Systems Management

The domain GPO should overwrite the local GPO. Are you sure your machines/users are getting the updated GPO? Do a "gpupdate /force" to make sure the GPO is brought down. Also, run an "rsop.msc" to see the what the GPO result set is on the machine. There it will tell you which policy is doing what.

- J

ORIGINAL: jcarri06

The domain GPO should overwrite the local GPO. Are you sure your machines/users are getting the updated GPO? Do a "gpupdate /force" to make sure the GPO is brought down. Also, run an "rsop.msc" to see the what the GPO result set is on the machine. There it will tell you which policy is doing what.

- J


Hi
Thanks for the quick response, yes they are getting the policy and when I run RSOP on the machines the Local Policy is top in precedence order and then the ou policy is next!
I have even tried creating a new GPO with the IE setting and that also shows in RSOP but below the Local in order of precedence.

I know what you are saying and I tested the theory on my test vm setup and it works as expected with the OU taking precedence over local, I am at my wits end with this one and have combed the internet without success.

Have you tried removing/adding the machine back to the domain (just to test)? Also, any chance that setting is being applied through any other means? Lastly, have you tried overriding any other setting of the LGPO with the OU GPO? I'm curious if this is the only setting that the OU GPO is not able to override which could lead to the IE settings being implemented through some other means (direct registry modifications) rather than the LGPO (smoke and mirrors).

Just some food for thought :).

- J

Not 100% LGPO will have much bearing on a domain user account in your situation.
However, try deleting the profile out of Documents and Settings (if on W2k3/ XP). Make sure no roaming/flex profiles apply. Log on and see if IE branding runs. Test then.
Also, to eliminate the unknowns, modify the homepage to something "unique" in LGPO and see if the change reflects. Or remove completely LGPO setting.
In addition, go over registry HKCU settings for IE and see what you get in both Policy and regular IE start page settings.
And, just to make clear, you set your settings as "Policy", and not "Preferences" for IE, correct?

Logs are generally helpful in troubleshooting GPOs - do you get any errors in the Event Log, or the GPO logs in:
C:\WINDOWS\Debug\UserMode
%userprofile%\Local Settings\Application Data\Microsoft\Internet Explorer


We did have similar sporadic issue with the setting you described in our AD 2+ years ago that made us resort to a logon script to set the start page. If I recall it right, the explanation had something to do with either the version of AD or the adm templates, or permissions on a file inside SYSVOL policy component file.

Hi quick update on what I have tried so far.

I have created a new Group policy and assigned this to another ou and moved a test user account into that ou and still get the same result on the xp client with Local presedence higher than the ou policy. The strange thing I have noticed when I run RSOP and look at presedence it shows two for both like this.

Domain Policy (Disabled)
Local Policy
Ou Policy
Local Policy
Ou Policy

I tried to make more changes in the ou policy to see if it was just internet explorer, like disable the run and search from the start menu and counter this by enabling with the Local policy and Local is still winning.

I am currently building an XP Client from scratch and will try to see if I get the same result?

Did you try removing and rejoning the PC to the domain?

Yes sorry forgot to mention that, it's didn't work either.