I have problems because my group policies do not take effect. I did a search and found many possible solutions; which I will try tomorrow when I'm at work. However, I just wanted to ask a few things I am not yet clear about. But first my setup... Using wk2 server, which is the domain controller. I created an OU named "Testing". Inside that OU, I placed a group called "employees". I created and placed 3 accounts inside the default USERS folder. I made these 3 users members of "employees" group. Next, I went to OU "testing" properties and created a GPO called "mypolicy". I then edited this "mypolicy" to hide Control Panel, and place other restrictions. However, I go to the workstations and login with the user accounts that belong to employees group, and policy does not take effect. I did wait for the refresh interval. But I will try to FORCE the policies with secedit. -is it necessary I place the 3 users I created, plus the actual PC's (from computers folder) inside the "testing" OU for this to work? Presently, the only thing inside the "testing" OU is the group "employees". SETUP: mydomain.com ..... COMPUTERS> w2k_1, w2K_2, ... w2K_25 USERS > secretary1, secretary2, secretary3 ... (secretary1 thru 3 are members of employees group) TESTING (OU)> employees (group I created) Thanx a lot for any help/advice ... I greatly appreciate it.

It is not necessary to add the computer to this OU. First of all, are you using roaming profiles or are you using a mandatory profile? Have you possibly configured a GPO at a higher level such as domain or site that is overriding your "mypolicy GPO"? Do you have therights to configure such policies? Are you infact logging on to the correct domain controller? Do you have policies configured locally that is overriding domain settings? Remember how GPO's are applied, Domain, Site, OU, Locally. in the worst case senerio your GPO could have been hosed during DCpromo. You may need to Demote and promote back to a DC if all else fails. If You need any addition Asst. I have a ftp site with som information that may help you

Well Robert, no offense but don't be too quick to give advice. Some of it is wrong. The first and most important bit of misinformation you provided is the order that policies are applied. You have this completely wrong. The correct order is - Local Policies are applied FIRST, then site, domain, OU(s). It may be necessary to put the computer accounts in the OU if the policy is a computer policy vs. a user policy as defined by the section of the GPO that you are configuring. If you edit a section under "Computer Configuration", then it will be applied to the computer and therefore the computer account must be in the OU the policy affects. If you edit the "User Configuration" section, then it affects the User account and you need to move the User Account into the OU. GPOs are not applied to groups. If I remember correctly, the Disable Control Panel is in the User Configuration and therefore you should not need to put the computer account in the OU for that. Using secedit to force the policy is a good idea but even with that, it may not be instant. As far as the advice about demoting the DC - I wouldn't. If the GPO is hosed, it didn't happen during DCPROMO and if this is your only DC, then your entire domain would be gone if you do DCPROMO and you'll be starting from scratch. If the GPO is hosed, then just delete the GPO and create a new one. Running DCPROMO would be a bit like cutting off your foot to fix a hang nail although I guess that would work. Good luck.

"are you using roaming profiles or are you using a mandatory profile?" -I dont know about profiles and how they affect this. Also, I disabled the default Domain Group Policy and the only policy in place is "mypolicy", and yes I have the proper permissions and everything. There are no local group policies configured. There is only one domain in my company and this is the domain controller as well. "It may be necessary to put the computer accounts in the OU if the policy is a computer policy vs. a user policy as defined by the section of the GPO that you are configuring." So if i am doing things related to USER CONFIGURATION, I have to add the desired users inside my "testing" OU? Like I said, the only thing currently inside the testing OU is the "employees" group. Thanks a lot for the help :)

Like I said, GPOs are not applied to groups. So yes, you need to put the user account in there.