Updated GPO hasn't applied to all computers in OU

Daisy Zhou 20,791 Reputation points Microsoft Vendor
2020-07-15T06:24:02.027+00:00

Hi,
In my domain we have a group policy deployed for the 'Computers' OU as a workstation policy to configure some things. Recently we've added an item within this GPO to remove local admin access for domain users by configuring a restricted group for builtin/administrators.
From the looks of it, the majority of users are no longer admins and the policy has applied to their computers, however there are reports of some users still with admin permissions. It's like these computers haven't updated group policy and applied the new setting.
I was under the impression that when the users come back on site and log in, group policy would update and remove local admin access...
All computers are in the correct OU for the GPO. The GPO does not have enforced checked if this makes a difference.
I know I can run gpresult, etc. on individual computers, but is there a way or a tool where I can see which computers within this OU haven't updated GP and received the restricted group item so I can address? Or is the easiest way for this to right click on the GPO and force gpo update for the OU - I think the issue with this will be computers that are powered off, etc. won't get the forced gp update though.

Thank you

Source link:
https://social.technet.microsoft.com/Forums/windowsserver/en-US/5e27b202-9a19-448d-8e66-9778529d4bcc/updated-gpo-hasnt-applied-to-all-computers-in-ou?forum=winserverGP


Accepted answer
  1. Fan Fan 15,321 Reputation points Microsoft Vendor
    2020-07-15T06:35:29.37+00:00

    Hello,

    According to your description, we have applied a Group policy to the OU which contains computers. Later we applied a restricted group policy within this GPO. But it seems that the GPO has not applied to all the computers. Here we would like to check with you about the following points.

    To better understand our question, would you please tell us the following information:

    1. According to “In my domain we have a group policy deployed for the 'Computers' OU as a workstation policy to configure some things.”, do we mean we have an OU called “Computers”?

    If so, by default, I know we all have a built-in container called “Computers”, so if I try to create a new OU called “Computers”, I cannot create the OU with the “Computers” name, and I receive the following error message.
    (Screenshot: 12247-10.png)

    2. According to “Recently we've added an item within this GPO to remove local admin access for domain users by configuring a restricted group for builtin/administrators.”, have we configured to add domain users or groups to local Administrators on the clients via GPO restricted group policy settings before? If so, we can try to edit the corresponding GPO and remove the settings to remove local admin access for domain users on the clients.
    (Screenshot: 12379-11.png)

    3. According to “I was under the impression that when the users come back on site and login, group policy would update and remove local admin access...”

    Because Restricted Groups is a computer configuration setting, as for the computer policy, it will be applied once the computer starts up. Besides, only the admins could see the computer policy.

    4. According to our question “I know I can run gpresult, etc on individual computers, but is there a way or a tool where I can see which computers within this OU haven't updated GP and received the restricted group item so I can address?”, we could log on to each computer to have a check by running “gpresult /h” if possible.

    For the computer policy, if the computers are running and are connected to the domain and the users are logged on, the GPO settings will be refreshed by any one of the following three methods:

    Method 1. All the computer group policy settings will be applied when we restart the machines.
    Method 2. We can run the gpupdate /force command to refresh GPO settings manually.
    Method 3. If we do not do anything, the GPO settings will be refreshed after 90-120 minutes.

    For the computer policy, if the computers are powered off, they cannot apply the GPO settings.

    Hope the information is helpful. If you still have problems, please contact us.

    0 comments No comments
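
An added example, not part of the original thread or either poster's code: because the restricted group is computer policy and powered-off machines cannot apply it, one way to find the stragglers is to query each computer in the OU for its actual local Administrators membership and list unreachable machines separately. The OU distinguished name and the allow-list are placeholders, and the script assumes the RSAT ActiveDirectory module and PowerShell remoting (WinRM) are available.

```powershell
# Added example: audit local Administrators membership across an OU.
# Assumptions (not from the thread): $SearchBase and $Allowed are placeholders;
# the RSAT ActiveDirectory module is installed and WinRM is enabled on clients.
Import-Module ActiveDirectory

$SearchBase = 'OU=Workstations,DC=example,DC=com'          # placeholder OU DN
$Allowed    = @('EXAMPLE\Domain Admins', 'Administrator')  # placeholder allow-list

# Runs on each workstation: members of BUILTIN\Administrators, looked up by
# well-known SID so the check also works on localized Windows builds.
$Probe = {
    Get-LocalGroupMember -SID 'S-1-5-32-544' |
        Select-Object -ExpandProperty Name
}

$report = foreach ($c in Get-ADComputer -Filter 'Enabled -eq $true' -SearchBase $SearchBase) {
    $name = $c.DNSHostName
    if (-not $name) { $name = $c.Name }
    try {
        $members = @(Invoke-Command -ComputerName $name -ScriptBlock $Probe -ErrorAction Stop)
        # Local accounts come back as "PC01\Administrator"; strip the computer
        # prefix so they can be compared with the allow-list entries.
        $extra = $members | ForEach-Object {
            $short = $_ -replace "^$([regex]::Escape($c.Name))\\", ''
            if ($Allowed -notcontains $short) { $_ }
        }
        [pscustomobject]@{
            Computer = $name
            Status   = if ($extra) { 'NonCompliant' } else { 'Compliant' }
            Extra    = $extra -join '; '
        }
    }
    catch {
        # Powered-off or unreachable machines cannot be verified; they are
        # reported separately so they can be rechecked once back online.
        [pscustomobject]@{ Computer = $name; Status = 'Unreachable'; Extra = '' }
    }
}

$report | Sort-Object Status, Computer | Format-Table -AutoSize
```

Machines reported as NonCompliant are the ones to follow up with gpresult /h; Unreachable ones have simply not had a chance to apply the setting yet.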
