We spent the day working on an issue where our User Policy wasn’t being applied to the User AD Object logging into a computer. We confirmed the usual steps:
- User AD Object is in the OU where the GPO is applied.
- GPO is enabled.
- Security Filtering is not filtering out the User AD Object.
The policy was simply not showing up on the computer (would not display with `gpresult /r`). After some more digging, we found the issue:
One of the GPOs applied to the Computer AD Object had the
Note: our default has always been to use Merge in this setting … this one just slipped through the cracks. :(
In Merge mode, when the user logs on, the user's list of GPOs is gathered as usual by calling GetGPOList against the user object's location in Active Directory. GetGPOList is then called a second time using the computer object's location, and the GPOs found for the computer are appended to the end of the user's list. Because later entries in the list are applied last, the user settings in the computer's GPOs take precedence over those in the user's own GPOs, but both sets are still processed.
In Replace mode, the user's list of GPOs is not gathered at all; only the list of GPOs derived from the computer object is used. A GPO linked to the user's OU therefore never applies at that computer no matter how the security filtering is set, and it does not show up in `gpresult /r` either. The only user settings that apply are those in GPOs linked to the computer's location, so a user policy that must reach such a machine has to be linked there.
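Finding the offending GPO by hand means opening each GPO linked to the computer's OU and looking under Computer Configuration > Policies > Administrative Templates > System > Group Policy. The following PowerShell is an added example (not from the original post) that does the same sweep from the domain side and then checks what the client actually received. It assumes the RSAT GroupPolicy module is installed, that the account running it can read all GPOs, and that it is run on the affected, domain-joined computer. The loopback setting is stored as the registry value `UserPolicyMode` under `HKLM\SOFTWARE\Policies\Microsoft\Windows\System`, where 1 means Merge and 2 means Replace; the value is absent when the setting is Not Configured.

```powershell
# Added example: report every GPO in the domain that configures
# "Configure user Group Policy loopback processing mode", then show the
# effective mode on this computer. Not part of the original post.
Import-Module GroupPolicy

# Registry location written by the loopback policy (System.admx).
$LoopbackKey   = 'HKLM\SOFTWARE\Policies\Microsoft\Windows\System'
$LoopbackValue = 'UserPolicyMode'
$ModeNames     = @{ 1 = 'Merge'; 2 = 'Replace' }

function Resolve-LoopbackMode {
    param([int]$Raw)
    if ($ModeNames.ContainsKey($Raw)) { $ModeNames[$Raw] } else { "Unknown ($Raw)" }
}

function Get-LoopbackGpo {
    # Returns one object per GPO that sets the loopback value, with its mode.
    param([string]$Domain = $env:USERDNSDOMAIN)

    foreach ($gpo in Get-GPO -All -Domain $Domain) {
        # Get-GPRegistryValue throws when the value is not present in the GPO;
        # treat that as "Not Configured" and skip the GPO.
        try {
            $setting = Get-GPRegistryValue -Guid $gpo.Id -Key $LoopbackKey `
                -ValueName $LoopbackValue -Domain $Domain -ErrorAction Stop
        } catch {
            continue
        }
        [pscustomobject]@{
            GpoName = $gpo.DisplayName
            GpoId   = $gpo.Id
            Mode    = Resolve-LoopbackMode -Raw ([int]$setting.Value)
            Status  = $gpo.GpoStatus
        }
    }
}

function Get-EffectiveLoopbackMode {
    # Client-side view: the value Group Policy actually wrote on this machine.
    $reg = Get-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\System" `
        -Name $LoopbackValue -ErrorAction SilentlyContinue
    if ($null -eq $reg) { return 'Not configured (normal user policy processing)' }
    Resolve-LoopbackMode -Raw ([int]$reg.$LoopbackValue)
}

# Replace-mode GPOs are the ones that silently drop the user's own GPOs.
Get-LoopbackGpo | Where-Object Mode -eq 'Replace' |
    Format-Table GpoName, Mode, Status, GpoId -AutoSize

"Effective loopback mode on $env:COMPUTERNAME: $(Get-EffectiveLoopbackMode)"
```

If the client reports Replace but no GPO in the list is obviously linked to the computer's OU, check inheritance from parent OUs and the domain root, since loopback is a computer setting and follows the computer object, not the user.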
So when do you want to use Replace mode?
A quick scenario is a lab computer at a school that lets users log in with their AD credentials instead of the auto-login account. You may not want the settings you allow on a user's office computer to be pulled down to the lab computer, and Replace mode guarantees that only the user settings linked to the lab computer's OU apply there.