A small GP issue

Guest

Hi,
I have created my first group policy and added some ADM files in the GP MMC.
GP1 is applied to OU1.
In GP1, all the changes are in the Users Configuration section. The changes I
made through ADM files and the computer settings section were all pushed down
fine to users in that OU1.
But the moment I move the users from the applicable OU1 to another OU2, the
changes I made through ADM files are gone, which is fine since there is no
policy there. But the changes which were made in the Computer settings of User
section are still there.
I could create a negative GPO (don't laugh at this term hahaha) to take it
off in OU2, but is it by design or AM I DOING ANYTHING WRONG here?
Please suggest a way to take off those settings without creating a reverse or
negative policy to take out those changes.

Thanks A TON
Sin
 
Simon Geary

I don't think you are doing anything wrong. This feature is, as the saying
goes, by design. There are two types of Group Policies: policies and
preferences. The settings that are not undoing themselves when they move out
of scope of the GPO are probably preferences that are applied by your ADM.

So what's the difference? A policy will be applied in the registry under
HKLM\Software\Policies (for computer settings) and HKCU\Software\Policies
(for user settings). These are 'proper' group policies and the settings
defined in these registry keys will undo themselves when, as in your case,
you move the user to a different OU. If a Group Policy entry edits the
registry anywhere other than the aforementioned keys they are not policies
but preferences. This means that they will stay stuck in the registry until
you manually undo them. So I think your guess was correct, if this policy is
indeed a preference you will need to create another GPO that undoes the
change.
 
lforbes

Hi,
> But the moment i move the Users from the applicable OU1 to another
> OU2, the changes i made through ADM files are gone, which is fine
> since there is no policy there,But the changes which were made in the
> Computer settings of USer section is still there.

Don’t worry. The Computer Config ONLY applies to Computers in that OU.
Therefore if you have a User in the OU, the Computer Config doesn’t
apply to Users.

By the way, what ADMs did you add? If you created custom ADMs they
may "hack" the registry like the NT ADMs did. Therefore they are
not recommended for Group Policy (shown in GP in blue and only if
advanced options are turned on). If they were created by software
companies like MS or Symantec then they were created for GP and should
be fine and show in black.

Cheers,

Lara
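
To check which settings in an ADM will stay behind after a user or computer leaves the GPO's scope, the policy/preference split described in the replies above can be tested against the template itself. The sketch below is an added example, not code from any poster in this thread: the sample ADM, the ExampleCorp key names and the function names are constructed, and besides the Software\Policies key named above it also treats Software\Microsoft\Windows\CurrentVersion\Policies as managed, since Group Policy handles that subtree the same way.

```python
# Managed subtrees, relative to HKLM or HKCU; settings elsewhere are preferences.
MANAGED = ("software\\policies", "software\\microsoft\\windows\\currentversion\\policies")

# Constructed sample ADM template (illustrative; not from the thread).
SAMPLE_ADM = r'''CLASS USER
CATEGORY "Example App"
  KEYNAME "Software\Policies\ExampleCorp\App"
  POLICY "Disable splash screen"
    VALUENAME "NoSplash"
  END POLICY
  POLICY "Set default server"
    KEYNAME "Software\ExampleCorp\App\Settings"
  END POLICY
END CATEGORY
CLASS MACHINE
CATEGORY "Example App"
  POLICY "Hide tray icon"
    KEYNAME "SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ExampleApp"
  END POLICY
END CATEGORY'''

def kind(key):
    # Compare whole path components so "Software\PoliciesFoo" is not a match.
    key = key.strip("\\").lower()
    managed = any(key == p or key.startswith(p + "\\") for p in MANAGED)
    return "policy" if managed else "preference"

def classify_adm(text):
    """Return (hive, policy name, registry key, kind) for each key an ADM writes."""
    rows, hive, policy, keys, cat_keys = [], None, None, [], []
    for line in text.splitlines():
        word, arg = (line.split(None, 1) + ["", ""])[:2]
        word, arg = word.upper(), arg.strip().strip('"')
        if word == "CLASS":
            hive = "HKCU" if arg.upper() == "USER" else "HKLM"
        elif word == "CATEGORY":
            cat_keys.append(cat_keys[-1] if cat_keys else None)  # inherit parent key
        elif word == "POLICY":
            policy, keys = arg, []
        elif word == "KEYNAME" and policy:
            keys.append(arg)       # key set on the policy or on one of its PARTs
        elif word == "KEYNAME" and cat_keys:
            cat_keys[-1] = arg     # category-level key, inherited by its policies
        elif word == "END" and arg.upper() == "CATEGORY" and cat_keys:
            cat_keys.pop()
        elif word == "END" and arg.upper() == "POLICY":
            for key in filter(None, keys or cat_keys[-1:]):
                rows.append((hive, policy, key, kind(key)))
            policy = None
    return rows
```

Every row reported as "preference" is a setting that remains in the registry once the GPO no longer applies and has to be reversed explicitly.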
 