Software Restrictions Inconsistency

Hello,

We use Software Restrictions to block users from launching Outlook on their client machines. We do however allow some users to run Outlook and we do this by assigning them to a group which has Deny permissions to the Software Restrictions GPO.

This has been in place for some time and has been working well, but recently several users have complained that they cannot run Outlook any more. We check GPResult and this suggests that the Software Restrictions GPO is now being applied even though there has been no change in AD Group Membership.

The issue is resolved by a combination of GPUpdate and reboots/logons but the same user may experience the same issue the next day.

As I say there have been no changes to Group Membership or the actual GPO.

We've configured UserEnv logging for some users but this just confirms that when the functionality is "broken" they are getting the Software Restrictions GPO applied and when it is subsequently "fixed" they are no longer applying the Software Restrictions GPO. It doesn't explain WHY they see this change from one state to another.

The only other clue we have is that this seems to only be affecting XP machines. None of our users using a Windows 7 machine have reported this issue, but it's not all the XP users who are seeing the problem.

This one has me stumped!

March 4th, 2014 6:00am

Hi,

Thank you for posting your issue in the forum.

I am trying to involve someone familiar with this topic to further look at this issue. There might be some time delay. Appreciate your patience.

Thank you for your understanding and support.

Best Regards,

Andy Qi

TechNet Subscriber Support

March 5th, 2014 5:01am

Hi,

Thanks for your post.

Based on the question description, this issue could possibly be caused by AdminSDHolder. To resolve it, please first follow the steps below to check if the users who encountered the issue belong to the protected groups.

Action Plan

==============

1. Click Start, click Administrative Tools, and then click ADSI Edit.

2. Locate the user accounts above, right-click them, and then click Properties.

3. Locate the attribute named AdminCount, check if the value of it is 1.

==============

If the value of AdminCount is 1, this user account belongs to protected groups. Please delete it from the protected groups, and change the value of AdminCount to 0 manually.

Please refer to the article below for detailed information related to AdminSDHolder.

AdminSDHolder, Protected Groups and SDPROP

http://technet.microsoft.com/en-us/magazine/2009.09.sdadminholder.aspx

Hope the information above is helpful to you.

March 8th, 2014 5:35am
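
The AdminCount check from the action plan above, scripted for several accounts at once, as an added example that is not part of the original thread. It also confirms that each account is still in the group that is denied the Software Restrictions GPO. The user names and group name are placeholders, and it assumes the ActiveDirectory PowerShell module is available on an admin workstation.

```powershell
# Added example, not from the thread. $Users and $ExemptGroup are placeholders.
Import-Module ActiveDirectory

$Users       = 'jsmith', 'adoe'     # placeholder: sAMAccountNames of affected users
$ExemptGroup = 'Outlook-Allowed'    # placeholder: group with Deny on the SRP GPO

# Resolve direct and nested members of the exemption group once.
$exemptDns = Get-ADGroupMember -Identity $ExemptGroup -Recursive |
    Select-Object -ExpandProperty distinguishedName

$Users |
    ForEach-Object {
        # adminCount is not returned by default, so request it explicitly.
        Get-ADUser -Identity $_ -Properties adminCount
    } |
    Select-Object SamAccountName,
        @{ Name = 'AdminCount'
           Expression = {
               # An absent attribute is shown as <not set>, as in ADSI Edit.
               if ($null -eq $_.adminCount) { '<not set>' } else { $_.adminCount }
           } },
        @{ Name = 'Protected'
           # adminCount = 1 marks an account stamped by SDPROP/AdminSDHolder.
           Expression = { $_.adminCount -eq 1 } },
        @{ Name = 'InExemptGroup'
           # True when the account is a direct or nested member of the group.
           Expression = { $exemptDns -contains $_.DistinguishedName } } |
    Format-Table -AutoSize
```

A row with Protected = True matches the AdminSDHolder case described in the reply; a row with InExemptGroup = False means the account would not receive the Deny on the GPO at all.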

Thanks for the reply. Unfortunately none of the users who have reported the issue are a member of Protected Groups. For all of them, the AdminCount value is <not set>.

Thanks

March 10th, 2014 6:09am

This topic is archived. No further replies will be accepted.
