Group-Policy and Inheritance

I have a Group-Policy created with all the attributes that my SVC clients should be using -- this GP is called GP-SVC.  My client wants to add different access-levels for different sets of users.  I would like to do this by having three new Group-Policies inherit attributes from GP-SVC, except for the VPN Filter ACL which will be different on each of these "child" GP. 
So here is how I want inheritance to work:
DfltGrpPolicy
|
+-- GP-SVC
       |
       +--GP-SVC-Users
       +--GP-SVC-Devs
       +--GP-SVC-Admins
But for some reason, it's not letting me choose a group to inherit attributes from for my child GPs:
asa5505#    show run group-policy GP-SVC
group-policy GP-SVC internal
group-policy GP-SVC attributes
dns-server value 172.17.96.181
vpn-tunnel-protocol svc
split-tunnel-policy tunnelspecified
split-tunnel-network-list value SPLIT-SVC
default-domain value something.local
split-dns value something.local
address-pools value SVC-POOL
asa5505(config)# group-policy GP-SVC-Users internal ?
configure mode commands/options:
  from  Specify group to initialize attributes from
asa5505(config)# group-policy GP-SVC-Users internal from GP-SVC
ERROR: source group GP-SVC does not exist
Anyone have any ideas as to what I'm doing wrong?  My goal was for the "child" group-policies to only have one attribute assigned, the VPN Filter, and for the rest of their attributes to be inherited from GP-SVC.
My Device:
Cisco Adaptive Security Appliance Software Version 8.2(5)3
Hardware:   ASA5505, 512 MB RAM, CPU Geode 500 MHz

Hi jcarvaja
Looks like you're right.  Strange that it errors out:
student10#  show run group-policy
group-policy PARENT internal
group-policy PARENT attributes
dns-server value 1.1.1.1 1.1.1.2
vpn-access-hours none
vpn-idle-timeout 111
vpn-session-timeout 111
split-dns value one.com one.one.com one.one.one.com
student10#
student10# conf t
student10(config)# group-policy CHILDa internal from PARENT
ERROR: source group PARENT does not exist
student10(config)#
student10(config)# show run group-policy
group-policy PARENT internal
group-policy PARENT attributes
dns-server value 1.1.1.1 1.1.1.2
vpn-access-hours none
vpn-idle-timeout 111
vpn-session-timeout 111
split-dns value one.com one.one.com one.one.one.com
group-policy CHILDa internal
group-policy CHILDa attributes
dns-server value 1.1.1.1 1.1.1.2
vpn-access-hours none
vpn-idle-timeout 111
vpn-session-timeout 111
split-dns value one.com one.one.com one.one.one.com
student10(config)#
So it creates the CHILD GP, but it only copies the configuration, doesn't truly inherit.  Which is to say, if I make a change to the parent group, it is not replicated to the child:
student10(config)#
student10(config)# group-policy PARENT attributes
student10(config-group-policy)# dns-server value 3.3.3.3
student10(config-group-policy)# exit
student10(config)# exit
student10#  show run group-policy
group-policy PARENT internal
group-policy PARENT attributes
dns-server value 3.3.3.3
vpn-access-hours none
vpn-idle-timeout 111
vpn-session-timeout 111
split-dns value one.com one.one.com one.one.one.com
group-policy CHILDa internal
group-policy CHILDa attributes
dns-server value 1.1.1.1 1.1.1.2
vpn-access-hours none
vpn-idle-timeout 111
vpn-session-timeout 111
split-dns value one.com one.one.com one.one.one.com
I guess I have my answer then, the "from" keyword is to simply copy the settings from another group-policy, not set up a parent-child relationship.
Thanks for your help, Jcarvaja.  I'll mark your response as the answer.
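
Because "from" only copies attributes at creation time, child group-policies drift from the parent whenever the parent is edited later. The following is an added example, not part of the original thread: a drift check over "show run group-policy" output that compares each child with its parent and ignores only the attribute meant to differ (the VPN filter). The GP-SVC-* children, the ACL name and the sample values are constructed for illustration.

```python
import re

# Constructed sample in the shape of the `show run group-policy` output above.
# The parent's DNS server was changed after the children were cloned.
SAMPLE = """\
group-policy GP-SVC internal
group-policy GP-SVC attributes
 dns-server value 172.17.96.182
 vpn-tunnel-protocol svc
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT-SVC
 address-pools value SVC-POOL
group-policy GP-SVC-Users internal
group-policy GP-SVC-Users attributes
 dns-server value 172.17.96.181
 vpn-tunnel-protocol svc
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT-SVC
 address-pools value SVC-POOL
 vpn-filter value ACL-USERS
group-policy GP-SVC-Admins internal
group-policy GP-SVC-Admins attributes
 dns-server value 172.17.96.182
 vpn-tunnel-protocol svc
 split-tunnel-policy tunnelspecified
 address-pools value SVC-POOL
"""

HEADER = re.compile(r"^group-policy\s+(\S+)\s+(internal|external|attributes)\b")
PROMPT = re.compile(r"^\S+#")  # e.g. "asa5505#" or "student10(config)#"


def parse_group_policies(text):
    """Return {policy_name: {attribute_keyword: rest_of_line}}.

    Accepts indented device output as well as the flattened form pasted
    in the thread, and skips CLI prompt lines mixed into a capture.
    """
    policies = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if PROMPT.match(line):
            current = None
            continue
        header = HEADER.match(line)
        if header:
            name, kind = header.groups()
            policies.setdefault(name, {})
            current = name if kind == "attributes" else None
            continue
        if current is None:
            continue  # configuration that is not inside a group-policy
        key, _, value = line.partition(" ")
        policies[current][key] = value.strip()
    return policies


def drift_report(policies, parent, children, allowed=("vpn-filter",)):
    """Compare each child with the parent, ignoring the allowed overrides.

    'drift' lists (attribute, parent_value, child_value) for every mismatch;
    'missing' lists allowed overrides the child does not set at all, which
    for vpn-filter means the per-group ACL was never applied to that child.
    """
    base = policies[parent]
    report = {}
    for child in children:
        attrs = policies[child]
        drift = []
        for key in sorted(set(base) | set(attrs)):
            if key in allowed:
                continue
            if base.get(key) != attrs.get(key):
                drift.append((key, base.get(key), attrs.get(key)))
        missing = [key for key in allowed if key not in attrs]
        report[child] = {"drift": drift, "missing": missing}
    return report


if __name__ == "__main__":
    parsed = parse_group_policies(SAMPLE)
    result = drift_report(parsed, "GP-SVC", ["GP-SVC-Users", "GP-SVC-Admins"])
    for child, findings in result.items():
        for key, want, have in findings["drift"]:
            print(f"{child}: {key}: parent={want!r} child={have!r}")
        for key in findings["missing"]:
            print(f"{child}: {key} is not set")
```
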

Similar Messages

  • Group Policy and GroupWise Attachments

    My company uses the "Run only allowed Windows Applications" feature from Group Policy to lock down what can be run on our workstations. We have 2 main policies, a standard (lockdown) policy and an admin (open) policy.
    Ever since a 7.0.2 GroupWise client/server upgrade, under my lockdown policy some of my users have complained that when they click the attachment button in GroupWise it no longer goes to the location of the last attached document, instead it goes to a default location. It might be the D drive, the GroupWise directory, it changes from computer to computer. I have confirmed that this is the behavior of the lockdown policy, and when I switch to the open policy the attachment button goes to the previous attachment location as is expected.
    I've placed addrbook.exe, grpwise.exe, gwmailto.exe, gwreload.exe, gwsync.exe and notify.exe in my allowed list for executables and can't figure out what I might be missing. In the past I have found OCX and DLL files that have had to be specifically added to the policies as well to get certain functions to work, is it possible that this may be the case in my situation or could it be a completely different policy that I should be looking at?
    I'm getting ready to push the 8.0.2 clients to my users and this is something that I'd like to try to resolve before I do that push. Thanks!

    I just tore apart my group policy and found that using the Hide These Specific Drives and hiding the C: drive is what is causing this attachment behavior issue. Any ideas why it is causing this and any possible work arounds other than unhiding the C: drive?

  • How can I deploy EFS using Group Policy and automatically encrypt computers for ALL users who login?

    How can I deploy EFS using Group Policy and Active Directory with a goal to automatically encrypt computers for ALL users who login? (NOT an option for me to use BitLocker)
    I was asked to deploy EFS to encrypt the user my documents folder and profile on all of the users laptops. The laptops are in common areas (board meeting rooms, etc) and security of files is a must.
    I successfully created a recovery certificate in AD. I created an OU and setup an EFS policy and users can now login and select to encrypt their own files. The issue is that management would like to have it automatically encrypt ALL users' My Documents AUTOMATICALLY when a user logs in.
    Can this be done?
    Please help

    Hi,
    Any update?
    Just checking in to see if the suggestions were helpful. Please let us know if you would like further assistance.
    Best Regards,
    Andy Qi
    TechNet Subscriber Support

  • MSI Package Software Installations and uninstallations by group policy and sccm

    Hi,
                I have a domain comprising approx. 30 ADCs, 5000 clients and 50 OUs. Our developers have created a c# Program for fetching some information from client machines and displaying them on their
    screen on bootup (presence of 2 particular softwares, antivirus presence and its update date, OS patches updation etc... ). This program(.msi) and .net framework 4.0 is required to be pushed to all client machines. We have SCCM server through which we can
    push software to be installed on clients. There are no. of ADCs for controlling different sites and OUs. Now I need to push this msi and .net framework to all clients. Dotnet  framework I pushed from SCCM & it is successful.
    Till today I have pushed this .MSI package using Group policy software installation settings using a local sharepath & sysvol.
    In Local Share path, MSI source is available at only one ADC and all clients contact this ADC only to install software and it's taking very long time to boot.
    Using Sysvol share path , MSI Source is available at All ADC and All Clients Contact their Site's ADC to install software.Only Win 7, win 8 machines are getting install and software is  not able to install on XP and vista machine. What might be the
    problem for xp machine getting it from sysvol path?
    The error for XP machines is that Sysvol path is not accessible/ source is not available.
    Now I need to have some other foolproof method to apply it. How I need to push this .MSI packages to all sites (ADCs) in my child domain from my PDC.
       I want to know the steps & methods for installing & uninstalling this .MSI package using Group policy and SCCM as well.
       Thanks for replying...

    Hi,
    Based on your description, I want to confirm whether we have more than one domain. If we have more than one domain, it is suggested that we can push the MSI package from each domain.
    Regarding how to use Group Policy to remotely install software, the following article can be referred to for more information.
    How to use Group Policy to remotely install software in Windows Server 2008 and in Windows Server 2003
    http://support.microsoft.com/kb/816102/en-us#method1
    In addition, you also mentioned how to use SCCM to do this, in order to get better assistance, we can ask help in the following SCCM forum.
    System Center Configuration Manager
    http://social.technet.microsoft.com/Forums/systemcenter/en-US/home
    Best regards,
    Frank Shen

  • Group Policy Guru? Group Policy and Windows 7 erratic and inconsistent.

    (*If you don't feel like reading everything, skip to the bottom two paragraphs for my questions)
    I've had a premier call open with MS since August. This week I had a Microsoft Technician in-house.  Though we eliminated some possibilities, we're not really closer to a cause or solution.
    Every time we work with an expert, I get a different explanation to describe the situation we are viewing.
    Quick summary of the issue:  We've been using Group Policy to manage most Windows XP and 7 settings for years, but starting the middle of last year, we began having clients with machines where some or all group policies would fail to apply.
    These could be long assigned policies, new policies, or changes to policies.  It would never affect everyone or even a majority at once, and the resolution is never the same.  Sometimes a GPUPDATE /FORCE sometimes fixed automajically the next day, sometimes (but very rarely) longer.
    Troubleshooting History:
    What we found in early troubleshooting, that these machines, had errors in Event Viewer for Netlogon, Time-Sync, and Group Policy.  The other issue we noticed, was that our GPRESULT /H reports were missing security groups and the denied section was
    nothing but SSID's.  The first issue pointed me to:
    Event ID 5719 and event ID 1129 may be logged when a non-Microsoft DHCP Relay Agent is used
    I installed these Hot Fixes.  No change to any of the errors in event viewer, or to our Group Policy problems.
    Initial work with Premier Support found that Netlogon, Time-Sync, and Group Policy, were failing before loading of the network stack.  The suggestion was to apply the group policy setting "Always wait for the network at computer startup and
    logon".  At the time, this seemed not to work.  The policy was set on a test bed of laptops and desktops, and no changes in behavior were seen after 3 days.
    Windows 7 Clients intermittently fail to apply group policy at startup
    For some time after this, we were collecting GPSVC and NetTrace logs for Premier Support, trying to document and troubleshoot the problem.  Eventually we got fed up and asked our TAM to call in a pro to get this resolved.  We were sent an engineer
    for 3 days.  For three days we banged away on this issue.  We verified AD and replication health, we tried numerous fixes and workarounds.  I learned 3 different descriptions of how Group Policy works, and in the end we thought we had a workaround
    using the "Always wait for the network at computer startup and logon" because of a single success late in the day.  On day 3 we tried replicating this fix, and quickly realized that the same issue we were having preventing other GPOs to apply,
    were also preventing our "fix" GPO from applying.  So we went the route of using a registry entry.  I also had a problem that even though it was making the process more consistent, it was still taking 3 reboots for a Computer Policy, assigned
    to a computer object via Security Group, to fully take effect on a computer.
    I used the registry methods in the above article.  It didn't work, no sign it was having the same effect the GPO had had.
    Our support engineer claimed this was the proper method, but that path wasn't even close in a Windows 7 SP1 registry, and after creating all the keys that were not present, it still didn't work.
    Always wait for the network at computer startup and logon - AzureWeb
    We ran out of time, our engineer returned home.
    I can understand how these errors indicate a problem applying Group Policy at boot.  But to me it doesn't explain why it doesn't correct post boot, and after a GPUPDATE /FORCE and a reboot.
    It also doesn't explain why we were working fine for years, then all of a sudden DHCP is being outrun by background services.  (By the way logging showed DHCP wasn't significantly delayed, our boot process was actually excellent, health wise.)
    Why all of a sudden is this not behaving optimally?  No changes to network design or function.  No changes to the domain since 2008 R2 was installed in 2011.
    Today I'm reading through all these KB's and articles again, and took some time to read:
    [Forum FAQ] Common steps to start troubleshooting Group Policy
    application and its links below.
    We ran through all of that before and during the 3-day onsite.  It's not getting us any closer to the cause or a solution.
    I found and began some deep reading in this link today.  It has some additional information I will try to use next week:
    Group Policy Basics - Part 3: How Clients Process GPOs
    The one unanswered question I have is this.  How is group policy supposed to apply to a computer, when that policy is applied to a AD Security Group, in which the computer object is a member?
    Before we began having this problem, we would assign a computer GPO, then ask the user to reboot.  If it were a user GPO, we'd ask the user to log off, or reboot.  Either way, if we allowed a few minutes for AD and FRS replication, the user would
    log back in with that new policy in effect.  A new imaged machine would boot with all the GPO's linked to that domain and assigned to "Authenticated Users", already in effect.  Admin groups would be present in administrators, proxy settings
    would be set in Internet Explorer, etc.
    Now I'm asked to believe this was never the case from Premier Support and Microsoft Engineers.  That those policies require the equivalent of a "GPUPDATE /FORCE" that was executed by the Local_System account.  That 3 reboots may
    be necessary for a group policy to be applied.  One for the AD Security Group to be applied.  One for the Computer Policy to be applied.  And a final one for the policy in the GPO to be applied to Windows.
    Can someone confirm or correct this information please?  It's imperative to my troubleshooting.
    There's no place like 127.0.0.1

    That key is empty on all of my machines I have checked today.  Working and problematic alike.
    GPRESULT logs, when ran as me, historically would show the group polices applied, denied, and the AD group membership all by name.  About 6 months ago I noticed this changed.
    Now they show the applied GPO's by name, a few of the denied GPO's by name, most by SID, and only 2 to 3 AD groups, though PowerShell shows all the AD groups assigned.  This happens after several AD security and distribution groups are added to the
    machine (Radia software distribution uses Dist groups to assign software).
    A check showed no groups with long legacy Kerberos keys.
    When we make a change to AD Security Group membership, to assign or deny a Group Policy, is usually when we encounter this problem.  It will usually fix itself in 24 hours of the machine being left up and running.  But no amount of GPUPDATE /FORCE
    and rebooting will cause the changes to take effect.
    During this time, the Group Policies will show assigned to the computer in the GPRESULT log.
    Yesterday I began looking into Spanning Tree configuration on our network being a possible cause for the boot up issues.  I'm waiting on responses from our Network group to confirm our configuration.

  • Group Policy and Windows 8.1 questions

    I have a few group policy questions. Thanks in advance for taking a look.
    I’ve downloaded the Win 8.1/Server 2012 ADMX files. They look to  be the same file names as the Win 7 ADMX files. Can I copy them into the  PolicyDefinitions folder and still be able create GPOs for either win 7 or Win  8?
    If we use a windows 8.1 client with the GPO mmc to create the GPOs (instead of putting the ADMX files on the servers), will the GPO built from the win 8.1 client apply correctly even though it's coming down from a DC that doesn’t have those ADMX files?
    Does it make a difference if the win 8.1 client we use to create/edit the GPOs is x64 or x86?
    We recently needed to add in an admx file for Lync 2013. I put the lync.admx file in the PolicyDefinitions folder on one DC. If we build the GPO from that server, when it replicates out to all the other DCs, does it matter that they don’t have that particular
    ADMX file for lync?
    How do we organize and structure our ADMX files wherever they end up so that we know which sets are for which operating system? Should we be thinking about deleting the Win 7 ADMX files when the point comes in the future that we are using only Windows 8
    and Windows 9?
    We are at AD functional level 2003. Do we need to go up in level for any of this to work?

    >  1. I’ve downloaded the Win 8.1/Server 2012 ADMX files. They look to  be
    >     the same file names as the Win 7 ADMX files. Can I copy them into
    >     the  PolicyDefinitions folder and still be able create GPOs for
    >     either win 7 or Win  8?
    Yes. Simply overwrite and you'll be fine.
    >  2. If we use a windows 8.1 client with the GPO mmc to create the GPOs
    >     (instead of putting the ADMX files on the servers), will the GPO
    >     built from the win 8.1 client apply correctly even though its coming
    >     down from a DC that doesn’t have those ADMX files?
    Yes. GPO processing doesn't need ADMX, only GPO editing needs them.
    >  3. Does it make a difference if the win 8.1 client we use to
    >     create/edit the GPOs is x64 or x86?
    No.
    >  4. We recently needed to add in an admx file for Lync 2013. I put the
    >     lync.admx file in the PolicyDefinitions folder on one DC. If we
    >     build the GPO from that server, when it replicates out to all the
    >     other DCs, does it matter that they don’t have that particular ADMX
    >     file for lync?
    If you have a central store for your ADMX, it will automatically
    replicate through all DCs. If not, "2." applies anyway.
    >  5. How do we organize and structure our ADMX files wherever they end up
    >     so that we know which sets are for which operating system? Should we
    >     be thinking about deleting the Win 7 ADMX files when the point comes
    >     in the future that we are using only Windows 8 and Windows 9?
    If you use a central store, update it as required. If not, do nothing
    and use a client with the OS version you want to target.
    >  6. We are at AD functional level 2003. Do we need to go up in level for
    >     any of this to work?
    AD level doesn't matter in any aspect. Schema version matters (Bitlocker
    and Wireless, eg...), but you can update the Schema easily to 2012 and
    have your DCs still run Server 2003.
    Martin
    Want to read a GOOD book about GPOs?
    NO THEY ARE NOT EVIL, if you know what you are doing:
    Good or bad GPOs?
    And if IT bothers me - coke bottle design refreshment :))

  • Hit with Virus that executed via PowerShell Scripting. Can I disable Powershell on my network via Group Policy and what implications does that have for me.

    Our network was hit recently with virus previously unknown, O97M.Crigent.  It is a nasty Macro virus that targets Microsoft Office Documents & Spreadsheets and uses a combination of Macros and Scripts via Powershell. 
    How do I disable PowerShell scripting via Group Policy?
    Will this raise any issues such as random application or network failures or other issues?
    Can I apply it to the entire domain or should I be selective and only apply it to the workstations?
    Network Summary: Windows 2008 Active Directory Server, 75% Windows 7, 25% Windows XP workstations.
    DouglasOfSanMarcos

    Disabling Windows PowerShell can be done with GPO:
    Computer Configuration | Administrative Templates | Windows Components | Windows PowerShell
    From GPO Description: "This setting exists under both "Computer Configuration" and "User Configuration" in the group policy editor. The "Computer Configuration" has precedence over "User Configuration."
    By default this option is restricted any way on computers.
    I would be very selective when applying it at all:
    Workstations - I would apply to test group of workstations first, just to see that there are no side effects before applying to all computers. 
    Server - I wouldn't apply it at all. I have seen too many issues when setting this policy on Exchange and other systems.
     If you are using a Group Policy to define a PowerShell logon, logoff or computer script, that script will disregard any execution policy set locally or through a GPO.
    http://4sysops.com/archives/set-powershell-execution-policy-with-group-policy/
    http://technet.microsoft.com/en-us/library/hh849812.aspx

  • Group Policy and shortcuts

    OK, imagine there is a company "x" that has a group policy which allows certain software to be executed. In one department of this company, employees use a certain program called "y". One employee creates a shortcut of this program
    on the desktop and when he tries to open it, an error message comes out which tells him that a policy which allows certain software is in use. Can someone explain to me what happened? I know the group policy which allows certain software is in use but if
    he can use the program why can't he use the shortcut? :/

    On 04.02.2014 11:47, KristAlbania wrote:
    > One employ create a shortcut of this program on the desktop and when he
    > tries to open it , a error message comes out which tell him that a
    > policy which allows certain softwares is in use .
    AppLocker or SRP? AppLocker has an event log that will tell you what
    exactly was blocked...
    Martin

  • Pushing Printers through Group Policy and Windows 8.1

    I'm looking for help with an issue our organization is having.  We are pushing out our printers through Group Policy on our Windows 2012 server.  We setup a printer security group, then setup the printer on the print server (not shared).  We
    then created a policy under User Configuration\Preferences\Control Panel Settings\Printers\ to then do item level targeting.  We then add that security group to the PC we want to get that printer.  This works with our Windows 7 systems.  Windows
    8.1 on the other hand just has a hard time getting these policies.  
    My question is, is there a certain way you have to deploy printers with Windows 8.1?  We would like to deploy printers going the user configuration route because that way the print jobs have to be pushed to the print server.  Deploying them through
    Computer Configuration doesn't give us that option.
    Any help is greatly appreciated!

    The security group for the printer has multiple computers added to it but only the Windows 7 systems seem to get the policy applied.  Attached is a screen shot(s) of how we currently have it setup.
    https://drive.google.com/file/d/0B3Z5p22SZgFlODJqVVFxOXFFUHM/view?usp=sharing

  • Group policy and access connections?

    Is it possible to disable this option:
    Control Panel -> Lenovo Internet connection -> Switch to advanced -> tools tag -> global settings -> allow wifi to be turned off when inactive (disable)
    I already tried with the acplgin50.exe -> Tvtacad.adm but I don't have the option.

    Try going back to AC 4.52, which solved the problems I was having with AC5.02 (freezes, BSOD, loss of wireless connections when coming out of standby, GUI problems) on Vista Home Premium.  Scroll down for previous versions of AC5.02 here:
    http://www-307.ibm.com/pc/support/site.wss/document.do?lndocid=MIGR-67283
     I do not use a VPN system so AC4.52 may not help your 3500 Thinkpads.
    Lenovo (Mark_Lenovo) knows there are problems with AC5.02 for the last three (or more ) months and have stated that AC 5.1 will solve the problems, but it has not been released as far as I know. There are many threads on AC5.02 on this forum and also on thinkpads.com
    the Lenovo Blog site also has an update on AC5.02 ;under "Design Matters" on how they selected the graphics for wireless connections - the responses there offer some suggestions to fix the problems. 
    T60: 6371-CTO, VISTA Home Premium+SP1, 2GB....R51: 1836-Q4U,XP,1GB...600...755CD

  • How do I setup Active Directory and Group Policy on Windows Server 2012?

    I work for a school district that uses a Windows 2012 server with about 400 Windows 7 PCs and 150 Mac PCs. We are set up with Roaming Profiles on the PCs and would like to be able to setup Active Directory, Group Policy, and Roaming Profiles on our macs. (We also have a mac server that they are using as a file server only) As we are a school, our funds are very low. Now for the questions...
    Is there a software that allow us to accomplish this?
    Is there a free solution or a very reduced price option to do this?
    I heard that http://www.centrify.com/products/mac-edition.asp may accomplish this and I read something about it on here but didn't know if this is what I was really trying to do because it was marked as "The Golden Triangle" and did not mention Roaming Profiles. This is the link though: https://discussions.apple.com/message/17200059#17200059
    Any help would be greatly appreciated.

    The above reply does not take into account that I am trying to use GROUP POLICY EDITOR to make it the default browser.

  • Need help in setting up Group Policy for same user in local system and Terminal server

    Hi All,
    Currently our remote users are using our network using VPN client over internet.
    They are generally at their home computer and doing VPN as they have to work only in one RDP server for application.
    We actually have an OU created for these RDP users and assign them some strict policy like they cannot use any other .exe, they cannot use any explorer, they cannot even use Windows Explorer when they are on RDP, they just use one exe of their application.
    Now what my management want is they want their home computers in Domain and want them to login via their same credentials they are using for RDP but they don't want them to restrict in their home computers with any strict policy.
    Now my confusion is how can I configure different policies for same users or same OU.
    Can any one guide me please...

    you can achieve this fairly easily with group policy.
    create an OU and put your remote desktop servers in that OU.
    configure both user and computer policies in a group policy and link it to that ou.
    you need to enable loopback mode - you may want it in merge or replace depending on your other policies you have. Probably replace though I would guess. this is set in the computer configuration > admin templates > system / group policy section.
    now remove the policy you have currently setup for your users on the users OU containing the rdp users. If you want you can move these users back to your main users OU.
    when your users login to the RDP server the settings in the user section of the GPO linked to the RDP Servers OU will apply.
    when the user logs in to their own computer the policies from the user OU and computer OU will apply - but not the more restrictive RDP OU.
    hope that makes sense.
    Regards,
    Denis Cooper
    MCITP EA - MCT

  • Script to override Group policy (Disable Addins and change default file type)

    Hi there,
    I am developing a solution for our customer that requires Office 2010 64-bit, which I have.
    However my company's group policy, (I believe), keeps adding in a template manager for corporate documents, this template is 32-bit and is incompatible with my version of office. This means that every time I open or close excel I get a warning of incompatibility.
    This is irritating, as is the fact that the default new file type keeps switching back to xls, which causes me problems since my macros need to create xlsx files, for the customer.
    Now I believe that both of these are set by the group policy and while they are fine for most people, due to my unusual role, it causes me irritations I would rather avoid.
    Since I know it will not be possible to change the group policy for the handful of people who are affected like this, I am looking for some help to, e.g. automatically run a script to adjust these settings on my local machine to make my life easier.
    Thanks for your help,
    Vincent.

    Try using Process Monitor for looking up the key.
    For example, you may set the required value through the group policy and see what windows registry keys are changed.

  • Pix 515 and group-policy

    Hello,
    how many group-policy can I configure on PIx 515E with release 7.x?
    Thanks in advance
    B.

    The number of group-policy is important for me because I've many vpn-client sessions that refer to only one vpn-group.
    By radius I authenticate the user and I send to pix the name of group policy that contains the specific address-pool and the split-tunneling acl.
    In this way I can associate per-user the address-pool and the split-acl.
    The best way would be to have only one group-policy and to send by radius the name of address pool and the name of split acl but the pix seems not to support these parameters.
    Thanks B

  • Adobe Reader & Acrobat 6~9 Group Policy ADM file (only applied once?)

    Hi folks. I created the below ADM template last month based on some of the ones I have seen elsewhere. I import the ADM file to use with Group Policy and make the necessary settings (need to uncheck "Only show policy settings that can be fully managed" to see it in GPO Editor).
    Anyway, when the user logs on it stamps them with the desired registry setting (bEnableJS value 0). Yay! But I notice that if a user re-enables JavaScript in Adobe Reader/Acrobat and then logs off and back on again (reboot or logoff/on) the registry setting does not get re-applied. All other pre-existing Group Policies get applied and doing a gpresult or rsop.msc has everything looking as though it did get applied.
    I notice that if I manually do a "gpupdate /force" to a logged on system the setting appears to be reapplied (need to reconfirm this though). Has anyone experienced similar with their ADM templates for this? Perhaps I am missing something? Appreciate any help/advice.
    ; Administrative Template to enable/disable Javascript of Adobe Acrobat/Reader 6.x~9.x
    ; Version 1.0
    ; 2010/1/22
    CLASS USER
    CATEGORY !!Adobe_Acrobat_Reader_6-9
        POLICY !!JavaScript_Reader_9.x
        EXPLAIN !!JavaScript_Reader_9.x_help   
            KEYNAME "Software\Adobe\Acrobat Reader\9.0\JSPrefs"
            PART "Enable/Disable JavaScript:" DROPDOWNLIST
                VALUENAME "bEnableJS"
            ITEMLIST
                NAME !!JavaScript_Enabled VALUE NUMERIC 1
                NAME !!JavaScript_Disabled VALUE NUMERIC 0 DEFAULT
            END ITEMLIST
            REQUIRED
            END PART
        END POLICY
        POLICY !!JavaScript_Acrobat_9.x
        EXPLAIN !!JavaScript_Acrobat_9.x_help
            KEYNAME "Software\Adobe\Adobe Acrobat\9.0\JSPrefs"
            PART "Enable/Disable JavaScript:" DROPDOWNLIST
                VALUENAME "bEnableJS"
            ITEMLIST
                NAME !!JavaScript_Enabled VALUE NUMERIC 1
                NAME !!JavaScript_Disabled VALUE NUMERIC 0 DEFAULT
            END ITEMLIST
            REQUIRED
            END PART
        END POLICY
        POLICY !!JavaScript_Reader_8.x
        EXPLAIN !!JavaScript_Reader_8.x_help
            KEYNAME "Software\Adobe\Acrobat Reader\8.0\JSPrefs"
            PART "Enable/Disable JavaScript:" DROPDOWNLIST
                VALUENAME "bEnableJS"
            ITEMLIST
                NAME !!JavaScript_Enabled VALUE NUMERIC 1
                NAME !!JavaScript_Disabled VALUE NUMERIC 0 DEFAULT
            END ITEMLIST
            REQUIRED
            END PART
        END POLICY
        POLICY !!JavaScript_Acrobat_8.x
        EXPLAIN !!JavaScript_Acrobat_8.x_help
            KEYNAME "Software\Adobe\Adobe Acrobat\8.0\JSPrefs"
            PART "Enable/Disable JavaScript:" DROPDOWNLIST
                VALUENAME "bEnableJS"
            ITEMLIST
                NAME !!JavaScript_Enabled VALUE NUMERIC 1
                NAME !!JavaScript_Disabled VALUE NUMERIC 0 DEFAULT
            END ITEMLIST
            REQUIRED
            END PART
        END POLICY
        POLICY !!JavaScript_Reader_7.x
        EXPLAIN !!JavaScript_Reader_7.x_help
            KEYNAME "Software\Adobe\Acrobat Reader\7.0\JSPrefs"
            PART "Enable/Disable JavaScript:" DROPDOWNLIST
                VALUENAME "bEnableJS"
            ITEMLIST
                NAME !!JavaScript_Enabled VALUE NUMERIC 1
                NAME !!JavaScript_Disabled VALUE NUMERIC 0 DEFAULT
            END ITEMLIST
            REQUIRED
            END PART
        END POLICY
        POLICY !!JavaScript_Acrobat_7.x
        EXPLAIN !!JavaScript_Acrobat_7.x_help
            KEYNAME "Software\Adobe\Adobe Acrobat\7.0\JSPrefs"
            PART "Enable/Disable JavaScript:" DROPDOWNLIST
                VALUENAME "bEnableJS"
            ITEMLIST
                NAME !!JavaScript_Enabled VALUE NUMERIC 1
                NAME !!JavaScript_Disabled VALUE NUMERIC 0 DEFAULT
            END ITEMLIST
            REQUIRED
            END PART
        END POLICY
        POLICY !!JavaScript_Reader_6.x
        EXPLAIN !!JavaScript_Reader_6.x_help
            KEYNAME "Software\Adobe\Acrobat Reader\6.0\JSPrefs"
            PART "Enable/Disable JavaScript:" DROPDOWNLIST
                VALUENAME "bEnableJS"
            ITEMLIST
                NAME !!JavaScript_Enabled VALUE NUMERIC 1
                NAME !!JavaScript_Disabled VALUE NUMERIC 0 DEFAULT
            END ITEMLIST
            REQUIRED
            END PART
        END POLICY
        POLICY !!JavaScript_Acrobat_6.x
        EXPLAIN !!JavaScript_Acrobat_6.x_help
            KEYNAME "Software\Adobe\Adobe Acrobat\6.0\JSPrefs"
            PART "Enable/Disable JavaScript:" DROPDOWNLIST
                VALUENAME "bEnableJS"
            ITEMLIST
                NAME !!JavaScript_Enabled VALUE NUMERIC 1
                NAME !!JavaScript_Disabled VALUE NUMERIC 0 DEFAULT
            END ITEMLIST
            REQUIRED
            END PART
        END POLICY
    END CATEGORY
    [strings]
    Adobe_Acrobat_Reader_6-9="Adobe Acrobat and Reader 6 to 9"
    JavaScript_Reader_9.x="JavaScript Adobe Reader 9.x"
    JavaScript_Reader_9.x_help="Enable/Disable JavaScript in Adobe Reader 9.x"
    JavaScript_Acrobat_9.x="JavaScript Adobe Acrobat 9.x"
    JavaScript_Acrobat_9.x_help="Enable/Disable JavaScript in Adobe Acrobat 9.x"
    JavaScript_Reader_8.x="JavaScript Adobe Reader 8.x"
    JavaScript_Reader_8.x_help="Enable/Disable JavaScript in Adobe Reader 8.x"
    JavaScript_Acrobat_8.x="JavaScript Adobe Acrobat 8.x"
    JavaScript_Acrobat_8.x_help="Enable/Disable JavaScript in Adobe Acrobat 8.x"
    JavaScript_Reader_7.x="JavaScript Adobe Reader 7.x"
    JavaScript_Reader_7.x_help="Enable/Disable JavaScript in Adobe Reader 7.x"
    JavaScript_Acrobat_7.x="JavaScript Adobe Acrobat 7.x"
    JavaScript_Acrobat_7.x_help="Enable/Disable JavaScript in Adobe Acrobat 7.x"
    JavaScript_Reader_6.x="JavaScript Adobe Reader 6.x"
    JavaScript_Reader_6.x_help="Enable/Disable JavaScript in Adobe Reader 6.x"
    JavaScript_Acrobat_6.x="JavaScript Adobe Acrobat 6.x"
    JavaScript_Acrobat_6.x_help="Enable/Disable JavaScript in Adobe Acrobat 6.x"
    JavaScript_Enabled="JavaScript Enabled"
    JavaScript_Disabled="JavaScript Disabled"

    Hey, what you have described is normal behaviour for the way you have written your custom ADM file.
    Because you are not using proper Windows policies, i.e. setting them in the policy location in the registry, once you apply a setting it will not get overwritten again ever unless you make a group policy change or do a gpupdate.
    Normal group policies will get re-applied depending on the time frame set in the policy itself.
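
The distinction drawn in the reply above, as an added example that is not part of the original posts: a small Python check that reads an ADM template and marks each `VALUENAME` as a true policy (key under `Software\Policies` or `Software\Microsoft\Windows\CurrentVersion\Policies`) or as a preference that is stamped once and can drift. The sample's first policy is copied from the posted template; the second policy and its key name are hypothetical, added only for contrast.

```python
import re

# Registry subtrees Group Policy treats as policy locations; values written
# anywhere else are preferences that persist and are not re-enforced.
POLICY_ROOTS = (
    "software\\policies\\",
    "software\\microsoft\\windows\\currentversion\\policies\\",
)

# Constructed sample: first POLICY is from the post, second is hypothetical.
SAMPLE_ADM = r'''CLASS USER
CATEGORY !!Adobe_Acrobat_Reader_6-9
    POLICY !!JavaScript_Reader_9.x
        KEYNAME "Software\Adobe\Acrobat Reader\9.0\JSPrefs"
        PART "Enable/Disable JavaScript:" DROPDOWNLIST
            VALUENAME "bEnableJS"
        END PART
    END POLICY
    POLICY !!Example_True_Policy
        KEYNAME "Software\Policies\ExampleVendor\ExampleApp"
        PART "Setting:" DROPDOWNLIST
            VALUENAME "bExample"
        END PART
    END POLICY
END CATEGORY
'''

def classify_adm(text):
    """Return [(policy, keyname, valuename, kind)] for each VALUENAME."""
    results, policy, key = [], None, None
    for raw in text.splitlines():
        # "END POLICY" does not match: the keyword must start the line.
        m = re.match(r'(?i)^(POLICY|KEYNAME|VALUENAME)\s+"?([^"]+)"?\s*$',
                     raw.strip())
        if not m:
            continue
        word, value = m.group(1).upper(), m.group(2)
        if word == "POLICY":
            policy = value.lstrip("!")   # drop the !! string-table marker
        elif word == "KEYNAME":
            key = value                  # stays in effect until replaced
        else:
            norm = (key or "").lower().rstrip("\\") + "\\"
            kind = "policy" if norm.startswith(POLICY_ROOTS) else "preference"
            results.append((policy, key, value, kind))
    return results

if __name__ == "__main__":
    for row in classify_adm(SAMPLE_ADM):
        print(row)
```

Every entry reported as `preference` is a setting a user can change back after the first application, which matches the behaviour described in the question.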
