How to tell what policy is applying a setting on a machine...

So, you go to change a setting in a policy on a machine, but it's greyed out. This is essentially because the setting is being pushed down from some other policy, be it Domain, OU, site, etc. You will also note that the icon is different for that element of the policy.

To get a better clue as to where this has come from, we can use a couple of tools:

We can enable further logging by creating the registry value USERENVDEBUGLEVEL (a DWORD) under HKLM\Software\Microsoft\Windows NT\CurrentVersion\WinLogon and setting it to 10002 hex.

Then we run gpupdate /target:computer or gpupdate /target:user, depending on what you're looking at.

Then in %windir%\debug\usermode we have a collection of files. The userenv log is a very useful one: it gives a fairly step-by-step account of which policies have been considered and which have been applied.

Using the other files we can also see which elements of a policy have been pushed down by which policies. It gets quite granular.
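The steps above as one script, as an added example that is not part of the original post. It assumes an elevated PowerShell session on a machine that writes userenv.log to the folder named above; `$Pattern` is a hypothetical search term (for example, part of a policy name) and `$Target` selects computer or user policy.

```powershell
# Added example: enable verbose userenv logging, refresh policy, show the new log lines.
param(
    [ValidateSet('computer', 'user')]
    [string]$Target = 'computer',
    # Hypothetical search term; plain text to look for in the freshly written log lines.
    [string]$Pattern = 'GPO'
)

$key  = 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
$name = 'UserEnvDebugLevel'
$log  = Join-Path $env:windir 'debug\usermode\userenv.log'

# Remember any existing value so it can be restored afterwards.
$previous = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name

try {
    # 0x10002 is the debug level given in the post.
    New-ItemProperty -Path $key -Name $name -PropertyType DWord -Value 0x10002 -Force | Out-Null

    # Note where the log currently ends so that only this refresh is shown.
    $before = if (Test-Path $log) { @(Get-Content $log).Count } else { 0 }

    gpupdate "/target:$Target"

    if (-not (Test-Path $log)) { throw "No log found at $log" }
    $lines = @(Get-Content $log)

    # If the file is now shorter than before, it was recreated: show all of it.
    if ($lines.Count -lt $before) { $before = 0 }

    $lines | Select-Object -Skip $before | Select-String -Pattern $Pattern -SimpleMatch
}
finally {
    # Verbose logging is only needed for the investigation; put the setting back.
    if ($null -eq $previous) {
        Remove-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue
    } else {
        Set-ItemProperty -Path $key -Name $name -Value $previous
    }
}
```

Restoring the previous value in the `finally` block keeps the debug log from growing once the investigation is done.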

 

If it's anything but obvious at this stage where the setting is coming from, it's time to log a CSS call for deeper digging, as it can get very intricate!