GROUP POLICY APPLICATION PROBLEM

[Moscerino]

HI ALL

I've got this problem:

in my network there are 3 domain controllers with active directory, I would set security policies on a group of COMPUTERS of my domain.

So I created a global security group and I put about 20 computer accounts into it. Then I put my group into an OU and I tried to set a policy to this group.

I would like to deny logon locally on this group of computers, to a group of users.

When I set the policy, with "block inheritance" flag, I did the command secedit /refreshpolicy machine_policy to propagate immediately the policy settings to the others DC's. So in the Event Viewer I can see the SceCli Event ID that told me "Security policy in the Group policy object are applied succesfully".

BUT IT'S COMPLETELY FALSE

I can make the logon on computers with one of the users
that I would like to deny it!!!

Another information is this: if I set an User Policy, this is applied quickly and works fine!! For example a logon script applied to a user works perfectly after 5 minutes!!

I add also /enforce to the secedit command but the situation doesn't change!!

Please help me, I'm going to break all my domain forest with a hammer.

Mosce

 

[brontosaurus]

did you add that security group in the permissions of the Group Policy? (Read and Apply Group Policy rights....)

 

[Moscerino]

what group? the computer group or the users group?

 

[brontosaurus]

the security group you created that you're trying to apply the policy to....