apply redirection policy to Windows 2000, Windows 2000 server, Windows XP, and Windows Server 2003 operating systems Disabled
    Policy Removal Behavior Restore contents
    Music
    Winning GPO User Folder Redirection
    Setting: Basic (Redirect everyone's folder to the same location)
    Path: \\TestServer-1\Public\Profiles\Home\user\Music
    Options
    Grant user exclusive rights to Music Disabled
    Move the contents of Music to the new location Enabled
    Also apply redirection policy to Windows 2000, Windows 2000 server, Windows XP, and Windows Server 2003 operating systems Disabled
    Policy Removal Behavior Restore contents
    My Documents
    Winning GPO User Folder Redirection
    Setting: Basic (Redirect everyone's folder to the same location)
    Path: \\TestServer-1\Public\Profiles\Home\user\Documents
    Options
    Grant user exclusive rights to My Documents Disabled
    Move the contents of My Documents to the new location Enabled
    Also apply redirection policy to Windows 2000, Windows 2000 server, Windows XP, and Windows Server 2003 operating systems Disabled
    Policy Removal Behavior Restore contents
    My Pictures
    Winning GPO User Folder Redirection
    Setting: Basic (Redirect everyone's folder to the same location)
    Path: \\TestServer-1\Public\Profiles\Home\user\Pictures
    Options
    Grant user exclusive rights to My Pictures Disabled
    Move the contents of My Pictures to the new location Enabled
    Also apply redirection policy to Windows 2000, Windows 2000 server, Windows XP, and Windows Server 2003 operating systems Disabled
    Policy Removal Behavior Restore contents
    Saved Games
    Winning GPO User Folder Redirection
    Setting: Basic (Redirect everyone's folder to the same location)
    Path: \\TestServer-1\Public\Profiles\Home\user\Saved Games
    Options
    Grant user exclusive rights to Saved Games Disabled
    Move the contents of Saved Games to the new location Enabled
    Also apply redirection policy to Windows 2000, Windows 2000 server, Windows XP, and Windows Server 2003 operating systems Disabled
    Policy Removal Behavior Restore contents
    Searches
    Winning GPO User Folder Redirection
    Setting: Basic (Redirect everyone's folder to the same location)
    Path: \\TestServer-1\Public\Profiles\Home\user\Searches
    Options
    Grant user exclusive rights to Searches Disabled
    Move the contents of Searches to the new location Enabled
    Also apply redirection policy to Windows 2000, Windows 2000 server, Windows XP, and Windows Server 2003 operating systems Disabled
    Policy Removal Behavior Restore contents
    Start Menu
    Winning GPO User Folder Redirection
    Setting: Basic (Redirect everyone's folder to the same location)
    Path: \\TestServer-1\Public\Profiles\Home\user\Start Menu
    Options
    Grant user exclusive rights to Start Menu Disabled
    Move the contents of Start Menu to the new location Enabled
    Also apply redirection policy to Windows 2000, Windows 2000 server, Windows XP, and Windows Server 2003 operating systems Disabled
    Policy Removal Behavior Restore contents
    Videos
    Winning GPO User Folder Redirection
    Setting: Basic (Redirect everyone's folder to the same location)
    Path: \\TestServer-1\Public\Profiles\Home\user\Videos
    Options
    Grant user exclusive rights to Videos Disabled
    Move the contents of Videos to the new location Enabled
    Also apply redirection policy to Windows 2000, Windows 2000 server, Windows XP, and Windows Server 2003 operating systems Disabled
    Policy Removal Behavior Restore contents
    Administrative Templates
    Policy definitions (ADMX files) retrieved from the local machine.
    Control Panel
    Policy Setting Winning GPO
    Prohibit access to the Control Panel Disabled Billers
    Control Panel/Add or Remove Programs
    Policy Setting Winning GPO
    Hide Add New Programs page Enabled Billers
    Hide Add/Remove Windows Components page Enabled Billers
    Hide the "Add a program from CD-ROM or floppy disk" option Enabled Billers
    Hide the "Add programs from Microsoft" option Enabled Billers
    Hide the "Add programs from your network" option Enabled Billers
    Specify default category for Add New Programs Disabled Billers
    Control Panel/Personalization
    Policy Setting Winning GPO
    Load a specific theme Disabled Billers
    Password protect the screen saver Enabled Billers
    Prevent changing mouse pointers Enabled Billers
    Prevent changing sounds Enabled Billers
    Control Panel/Printers
    Policy Setting Winning GPO
    Browse a common web site to find printers Disabled Billers
    Browse the network to find printers Disabled Billers
    Prevent addition of printers Enabled Billers
    Prevent deletion of printers Enabled Billers
    Control Panel/Programs
    Policy Setting Winning GPO
    Hide "Get Programs" page Enabled Billers
    Hide "Installed Updates" page Enabled Billers
    Hide "Programs and Features" page Enabled Billers
    Hide "Set Program Access and Computer Defaults" page Enabled Billers
    Hide "Windows Features" Enabled Billers
    Hide "Windows Marketplace" Enabled Billers
    Hide the Programs Control Panel Enabled Billers
    Control Panel/Regional and Language Options
    Policy Setting Winning GPO
    Hide Regional and Language Options administrative options Enabled Billers
    Hide the geographic location option Enabled Billers
    Hide the select language group options Enabled Billers
    Hide user locale selection and customization options Enabled Billers
    Restrict selection of Windows menus and dialogs language Enabled Billers
    Restrict users to the following language: English
    Policy Setting Winning GPO
    Restricts the UI languages Windows should use for the selected user Enabled  Billers
    Restrict users to the following language: English
    Desktop
    Policy Setting Winning GPO
    Prohibit User from manually redirecting Profile Folders Enabled Billers
    Remove Properties from the Computer icon context menu Enabled Billers
    Remove Properties from the Documents icon context menu Enabled Billers
    Remove Properties from the Recycle Bin context menu Enabled Billers
    Remove Recycle Bin icon from desktop Enabled Billers
    Remove the Desktop Cleanup Wizard Enabled Billers
    Desktop/Desktop
    Policy Setting Winning GPO
    Desktop Wallpaper Enabled Billers
    Wallpaper Name: \\TestServer-1\Public\Backround\bkrnd11.JPG
    Example: Using a local path: C:\windows\web\wallpaper\home.jpg
    Example: Using a UNC path: \\Server\Share\Corp.jpg
    Wallpaper Style: Stretch
    Network/Network Connections
    Policy Setting Winning GPO
    Ability to change properties of an all user remote access connection Disabled Billers
    Ability to delete all user remote access connections Disabled Billers
    Ability to Enable/Disable a LAN connection Disabled Billers
    Ability to rename all user remote access connections Disabled Billers
    Ability to rename LAN connections Disabled Billers
    Ability to rename LAN connections or remote access connections available to all users Disabled Billers
    Enable Windows 2000 Network Connections settings for Administrators Disabled Billers
    Prohibit access to properties of a LAN connection Enabled Billers
    Prohibit access to properties of components of a LAN connection Enabled Billers
    Prohibit access to properties of components of a remote access connection Enabled Billers
    Prohibit access to the Advanced Settings item on the Advanced menu Enabled Billers
    Prohibit access to the New Connection Wizard Enabled Billers
    Prohibit access to the Remote Access Preferences item on the Advanced menu Enabled Billers
    Prohibit adding and removing components for a LAN or remote access connection Enabled Billers
    Prohibit changing properties of a private remote access connection Enabled Billers
    Prohibit deletion of remote access connections Enabled  Billers
    Prohibit Enabling/Disabling components of a LAN connection Enabled Billers
    Prohibit renaming private remote access connections Enabled Billers
    Prohibit TCP/IP advanced configuration Enabled Billers
    Network/Offline Files
    Policy Setting Winning GPO
    Synchronize all offline files before logging off Enabled Billers
    Synchronize all offline files when logging on Enabled Billers
    Synchronize offline files before suspend Enabled Billers
    Type of synchronization to perform when suspending:
    Action: Full
    Network/Windows Connect Now
    Policy Setting Winning GPO
    Prohibit Access of the Windows Connect Now wizards Enabled Billers
    Start Menu and Taskbar
    Policy Setting Winning GPO
    Add Logoff to the Start Menu Enabled Billers
    Add the Run command to the Start Menu Disabled Billers
    Clear the recent programs list for new users Enabled Billers
    Do not allow pinning items in Jump Lists Disabled Billers
    Do not allow pinning programs to the Taskbar Disabled Billers
    Do not display any custom toolbars in the taskbar Enabled Billers
    Do not display or track items in Jump Lists from remote locations Disabled Billers
    Gray unavailable Windows Installer programs Start Menu shortcuts Enabled Billers
    Lock all taskbar settings Enabled Billers
    Lock the Taskbar Enabled Billers
    Prevent changes to Taskbar and Start Menu Settings Enabled Billers
    Prevent users from adding or removing toolbars Enabled Billers
    Prevent users from moving taskbar to another screen dock location Enabled Billers
    Prevent users from rearranging toolbars Enabled Billers
    Prevent users from resizing the taskbar Enabled Billers
    Remove access to the context menus for the taskbar Enabled Billers
    Remove common program groups from Start Menu Enabled Billers
    Remove Default Programs link from the Start menu. Enabled Billers
    Remove Downloads link from Start Menu Disabled Billers
    Remove drag-and-drop and context menus on the Start Menu Enabled Billers
    Remove Favorites menu from Start Menu Enabled Billers
    Remove frequent programs list from the Start Menu Enabled Billers
    Remove Games link from Start Menu Enabled Billers
    Remove Homegroup link from Start Menu Enabled Billers
    Remove links and access to Windows Update Enabled Billers
    Remove Music icon from Start Menu Enabled Billers
    Remove Network Connections from Start Menu Enabled Billers
    Remove Network icon from Start Menu Enabled Billers
    Remove Pictures icon from Start Menu Enabled Billers
    Remove pinned programs from the Taskbar Disabled Billers
    Remove programs on Settings menu Enabled Billers
    Remove Recorded TV link from Start Menu Enabled Billers
    Remove Run menu from Start Menu Enabled Billers
    Remove the Action Center icon Disabled Billers
    Remove the battery meter Disabled Billers
    Turn off automatic promotion of notification icons to the taskbar Enabled Billers
    Turn off feature advertisement balloon notifications Enabled Billers
    Turn off notification area cleanup Enabled Billers
    System
    Policy Setting Winning GPO
    Windows Automatic Updates Enabled Billers
    System/Driver Installation
    Policy Setting Winning GPO
    Turn off Windows Update device driver search prompt Enabled Billers
    System/Internet Communication Management/Internet Communication settings
    Policy Setting Winning GPO
    Turn off handwriting personalization data sharing Enabled Billers
    System/Power Management
    Policy Setting Winning GPO
    Prompt for password on resume from hibernate / suspend Enabled Billers
    System/Removable Storage Access
    Policy Setting Winning GPO
    All Removable Storage classes: Deny all access Enabled Billers
    CD and DVD: Deny read access Enabled Billers
    CD and DVD: Deny write access Enabled Billers
    Floppy Drives: Deny read access Enabled Billers
    Floppy Drives: Deny write access Enabled Billers
    Removable Disks: Deny read access Enabled Billers
    Removable Disks: Deny write access Enabled Billers
    Tape Drives: Deny read access Enabled Billers
    Tape Drives: Deny write access Enabled Billers
    WPD Devices: Deny read access Enabled Billers
    WPD Devices: Deny write access Enabled Billers
    Windows Components/Attachment Manager
    Policy Setting Winning GPO
    Notify antivirus programs when opening attachments Enabled Billers
    Windows Components/Backup/Client
    Policy Setting Winning GPO
    Prevent backing up to local disks Enabled Billers
    Prevent backing up to network location Enabled Billers
    Prevent backing up to optical media (CD/DVD) Enabled Billers
    Prevent the user from running the Backup Status and Configuration program Enabled Billers
    Turn off restore functionality Enabled Billers
    Turn off the ability to back up data files Enabled Billers
    Turn off the ability to create a system image Enabled Billers
    Windows Components/Microsoft Management Console
    Policy Setting Winning GPO
    Restrict the user from entering author mode Enabled Billers
    Restrict users to the explicitly permitted list of snap-ins Enabled Billers
    Windows Components/Windows Explorer
    Policy Setting Winning GPO
    Display the menu bar in Windows Explorer Disabled Billers
    Hide these specified drives in My Computer Enabled Billers
    Pick one of the following combinations Restrict all drives
    Policy Setting Winning GPO
    Hides the Manage item on the Windows Explorer context menu Enabled Billers
    Prevent access to drives from My Computer Enabled Billers
    Pick one of the following combinations Restrict all drives
    Policy Setting Winning GPO
    Remove "Map Network Drive" and "Disconnect Network Drive" Enabled Billers
    Remove CD Burning features Enabled Billers
    Remove File menu from Windows Explorer Enabled Billers
    Remove Hardware tab Enabled Billers
    Remove Security tab Enabled Billers
    Removes the Folder Options menu item from the Tools menu Enabled Billers
    Request credentials for network installations Enabled Billers
    Windows Components/Windows Explorer/Previous Versions
    Policy Setting Winning GPO
    Hide previous versions list for local files Enabled Billers
    Hide previous versions list for remote files Enabled Billers
    Hide previous versions of files on backup location Enabled Billers
    Prevent restoring local previous versions Enabled Billers
    Prevent restoring previous versions from backups Enabled Billers
    Prevent restoring remote previous versions Enabled Billers
    Windows Components/Windows Installer
    Policy Setting Winning GPO
    Always install with elevated privileges Enabled Billers
    This setting must be set for the machine and the user to be enforced.
    Policy Setting Winning GPO
    Prevent removable media source for any install Enabled Billers
    Prohibit rollback Enabled Billers
    This setting may be set for the machine or for the user.
    Extra Registry Settings
    Display names for some settings cannot be found. You might be able to resolve this issue by updating the .ADM files used by Group Policy Management.
    Setting State Winning GPO
    Software\Policies\Microsoft\Windows\Explorer\NoUninstallFromStart 1 Billers
    Software\Policies\Microsoft\Windows\Explorer\NoUseStoreOpenWith 1 Billers
    Software\Policies\Microsoft\Windows\Explorer\ShowRunAsDifferentUserInStart 1 Billers
    Software\Policies\Microsoft\Windows\System\Fdeploy\FolderRedirectionEnableCacheRename 1 Billers
    Monday, May 25, 2015 5:22 PM
  • Hi

     Yes,on your post there is no computers policy applied,test this right-click on computer policy (which you configure) and select enforced.

    ALso check on Group Policy Inheritance console any other computer policy crushing your computer policy??

    Monday, May 25, 2015 5:48 PM
  • >   Yes,on your post there is no computers policy applied,test this
    > right-click on computer policy (which you configure) and select enforced.
     
    No. This is simply the result of the command being run in a commandline
    that was not elevated ("run as administrator")...
     
    Loopback "merge" is correct for the scenario, and (as already mentioned)
    loopback in no way has any influence on computer GPO processing.
     
    PLease re-run the gpresult in an elevated commandline to see the "reason
    denied" - if it is "filtered (security)", double check security
    filtering and make sure you rebooted the computer if you changed its
    security group memberships.
     

    Greetings/Grüße, Martin

    Mal ein gutes Buch über GPOs lesen?
    Good or bad GPOs? - my blog…
    And if IT bothers me - coke bottle design refreshment (-:
    Tuesday, May 26, 2015 2:41 PM
  • Since the user does not have admin privilege I try to run as administrator and got this message  "Too many other files are currently in use buy 16-bit programs. Exit one or more 16-bit programs or increase the value of the FILES command in your Config.sys". I did a clean boot with no services besides Microsoft services and still got the problem. So I can't run cmd.exe as administrator. Any ideas on that?

    I un-linked the user policy and created a new user policy only to disable the access to control panel and it applied well with the computer policy so clearly there is something there that is bothering. 

    Friday, May 29, 2015 7:06 PM
  • > in use buy 16-bit programs. Exit one or more 16-bit programs or increase
     
    Are you trying to run command.com?
     

    Greetings/Grüße, Martin

    Mal ein gutes Buch über GPOs lesen?
    Good or bad GPOs? - my blog…
    And if IT bothers me - coke bottle design refreshment (-:
    Monday, June 01, 2015 9:21 AM
  • cmd.exe as administrator
    Wednesday, June 03, 2015 3:06 PM
  • Hi,

    According the error message you got while you open the cmd.exe as administrator, maybe you can try the follow method: Create a new notepad file.  On the first line put Files=130 and on the second line put Buffers=1000.  Then save under file type "All files" and under the name config.sys, and then place configs directly onto C:\. Then you can restart the computer and have a try again.

    Please have a test and then let us know the update.

    Best Regards,

    Elaine


    Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Thursday, June 11, 2015 2:44 AM
    Moderator
  • Sorry for the late replay. I have tried what you suggest but it did not work. Still get the message after I enter administrator credentials. 
    Friday, July 17, 2015 6:12 PM
  • Since this is a different problem than the original GPO problem I will put the question for the cmd as administrator in a separate threat so we can focus on the GPO problem. 
    Friday, July 17, 2015 7:13 PM