Security Settings on Group Policy Object Cause Unexpected Results

You configure security on various Group Policy objects in Active Directory by adjusting group membership and changing security descriptors (access control lists, or ACLs) on the Group Policy objects. When a user managed by these Group Policy objects logs on, the Group Policy applied to this user is different from what you expect.

Possible Causes:

  • Problems with the security groups used to filter whom the Group Policy object applies to.

  • Problems with the ACLs set on Group Policy objects.

Diagnostic Tests:

Write down a list of the Group Policy settings that you expect to apply to the client user and computer. Using Gpresult.exe, generate the list of the Group Policy settings that actually applied to the client user and computer. Compare the lists to determine which Group Policy objects are not applied.
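The comparison can be scripted. The following PowerShell is an added example, not part of the original article. It assumes English-language output in the layout that `gpresult /r /scope user` produces on current Windows versions; the function name Compare-GpoResult, the sample text, and the GPO names are constructed for illustration.

```powershell
# Constructed sample in the layout of `gpresult /r /scope user`; GPO names are made up.
$sample = @'
USER SETTINGS
--------------
    Applied Group Policy Objects
    -----------------------------
        Default Domain Policy
        Sales Desktop Lockdown

    The following GPOs were not applied because they were filtered out
    -------------------------------------------------------------------
        Kiosk Restrictions
            Filtering:  Denied (Security)

        Local Group Policy
            Filtering:  Not Applied (Empty)

    The user is a part of the following security groups
    ---------------------------------------------------
        Domain Users
'@

function Compare-GpoResult {   # hypothetical helper name
    param([string[]]$Expected, [string[]]$Lines)
    $applied = @(); $filtered = @{}; $section = ''; $last = $null
    foreach ($raw in $Lines) {
        $line = $raw.Trim()
        if ($line -eq '' -or $line -match '^-+$') { continue }   # skip blanks and rulers
        if ($line -eq 'Applied Group Policy Objects') { $section = 'applied'; continue }
        if ($line -like 'The following GPOs were not applied*') { $section = 'filtered'; continue }
        if ($line -like 'The * is a part of the following security groups') { $section = ''; continue }
        if ($section -eq 'applied') { $applied += $line }
        elseif ($section -eq 'filtered') {
            # Each filtered GPO name is followed by a "Filtering:" reason line.
            if ($line -match '^Filtering:\s*(.+)$') { if ($last) { $filtered[$last] = $Matches[1] } }
            else { $last = $line }
        }
    }
    foreach ($gpo in $Expected) {
        if ($applied -contains $gpo) { $status = 'Applied' }
        elseif ($filtered.ContainsKey($gpo)) { $status = "Filtered: $($filtered[$gpo])" }
        else { $status = 'Not listed' }
        [pscustomobject]@{ Gpo = $gpo; Status = $status }
    }
}

# On a live client, pass the real output instead: -Lines (gpresult /r /scope user)
$expected = 'Default Domain Policy', 'Sales Desktop Lockdown', 'Kiosk Restrictions'
Compare-GpoResult -Expected $expected -Lines ($sample -split "`r?`n")
```

An expected Group Policy object that comes back as Filtered: Denied (Security) is one whose security filtering and ACLs should be checked.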

To check security filtering and ACLs for the Group Policy objects in question

  1. Right-click a site, domain, or organizational unit in which the Group Policy object is referenced.

  2. Click Properties on the shortcut menu.

  3. Click the Group Policy tab and select the Group Policy object that you want to investigate.

  4. Click the Properties button, and then click the Security tab.

For this Group Policy object to apply successfully, at least one security group to which the user belongs must be listed with both the Read and Apply Group Policy permissions set to Allow. If either of these two permissions is not selected, the Group Policy object will not apply.

Note

Access control lists (ACLs) on Group Policy objects should only be configured and diagnosed using the user interface as explained earlier. Do not try to manually configure ACLs on Group Policy objects located in the Sysvol. This leads to Group Policy objects not applying, or to other unexpected behavior.