Hi,
I am encountering a problem with group policies. I have 2 GPOs that apply when a user logs on, one at the domain level and another one at the OU level:
-My_Domain
#My_Domain_GPO
-My_OU
#My_OU_GPO
In the domain GPO, I enable a parameter. In the OU GPO, I disable the same parameter. The parameter is:
User Configuration\Administrative Templates\Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins/Local users and groups
But when I do an RSOP on the target machine, I see that both GPOs applied, but the winning one is #My_Domain_GPO. The priority order in the priority tab is the following:
#My_Domain_GPO #My_OU_GPO #My_Domain_GPO
The winning one is the first one, so it's #My_Domain_GPO. It should be the OU one... Also, I don't understand why #My_Domain_GPO appears twice in the priority tab.
I don't have any "enforced" GPO and I don't have any inheritance set.
I also tried to remove #My_Domain_GPO and make another one, with the same setting enabled, and I get the same result. So I tried creating an intermediate level OU and moving #My_Domain_GPO into that OU. This works fine. So... I believe that I have an issue with GPOs that are at the domain level and whose settings are overridden in child GPOs. In the example, I gave the "Local users and groups" setting, but I have other settings that behave the same way.
Can you help me understand this, please?
Thank you for your help.
Best regards.
Matteo, .NET Developer and System Engineer