Group Policy: The Foundation Of IntelliMirror
Microsoft Online Seminar that covers best practices for Group Policy including: limit the frequency of Group Policy updates, limit the number of administrators who have the ability to edit Group Policy objects, limit inheritance modification, filtering and loopback, limit the number of Group Policy objects that apply to a site, a domain, or OU, and conduct testing. (April 2000)

The Definitive Guide to Windows 2000 Group Policy
The Tips and Tricks Guide to Windows 2000 Group Policy. Source: FullArmor Corporation

Understanding Group Policies
If you©ve been using a Windows NT environment for a while, you©re no doubt familiar with system policies. Because of this, it may be a little disturbing to learn that the system policies have been done away with in Windows 2000. Instead, system policies have been replaced with group policies. In this article, we©ll introduce you to group policies. As we do, we©ll discuss the capabilities and limitations of group policies. We©ll also discuss some techniques that you can use to help you to implement group policies in your Windows 2000 environment. Source: BrienPosey.com

Assigning Scripts Using Group Policy in Windows 2000
In a Windows NT 4.0 domain environment, assigning scripts to users was more or less restricted to simple logon scripts. In a Windows 2000 domain, however, the power of Group Policy unleashes script deployment capabilities that make NT 4.0 pale in comparison. Source: Swynk.com

HOW TO: Add a Windows 2000 ADM Template to a Group Policy Snap-In 
Microsoft Knowledge Base Article: 307732 - The Office XP Resource Kit includes a number of policy templates for use with various Office XP programs. To use a policy template, you must load it by using the Group Policy snap-in. This article describes this procedure. 

HOW TO: Administer GPO Properties in Windows 2000 
Microsoft Knowledge Base Article: 322176 - This article describes how to access and administer Group Policy object (GPO) properties in a Windows 2000-based environment. To perform the procedures that are described in this article, you must be a member of the Administrators group on a computer that is running Windows 2000 Advanced Server. 

How to Apply Group Policy Objects to Terminal Services Servers
Microsoft Knowledge Base Article: 260370 - Microsoft Windows 2000 Terminal Services servers are installed for users in Application Server mode. When the Windows 2000 Terminal Services servers are in a Windows 2000 Active Directory domain, the domain administrator implements Group Policy Objects (GPOs) to the Terminal Services server to control the user environment. This article describes the recommended process of applying GPOs to Terminal Services without adversely affecting other Windows 2000 servers on the network. 

HOW TO: Assign Software to a Specific Group By Using a Group Policy  
Microsoft Knowledge Base Article: 302430 - You can use group policies to assign or publish software to users or computers in a domain, and it is useful to be able to deploy software based on group membership. Group Policy Objects (GPOs) are normally applied only to members of organization. 

How to Collect Group Policy Engine Debug Information
Microsoft Knowledge Base Article: 277675 - If you encounter problems after you apply changes to the Default Domain and Default Domain Controller group policies by using the LSA API, you can enable debug logging to help determine what problems the associated engines are encountering. 

How to Configure Group Policies to Set Security for System Services
Microsoft Knowledge Base Article: 256345 - You can implement security on system services in Windows 2000. This allows you to control who can manage services on a workstation, member server, or domain controller. Currently, the only way to change a system service is through a Group Policy computer setting.

HOW TO: Create Custom Administrative Templates in Windows 2000 
Microsoft Knowledge Base Article: 323639 - This step-by-step article describes how to create custom Administrative Templates to use with Group Policy settings in a Windows 2000-based domain. 

HOW TO: Create a System Policy Setting in Windows 2000 
Microsoft Knowledge Base Article: 318753 - This step-by-step article describes how to create System Policy settings for down-level client computers in a Windows 2000 domain. In a Windows 2000 network, you can use Group Policy settings to configure and control Windows 2000 and Microsoft Windows XP Professional-based computers. However, to configure Microsoft Windows NT 4.0, Microsoft Windows Millennium Edition (Me), and Microsoft Windows 98-based client computers, you must use System Policy settings. System Policy settings are different from Windows 2000 Group Policy settings in that they overwrite registry settings on the client computer with persistent changes. This behavior is known as "tattooing."

How to Delay Security Policies from Being Applied
Microsoft Knowledge Base Article: 277543 - This article describes how to delay the security policy from being applied when no changes have been made in the Group Policy object (GPO). 

How to Delegate Authority for Editing a Group Policy Object (GPO)
Microsoft Knowledge Base Article: 221577 - Administrators can delegate the authority to create and manage Group Policy Objects (GPOs). This article describes how to accomplish this task. 

How to Deploy Software to a Specific Group By Using a Group Policy
Microsoft Knowledge Base Article: 302430 - You can use group policies to assign or publish software to users or computers in a domain, and it is useful to be able to deploy software based on group membership. Group Policy Objects (GPOs) are normally applied only to members of organizational units (OUs) to which the GPO is linked. Because users cannot be located in several OUs at one time, it is necessary to be able to apply group policies outside of the boundaries of OUs. This article describes how to have your software deployment policy applied to users who are not in a respective OU. 

How to Disable Windows 2000 Dynamic Domain Name System Registrations with Group Policy 
Microsoft Knowledge Base Article: 294832 - This article describes how to disable the dynamic Domain Name System (DNS - registration behavior of Windows 2000 client computers with a Windows 2000 Group Policy. Windows 2000 supports dynamic DNS updates (refer to Request for Comments [RFC] 2136). This behavior is enabled by default for Windows 2000 DNS clients.

How to Disable the "Windows Logo Key+E" Key Combination with Group Policies 
Microsoft Knowledge Base Article: 301422 - This article describes how to use Group Policy to disable the Windows logo key+E key combination. 

How to Dynamically Create Secure Redirected Folders By Using Folder Redirections 
Microsoft Knowledge Base Article: 274443 - In Windows 2000, as an administrator, you can customize desktops by using Folder Redirection. You can redirect the following folders by using Active Directory and Group Policy:

How to Hide Selected Control Panel Tools in Windows 2000
Microsoft Knowledge Base Article: 261241 - This article describes how to hide specific configuration tools in Control Panel using Group Policy. The Group Policy settings that you create are contained in a Group Policy Object (GPO), which is in turn associated with selected Active Directory 

HOW TO: Identify Group Policy Objects in the Active Directory and SYSVOL 
Microsoft Knowledge Base Article: 216359 - When you are troubleshooting the application of a group policy, it may be necessary to validate that the appropriate objects are in the Active Directory and that the file structure is correct in SYSVOL on each domain controller on which the Group Policy Object (GPO) is replicated. A key piece of information in this process is the Globally Unique Identifier (GUID) associated with the GPO. This article discusses identifying a GPO with its GUID 

HOW TO: Keep Domain Group Policies from Applying to Administrator Accounts and Selected Users in Windows 2000 
Microsoft Knowledge Base Article: 315675 - This step-by-step article describes how to keep domain group policies from also applying to administrator accounts and/or selected users. Windows 2000 uses group policies to control operating system behavior and security settings for users 

How to Modify the Default Group Policy Refresh Interval 
Microsoft Knowledge Base Article: 203607 - This article describes how to modify the default group policy refresh interval.

HOW TO: Optimize Group Policy for Logon Performance in Windows 2000 
Microsoft Knowledge Base Article: 315418 - This article describes how to optimize and configure Group Policy to increase logon performance. 

How to Remove the Security Tab By Using a Group Policy 
Microsoft Knowledge Base Article: 303153 - This article describes how an administrator can disable the Security tab from Windows 2000 Professional-based workstations that are members of a Windows 2000 domain. (updated 10/16/2001)

How to Reset User Rights in the Default Domain Group Policy
Microsoft Knowledge Base Article: 226243 - The default Domain Group Policy object (GPO) contains many default user-rights settings. In some cases, changing the default settings may produce undesirable effects. This may result in a condition where unexpected restrictions exist on the user rights. If the changes are unexpected, or if the changes were not recorded so that you do not know which changes were made, it may be necessary to reset these user-rights settings to their defaults 

HOW TO: Restrict Users from Running Specific Windows Programs in Windows 2000 
Microsoft Knowledge Base Article: 323525 - This step-by-step article describes two methods that you can use to restrict users from running specific Windows programs on a Windows 2000-based computer. You can restrict users from running specific programs by either using Group Policy editing the Windows registry.

How to Set Advanced Settings In Internet Explorer by Using Group Policy Objects
Microsoft Knowledge Base Article: 274846 - This article describes how to implement advanced settings by using Group Policy objects (GPOs) in Microsoft Internet Explorer on a computer that is running Windows 2000. This article does assume that you have successfully implemented Group Policies in your Windows 2000 environment.  

How to Use Group Policy Objects to Deploy SP1 for Windows 2000
Microsoft Knowledge Base Article: 260301 - This article illustrates how to use Group Policy Objects to deploy Service Pack 1 for Windows 2000. The same techniques can be used to deploy other programs as well.

HOW TO: Use the Group Policy Results Tool in Windows 2000 
Microsoft Knowledge Base Article: 321709 - This step-by-step article describes how to use the Group Policy Results tool (Gpresult.exe) in Windows 2000.

HOW TO: Use Group Policy to Apply Security Patches in Windows 2000 
Microsoft Knowledge Base Article: 314273 - This step-by-step article describes how to use Group Policy to apply security patches. You must be a member of the Administrators group on a computer that is running either Windows 2000 Server or Windows 2000 Advanced Server to perform all of the procedures that are described in this article. 

HOW TO: Use Group Policy to Audit Registry Keys in Windows 2000 
Microsoft Knowledge Base Article: 315416 - This article describes how to use Group Policy to configure auditing of Windows registry keys. 

HOW TO: Use Group Policy to Deploy Windows XP in a Windows 2000-Based Network 
Microsoft Knowledge Base Article: 314953 - This step-by-step article describes how to use Group Policy to deploy Windows XP Professional in a Windows 2000-based network. You can use Group Policy to make a Windows XP Professional upgrade available to the workstations in your network 

HOW TO: Use Group Policy to Remotely Install Software in Windows 2000 
Microsoft Knowledge Base Article: 314934 - This step-by-step article describes how to use a group policy to automatically distribute programs to client computers or users. 

HOW TO: Use Group Policy to Set Automatic Installation Options Based on File Name Extensions in Windows 2000 
Microsoft Knowledge Base Article: 321713 - This step-by-step article describes how to use a group policy to specify automatic installation options based on file name extensions in Microsoft Windows 2000.

HOW TO: Use the Group Policy Migration Utility to Migrate Windows NT System Policy Settings 
Microsoft Knowledge Base Article: 317367 - This step-by-step article describes how use the Group Policy Migration utility (Gpolmig.exe) to migrate a Microsoft Windows NT 4.0 System Policy setting to Windows 2000. Gpolmig.exe is available in Microsoft Windows 2000 Resource Kit (an updated version of Gpolmig.exe is also available in Microsoft Windows 2000 Resource Kit: Supplement 1). 

Step-by-Step Guide to Configuring Enterprise Security Policies
This guide describes how to configure security policies. It is intended for IT managers, system administrators, and others interested in using Group Policy to manage security in an enterprise network. Source: Microsoft.com (March 7, 2000)

Step-by-Step Guide to Understanding the Group Policy Feature Set
Group Policy specifies settings for groups of users and of computers, including registry-based policy settings, security settings, software installation, scripts (computer startup and shutdown, and log on and log off), and folder redirection. This step-by-step guide examines some of the capabilities of Group Policy. 

Using Group Policies to Control Printers in Active Directory
Microsoft Knowledge Base Article: 234270 - Active Directory printer-related settings can be enabled or disabled by using Group Policies. All Group Policy settings are contained in Group Policy objects that are associated with Active Directory containers 

Using Group Policy Objects to Hide Specified Drives in My Computer for Windows 2000
Microsoft Knowledge Base Article: 231289 - With Group Policy Objects in Windows 2000, there is a "Hide these specified drives in My Computer" option that lets you hide specific drives. 

Using Group Policy Scenarios
This white paper describes six scenarios for using Group Policy, one of the key Change and Configuration Management technologies provided in Windows 2000. 

Using Group Policies to Control Printers in Active Directory
Microsoft Knowledge Base Article: 234270. Active Directory printer-related settings can be enabled or disabled by using Group Policies. All Group Policy settings are contained in Group Policy objects that are associated with Active Directory containers. 

Using Group Policy to Delete Cached Copies of Roaming Profiles
Microsoft Knowledge Base Article: 274152 - This article discusses how you can use Group Policy to delete locally cached copies of roaming profiles. 

Using SECEDIT to Force a Group Policy Refresh Immediately
Microsoft Knowledge Base Article: 227302 - Changes to a group policy object are not immediately imposed upon the target systems, but rather are applied in accordance with the currently valid group policy refresh interval, which uses random factorization to ensure a somewhat balanced load on domain controllers 

Enabling Windows 2000 Application Deployment Debug Logging
Microsoft Knowledge Base Article: 249621 - You can enable diagnostic logging of Group Policy Application Deployment processing by modifying the registry on the computer on which the program is being installed. (updated 7/30/2001) 

Description of Group Policy Restricted Groups
Microsoft Knowledge Base Article: 279301 - This article provides a description of Group Policy Restricted groups. (updated 192001) 

Gpresult Does Not Enumerate the Resultant Computer Security Policy
Microsoft Knowledge Base Article: 258595 - Although the Gpresult.exe command-line tool displays information about the result that Group Policy has on the current computer and logged-on user, it does not reveal details of the security policy. (updated 3/31/2000)

Group Policy Application Rules for Domain Controllers
Microsoft Knowledge Base Article: 259576 - Domain controllers pull some security settings only from group policy objects linked to the root of the domain. Because domain controllers share the same account database for the domain, certain security settings must be set uniformly on all domain controllers. This ensures that the members of the domain have a consistent experience regardless of which domain controller they use to log on. Windows 2000 accomplishes this task by allowing only certain setting in the group policy to be applied to domain controllers at the domain level. This group policy behavior is different for member server and workstations. (updated 10/26/2000) 

Group Policy History Stored in Registry
Microsoft Knowledge Base Article: 201453 - As Group Policy Objects (GPOs) are read and applied when the computer starts or when a user logs on, information about each of the GPOs applied is written to the registry. This information includes which Group Policy Extensions applied policy, the order in which the GPOs were applied, version data, and options defined for each GPO. This data is also used to determine changes that have been made to the GPO since the last time policy was applied. (updated 12/30/1999) 

Group Policy Issues
Discusses troubleshooting Change and Configuration Management, including Group Policy issues, user data management, software installation and maintenance, user settings management, and remote installation. Source: Microsoft.com

Group Policy - Lowering Windows 2000's TCO
Although Win2K's Group Policy is far more complex than NT's system policies, Group Policy might lower Win2K's TCO. Source: Windows & .NET Magazine (March 2000)

Group Policy Management and Design
This paper views the principles behind Group Policy and provides some best practices for Group Policy implementation and design. By Ceri Jones, Network Systems Consultant. Source: Lucent.com (September 2000)

Group Policy Processing
Whitepaper which explains Group Policy, a flexible Change and Configuration Management tool. This tool includes options for registry-based policy settings, security settings, software installation, scripts, startup, shutdown, logon, logoff, and folder redirection. Source: Microsoft.com

Group Policy Storage
Whitepaper which explains Group Policy, a flexible Change and Configuration Management tool. This tool includes options for registry-based policy settings, security settings, software installation, scripts, startup, shutdown, logon, logoff, and folder redirection. Source: Microsoft.com

Group Policy Application Rules for Domain Controllers 
Microsoft Knowledge Base Article: 259576 - Domain controllers pull some security settings only from group policy objects linked to the root of the domain. Because domain controllers share the same account database for the domain, certain security settings must be set uniformly on all (updated 4/25/2000) 

Group Policy Loopback Support
Whitepaper which explains Group Policy, a flexible Change and Configuration Management tool. This tool includes options for registry-based policy settings, security settings, software installation, scripts, startup, shutdown, logon, logoff, and folder redirection. Source: Microsoft.com

A Security Policy Does Not Process Restricted Groups Correctly 
Microsoft Knowledge Base Article: 320099 - If you configure a restricted group by using Group Policy, the membership list is incomplete when the group is processed by the client. This problem is indicated by events from the SceCle and Userenv sources in the Application event log.

Administrator May Be Unable to Edit Group Policy in Windows 2000 Domain
Microsoft Knowledge Base Article: 263166 - If you are an administrator, you may be unable to modify Group Policy in a Windows 2000 domain. In addition, if you attempt to start any tool located in Administrative Tools (including Group Policy Editor or saved custom consoles for Microsoft

Cannot Select Local Groups in Snap-in on Member Computer
Microsoft Knowledge Base Article: 267582 - When you are using the Security Group Policy editor to configure a restricted group from a computer that is a member of a domain (rather than a domain controller), you cannot select domain local groups. 

Disabled Programs Are Displayed in the Software Installation Section of Group Policy Object
Microsoft Knowledge Base Article: 274269 - When you open a Group Policy object (GPO) and examine its Software Installation values, some entries that are displayed in the result pane may be disabled (a red-colored icon is displayed). 

Error 1711: "An error occurred while writing installation information to disk"  
Microsoft Knowledge Base Article: 275869 - If you deploy a program through Group Policy in Windows 2000 without having sufficient free disk space on the domain controller's partition (which holds the Sysvol folder), the Application Deployment Editor may stop responding (hang). 

Error Messages After Importing Basicdc.inf into Group Policy
Microsoft Knowledge Base Article: 256000 - After you import the Basicdc.inf file into the Default Domain Controllers Group Policy object (GPO), the following error messages may be generated. 

Error Message When Opening or Editing a Domain Group Policy Object
Microsoft Knowledge Base Article: 257435 - When you attempt to open or edit a domain Group Policy Object (GPO) on a computer running Windows 2000 Server, you may receive the following error message: (updated 11/29/2000) 

GPO Changes Can Be Written to Different Domain Controllers If the User Is Not a Local Administrator 
Microsoft Knowledge Base Article: 243430 - If a user creates a new Group Policy Object (GPO - and then immediately tries to open the GPO to edit it, the follow error message may occur: 

Group Policy Does Not Disable All Windows Update Components
Microsoft Knowledge Base Article: 279006 - If the Group Policy setting that disables Windows Update functionality is enabled, the Windows Update link is removed from the Start menu, but Device Manager and Printer wizards still provide access to the Microsoft Windows Update Web site. 

Group Policy Hides Both Add/Remove Programs and Folder Options Tools for Roaming Profiles
Microsoft Knowledge Base Article: 296962 - After the Folder Options tool in Control Panel is hidden by using Group Policy, the Add/Remove Programs tool also disappears from Control Panel for users with roaming profiles, even though it is not restricted by a policy. 

Group Policy May Not Be Applied to Users Belonging to Many Groups
Microsoft Knowledge Base Article: 263693 - If a user is a member of many groups (the number of groups varies, but is around 70 to 80 groups) either directly or by membership in other groups, the Group Policy object (GPO) may not be applied to the user. 

Group Policy Not Applied with Many Domain Controllers in Domain
Microsoft Knowledge Base Article: 276516 - When you run Windows 2000 Professional as a member of a Windows 2000-based domain with many domain controllers, the application of Group Policy may not work. The most notable error is event 1001 by SceCli in the Application event log: (updated 4/24/2001) 

Group Policy for Slow Network Detection May Not Work as Expected in a LAN Environment
Microsoft Knowledge Base Article: 262324 - If the policy for a slow network connection for user profiles is enabled and the connection speed is set to 4,294,967,196 Kbps (maximum), the connection may not be treated as a slow connection in a LAN environment. 

Group Policy Snap-ins Display Many Different Languages
Microsoft Knowledge Base Article: 280113 - If you use a multilanguage version of Microsoft Windows 2000 and open a Group Policy snap-in to administer a domain with a different localized version than the one that you are using, you may see multiple languages displayed in the snap-in. 

Inconsistent Group Membership State after a Restricted Group Policy Is Enabled 
Microsoft Knowledge Base Article: 306100 - After you establish a Group Policy object (GPO) that defines restricted groups, and then apply the group policy, the resulting group membership on the destination computer may be incomplete.

Incorrect "Prevent Access to Drives from My Computer" Informational Message 
Microsoft Knowledge Base Article: 315191 - There is a documentation error in the Windows 2000 Professional and Windows XP Professional "Prevent access to drives from My Computer" group policy informational message. The informational message for this group policy incorrectly states: 

Media Folder Favorites Are Installed When Made Unavailable in Group Policy
Microsoft Knowledge Base Article: 272351 - When you add the Wmp.adm file to Administrative Templates in a Group Policy, and you choose the Do not install the default Windows Media Player Favorites in Media folder policy, the policy does not take effect 

Memory Leak When You Search for Group Policy Object Links 
Microsoft Knowledge Base Article: 310605 - When you use the Microsoft Management Console (MMC) to search for Group Policy object (GPO) links, memory may be leaked. You can find this memory leak in the Active Directory User and Computers snap-in if you click Properties for any GPO, and then click Find Now on the Links tab to search for links. The memory is released when you quit MMC. 

Mobile Synchronization Runs Continuously for Non-Administrator
Microsoft Knowledge Base Article: 273838 - If a group policy is used to assign a desktop item (by URL), Mobsync.exe runs repeatedly when a non-administrative user logs on, endlessly synchronizing the Web page for offline use. If an administrator logs on, Mobsync.exe runs only once. 

Organizational Unit Controller Cannot Edit Group Policy Objects
Microsoft Knowledge Base Article: 233548 - After you assign complete control of an Organizational Unit (OU) to a user or group using the Active Directory Users And Computers snap-in for Microsoft Management Console (MMC), that user or group may not be able to edit or create Group Policies (updated 9/25/2000)

Packages Assigned to Computers with Group Policy Are Not Installed
Microsoft Knowledge Base Article: 278472 - You can use Windows 2000 Group Policy objects (GPOs) to assign .msi packages to a group of Windows 2000 Professional-based workstations based on their membership in an organizational unit. When a workstation is rebooted and the computer policies are applied, the assigned programs may not be installed and the following error messages may be logged in the Application event log on the Windows 2000 Professional-based workstation:  

Policy Changing System Service Permissions Does Not Apply
Microsoft Knowledge Base Article: 257247 - When you implement service security settings in Group Policy, the Everyone group is granted Full Control by default. You may not want this setting for security purposes, however, when you use computer-based Group Policy to change permission, the policy may not be applied and there is no way to change permissions on the service 

Policy Restrictions on Drives Cause Unnecessary Error Message at Logon and in File Dialog Box
Microsoft Knowledge Base Article: 270037 - When the "Prevent access to drives from My Computer" policy is applied, you receive the following error message during the logon process: This operation has been cancelled due to restrictions in effect on this computer. Please contact your system administrator. Also, when this policy is applied, you see the same error message twice if you click a drive in My Computer. 

Race Condition May Lead to Loss of Group Policy Changes
Microsoft Knowledge Base Article: 272560 - If you are deploying a program on a large number of domain controllers, and that program changes the default domain controller group policy for each computer on which that program is installed by using Microsoft Windows NT 4.0-style local security authority (LSA) application programming interface (API), when you later try to start the service on all of the computers, the account may not have the required privilege, and therefore the service may not start or may experience errors while the service is running. 

"Run Only Allowed Applications" List in Organizational Unit GPO Becomes Corrupted
Microsoft Knowledge Base Article: 263179 - If you add long file names in the "Run Only Allowed Applications" list in an organizational unit group policy, the list becomes corrupted after the total number of characters exceeds 1,024.

Screen Saver Assigned from Group Policy on Windows 2000 Does Not Work 
Microsoft Knowledge Base Article: 305357 - At your first logon to a Windows 2000 Professional-based computer to which a Windows 2000 Server-based computer has assigned a specific screen saver, the assigned screen saver may not work. The screen saver was assigned as part of a group policy for clients. 

Security Policy May Become Corrupted
Microsoft Knowledge Base Article: 290649 - A security group policy template may become empty or corrupted. 

Security Section of Group Policy Does Not Work if Domain Name Contains "inf"
Microsoft Knowledge Base Article: 292315 - If you have a domain that contains the string "inf" in the fully qualified domain name, such as info.gov, the security settings section of the Group Policy Object (GPO) may not work correctly. In addition, you may not be able to open the GPO "Security" section by using the MMC after you create a group policy.

Some Local Computer Policy Administrative Templates Do Not Work Properly
Microsoft Knowledge Base Article: 254331 - After an administrator uses the Group Policy snap-in to configure a local computer policy and enable various user policies (such as allowing users to make network configuration changes) under the "Network and Dial-up Connections" administrative templates, the policy may not work. 

A Security Policy Does Not Process Restricted Groups Correctly 
Microsoft Knowledge Base Article: 320099 - If you configure a restricted group by using Group Policy, the membership list is incomplete when the group is processed by the client. This problem is indicated by events from the SceCle and Userenv sources in the Application event log.

The Windows 2000 Group Policy to Disable Services Does Not Take Effect 
Microsoft Knowledge Base Article: 295687 - In Windows 2000, the Group Policy to disable "Services" does not take effect. 

Unexpected Results Occur If You Set File Security by Using Either Group Policy or Security Templates  
Microsoft Knowledge Base Article: 321470 - If you try to set file system permissions by using either Group Policy or security templates on files and folders that have Microsoft Windows NT 4.0-style Access Control Lists (ACLs), you may experience unexpected results.

User Must Be the Local (Domain) Administrator to Deploy .msi Package in GPO
Microsoft Knowledge Base Article: 262638 - When you give a user permission to edit a Group Policy object (GPO), they cannot deploy an .msi package to that GPO. 

Web Folders Unavailable When You Use the "Disable Programs on Settings Menu" Policy
Microsoft Knowledge Base Article: 267938 - When you are using the "Disable Programs on Settings menu" policy in Group Policy Objects (GPO) to prevent clients from viewing the