GPO Not Applying


  • I have 2 GPO's one that both affect the same registry key.. one basically toggle the key to an off position disabling VBA in Office completely the other toggles it back on.

    The GPO that turns it off is linked to the top level domain xxxx.local and is applied to all authenticated users. I have a security group that is added to the security filtering with a Deny to apply the GPO. This GPO works Perfectly. any user in the group that is denied the gpo does not get it applied everyone else does.

    The second gpo is linked to the OU where all of the SUB ou's that contain users are. I have just the security group in the security filtering that is denied in the first OU set there with of course the allow GPO setting. This GPO basically doesn't exist. I've read a ton of articles about precedence in the structure. it is my understanding that a GPO in an OU deeper in the tree will override a gpo higher in the tree. I've tried a ton of different things. the second OU never shows up in a gpresult as applied or denied. it just doesn't seem to exist.

    I've made the second GPO enforced. I've put both GPO's at the same level. If I add authenticated users back in the security filter the gpo works but of course it applies to all users thereby negating the original GPO..

    What am I doing wrong?

    Wednesday, June 22, 2016 4:20 PM


All replies