1

Hey guys,

I have a GPO which has user and computer settings in it ( I usally try to avoid this but we have had processing issues in the past and this was the workaround), it is only linked to an OU where the computer objects reside, the OU with users in is not a sub-OU.

I have now found (after running GP Results from the DC) that the user settings in this GPO are applying to the users despite not having any loopback processing applied to it. Is this possible and have I missed something which might cause this? The GP Results show that the Applied settings are coming from the GPO linked to the computers OU and they definitely getting applied.

Thanks,

1 Spice up
2

Surely if the GPO is only linked to an OU containing computers, then you can safely remove the user settings from the GPO?

3

Thanks for replying. The issue is that AFAIK this shouldn’t happen. I am trying to tidy up the GPOs and re-organise the OU structure but I am not sure which policies have applied user settings form other OUs

4

I agree that this shouldn’t happen. At least in my experience. Is it possible that any of these settings were previously applied? Sometimes they will stick around even after the GPO is deleted. Can you toggle the current user settings and observe it being toggled for those users that have their computer in the OU?

1 Spice up
5

Thought I would update this with the fix. It turns out that the old IT company had created a policy called “password policy” which was enforced and linked at root level… despite the description this policy was also set to apply Loopback with the replace option! Way to cause everyone a massive headache!

After fixing this and redoing my GPOs and OUs things are working better. I did have an issue with some machines still seeing the old settings (still showed loopback in the old policy when running RSOP etc), managed to resolve this by deleting the .pol file under “C:\Windows\System32\GroupPolicy\Machine”.