2 sets of 'Deny locally' policy setup but only the higher GP inheritance works

Madman2112 111 Reputation points

Hi All. I have Server 2019 and I have two deny log on locally policies set up in GP Editor but can only get one or the other to work. I just can't seem to get them to work at the same time. I noticed that if I put one above the other in Group Policy inheritance, the one that sits above the other one is the one that works, and vice versa.

I have created two 'Deny logon local' policies in my AD environment. One is called 'ECP users Ipad restrict' and the other is called 'Restricted nurse logons'. Both of these deny logon locally policies were created by opening the Group Policy editor in AD: 'Computer configuration - Policies - Windows settings - Security settings - Local policies - User rights assignment - Deny log on locally'. I also have two machine groups. One is called 'BSL machines' and the other is called 'IPPC'. I then linked both deny logon policies to the parent OU called 'BSL Computers', which has about 33 sub-OUs that represent each building and the computers therein. The 'ECP users ipad restrict' policy is set up to prevent certain user accounts from being used to log in to any of the machines in the 'BSL machines' group as well as the other machine group called 'IP machines'. The scope for that reflects both machine groups. The 'Restricted nurse logons' policy is set up to not allow a user called 'Msteward' to access any machines in the 'BSL machines' group only. The scope also reflects just that. However, the one that sits above the other policy in Group Policy inheritance is the only one that works. Same goes if I reverse them. Ran gpupdate /force on the local workstations and the policy takes. gpresult /r shows that both policies are applying, but only the one in the higher Group Policy order actually takes effect. If I check the local gpedit on the machine it only reflects the one policy that works, even though gpresult shows both. Any help would be appreciated.




Accepted answer
  1. Limitless Technology 39,421 Reputation points

    Hello there,

    By default, Group Policy is inherited and cumulative, and it affects all computers and users in an Active Directory container.

    When we link a GPO to an OU, the GPO applies to the computers and users in every child OU. This concept is called inheritance.

    If you apply a GPO to a branch, any limb of that branch receives the same GPO unless explicitly blocked. Similarly, if you apply a GPO at the root, all branches receive the GPO, too. So unless you expressly prohibit inheritance, anything applied at the top is applied underneath it.

    In general, the order in which Group Policy applies GPOs determines precedence. The order is site, domain, OU, and child OUs. As a result, GPOs in child OUs have a higher precedence than GPOs linked to parent OUs, which have a higher precedence than GPOs linked to the domain, which have a higher precedence than GPOs linked to the site.

    So if a policy in the lower-level child OU is set, this setting value will override the setting value inherited from its higher-level parent OU. In general, the setting in the lower-level OU will not affect the setting in the higher-level OU.

    Overriding and Blocking Group Policy


    --If the reply is helpful, please Upvote and Accept it as an answer--


1 additional answer

  1. Gary Reynolds 9,396 Reputation points


    With the user rights settings in GPOs, only the settings from the last applied policy will be applied; there is no option to merge policy settings.
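One way to confirm on an affected workstation which deny list actually ended up in effect, and which accounts from the other GPO were dropped, as an added example that is not part of either answer; it exports the effective user rights with secedit and diffs them against the accounts the admin expects from both GPOs. The domain and account names in it are assumed placeholders.

```powershell
# Added example (not from the thread): export the "Deny log on locally" right that is
# actually in effect on this workstation and compare it with the accounts the admin
# expects from BOTH GPOs. Domain and account names below are assumed placeholders.
$Expected = @(
    'CONTOSO\Msteward',          # from 'Restricted nurse logons' (domain name assumed)
    'CONTOSO\ecp-ipad-user1'     # from 'ECP users Ipad restrict' (placeholder account)
)

# secedit writes a Unicode .inf; /areas USER_RIGHTS limits the export to user rights.
# Run from an elevated prompt.
$cfg = Join-Path $env:TEMP 'effective-rights.inf'
secedit.exe /export /cfg $cfg /areas USER_RIGHTS /quiet | Out-Null
$line = Get-Content $cfg | Where-Object { $_ -match '^SeDenyInteractiveLogonRight\s*=' }
Remove-Item $cfg -ErrorAction SilentlyContinue

if (-not $line) {
    Write-Warning 'No "Deny log on locally" entries are in effect on this machine.'
    return
}

# Entries are comma separated; SIDs are prefixed with '*', names appear as-is.
$effective = foreach ($entry in (($line -split '=', 2)[1] -split ',')) {
    $entry = $entry.Trim()
    if ($entry.StartsWith('*')) {
        try {
            $sid = New-Object System.Security.Principal.SecurityIdentifier($entry.Substring(1))
            $sid.Translate([System.Security.Principal.NTAccount]).Value
        } catch { $entry }   # unresolvable SID (deleted account, broken trust)
    } else { $entry }
}

"Effective Deny log on locally list:"
$effective | ForEach-Object { "  $_" }

# Accounts the admin expected but that are missing here came from the GPO that lost
# precedence: this user right is replaced, not merged, so only the last applied wins.
$missing = $Expected | Where-Object { $effective -notcontains $_ }
if ($missing) {
    Write-Warning ("Not in effect (lost to the winning GPO): " + ($missing -join ', '))
} else {
    "All expected accounts are denied local logon."
}
```

Because the right is replaced rather than merged, the practical fix is to carry every account that should be denied in a single GPO per set of target machines, and this script is the check that the merged list landed.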