Group policy preference gone awry.

[dstjames]

I was asked to create a policy to reboot computers every night. To test this I created a new policy and assigned it to the IT OU. I restricted it to just my user account and my laptop. Then I created a preference that created a schedule task to execute a shutdown /r /f command on all vista and later computers as a user task and then another as a computer task because this was just a test. All of my servers are in a member servers ou with inheritance blocked and the IT and member servers OU both reside at the same level under the root.

My thinking on this was that it would apply to my laptop with me logged into it and only my laptop with me logged in. This is not what happened. For some reason my pc and laptop rebooted (this I understand) but then so did several of my servers. I noticed that it applied to the servers even though the policy was not applied to their OU and inheritance is blocked on the OU that the servers sit in.

Anyone have any idea how this could have happened?

[scottzaiss]

I sounds like you put the scheduled task in the User settings part of the GPO. Even if you filter the policy to your laptop, since it is a User setting it will apply to your account wherever you log in. You should be able to move the task to the computer config and the filter for your laptop should take effect (no matter who logs in to it). You will probably also need to clean up the scheduled task from those servers if you haven't already.

[btimian]

First make sure this is a computer side not a user side policy. Then, something you can try is to use a filter with a Domain group. So create a security group say called "filter-in Reboot PC" and then add only your laptop to that group. Now int eh GPO add this group as the only group having access. I have used filters like this to roll out setting slowly to computers and works great. Once you have all the computers with the setting you can retire the filter and have it apply again to everyone.

Good Luck!