
Group policy won't let me delete disk quota entries for old users

I cannot get rid of some quota entries that belong to old users (the system is not able to identify the users; it only presents the SIDs). For most of them, there is an amount used of 1K, but there are no files owned by the specified user. What do I have to do?

In group policy there are two categories: User Configuration and Computer Configuration. I've created an organizational unit (OU) for some users. Of course, it is very reasonable to apply some User Configuration policies for this OU. When do I apply Computer Configuration policies? I've tried to add a station to the above OU and then apply some Computer Configuration policies, but nothing happens. Thank you.

It sounds like you may have some files still in the file system that are owned by the old users. Until you either take ownership of those files or move them to another disk, you cannot delete the disk quota entries. It sounds like you have already removed the user, as you say they are no longer identified by name. You must find the files they owned and take ownership or remove the files; then you will be able to delete the disk quota entries. Here's an article that may help.

Computer Configuration GPO settings will apply to the computers whose accounts are present in the OU to which that GPO is linked. The settings apply, no matter who uses the computer. If you examine the possibilities, they are quite extensive. Actually, you are seeing the results of computer configuration on every computer in a domain, as there are default settings in the default domain policy (a GPO linked to the domain -- right-click the domain in Active Directory Users and Computers and select Group Policy, then choose EDIT to examine it.)

The settings in this policy affect all computers in the domain. Just like user policies, computer settings are applied from the local policy, then the site policy (if any), then the domain policy, then OU policies. I'm not sure why you are not seeing the results of your changes since I don't know what your settings are. It could be that not enough time elapsed after the setting (policy must be refreshed), or that you inadvertently changed something (like say, password policy) that can't be set per computer for domain logons.

If you have the Windows 2000 resource kit, you can use the group policy results utility at the local computer to see which GPOs are being applied. Try setting something small and relatively non-intrusive, like the security setting that sets a logon warning message: computer configuration | security settings | local policies | security options | message text for users attempting to log on. (Don't forget to also set message title for users attempting to log on.) When you have done so, issue the secedit /refreshpolicy machine_policy command on the DC and later on the workstation (this kick-starts replication of the new policy change).
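One way to locate the files the answer says must be re-owned or removed before a quota entry can be deleted, as an added example that is not part of the original answer. It is written in PowerShell for current Windows systems; the `$Root` path, the `$sidCache` variable and the `Test-SidResolves` helper are assumptions made for illustration.

```powershell
# Added example (not from the original answer). Run from an elevated prompt.
param(
    [string]$Root = 'D:\'   # assumption: root of the volume with the stale quota entries
)

$sidCache = @{}   # SID string -> $true when the SID still maps to an account

function Test-SidResolves {
    param([System.Security.Principal.SecurityIdentifier]$Sid)
    if (-not $sidCache.ContainsKey($Sid.Value)) {
        try {
            [void]$Sid.Translate([System.Security.Principal.NTAccount])
            $sidCache[$Sid.Value] = $true
        } catch [System.Security.Principal.IdentityNotMappedException] {
            $sidCache[$Sid.Value] = $false   # deleted account: only the SID remains
        }
    }
    $sidCache[$Sid.Value]
}

# -Force includes hidden and system items that Explorer would not show.
$orphaned = Get-ChildItem -LiteralPath $Root -Recurse -Force -ErrorAction SilentlyContinue |
    ForEach-Object {
        try {
            $acl = Get-Acl -LiteralPath $_.FullName -ErrorAction Stop
            $sid = $acl.GetOwner([System.Security.Principal.SecurityIdentifier])
        } catch {
            return   # owner not readable with current rights; skip this item
        }
        if ($sid -and -not (Test-SidResolves $sid)) {
            $bytes = 0
            if (-not $_.PSIsContainer) { $bytes = $_.Length }
            [pscustomobject]@{ OwnerSid = $sid.Value; Bytes = $bytes; Path = $_.FullName }
        }
    }

# Per-SID summary to compare against the quota entries, then the item list.
$orphaned | Group-Object OwnerSid | ForEach-Object {
    [pscustomobject]@{
        OwnerSid = $_.Name
        Items    = $_.Count
        Bytes    = ($_.Group | Measure-Object Bytes -Sum).Sum
    }
} | Format-Table -AutoSize
$orphaned | Sort-Object OwnerSid, Path | Format-Table OwnerSid, Bytes, Path -AutoSize
```

Items the current account cannot read are skipped silently, so an empty result from a non-elevated session does not prove that no such files exist.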
