GPO Messed up 1

[NerdTop72]

I have a windows 2000 domain, 2000 & XP clients. I have been testing out a new GP for a new OU and only 1 user is located in that OU. All my other users are located in the default Users OU in AD. Anyways... some users seem to be processing the Folder Redirection part of my New OU's GP? Upon logoff of my normal users on 1 XP machine it saves the data in my Desktop redirection folder? I checked group permission of this user called PLC and it doesn’t have any of the new GPO groups listed. Also here is my GP result for that XP Client...

Applied Group Policy Objects
-----------------------------
DSTUpdate

The following GPOs were not applied because they were filtered out
-------------------------------------------------------------------
Default Domain Policy
Filtering: Disabled (GPO)

Default Domain Policy
Filtering: Disabled (GPO)

Local Group Policy
Filtering: Not Applied (Empty)

Applied Group Policy Objects
-----------------------------
2007UserTest

The following GPOs were not applied because they were filtered out
-------------------------------------------------------------------
Default Domain Policy
Filtering: Disabled (GPO)

Default Domain Policy
Filtering: Disabled (GPO)

Local Group Policy
Filtering: Not Applied (Empty)

DSTUpdate
Filtering: Not Applied (Empty)


The 2007UserTest GP is only assigned to my new OU? It is getting applied even though my user that is logging in part of a different policy. I did test out this client XP machine by logging into the user that is applied to the new OU... that’s when it started to happen.

Any Ideas on how to remove this policy? Is there a setting somewhere that doesn’t force this OU's policy on other clients?

Thanks

 

[markdmac]

What do you have set on the new GPO's security settings tab? Which users & groups are in the list? At what place in your AD did you apply the GPO?

I hope you find this post helpful.

Regards,

Mark

Check out my scripting solutions at

http://www.thespidersparlor.com/vbscript

Work SMARTER not HARDER. The Spider's Parlor's Admin Script Pack is a collection of Administrative scripts designed to make IT Administration easier! Save time, get more work done, get the Admin Script Pack.

 

[NerdTop72]

In the security setting I have
Administrators group
Enterprise Admins group
Redirect Test Group
System

The Group Policy is set in my OU called GRO Test
Inside the OU there is the Redirect test group and
The test user GPOTest

if i right click on my Domain name in AD users and Computers and go to the group policy tab I have
Default Domain Policy which has a red X through it and another policy called DSLUpdate the 2 columns "No Overide" and "Disabled" have no check marks under them. Block policy inheritance is not checked either.

I have a Windows 2000 AD services book and it does not go into detail about making GPO's in OU's or even these other properties like "No Overide", "Disabled", or "Block Policy inhearitance" can anyone explain to me how this would work?

Thanks

 

[markdmac]

In the security setting I have
Administrators group
Enterprise Admins group
Redirect Test Group
System

But what options are checked? Near the bottom is Apply Group Policy. Verify it is checked.


"No Overide" = GPOs that follow can't change the settings in this policy.

"Disabled" = Policy exists and has settings but they will not be applied to anything.

"Block Policy inhearitance" - Do not allow GPOs higher in the structure to apply to the OU.


I hope you find this post helpful.

Regards,

Mark

Check out my scripting solutions at

http://www.thespidersparlor.com/vbscript

Work SMARTER not HARDER. The Spider's Parlor's Admin Script Pack is a collection of Administrative scripts designed to make IT Administration easier! Save time, get more work done, get the Admin Script Pack.

 

[NerdTop72]

Thanks markdmac, your information has been helpful!

 

[markdmac]

So was "Apply Policy" not checked?

I hope you find this post helpful.

Regards,

Mark

Check out my scripting solutions at

http://www.thespidersparlor.com/vbscript

Work SMARTER not HARDER. The Spider's Parlor's Admin Script Pack is a collection of Administrative scripts designed to make IT Administration easier! Save time, get more work done, get the Admin Script Pack.

 

[NerdTop72]

I had my main domain group policy turned off, since we have no settings it decreased the time our roaming profile logins would take. I’m guessing that since there is no default domain policy active, when I logged onto the XP machined with a test GPO it over wrote my User config and my Machine config to the XP box. When I logged in as a different that has no policy the previous GPO stayed in place since there wasn’t any being applied to overwrite... Am I correct in saying this?

Anyways Apply group policy is checked in my default domain policy and my test group OU policy. The default domain policy is disabled in the properties
Disable Computer Configuration
Disable User Configuration

 

[markdmac]

Upper level policies will be applied first. If No Override is selectred ont hem then those settigns apply no matter what. If a lower policy conflicts with an upper policy it will overwrite the settings.

You can block inherritance as well to prvent upper level polices from affecting you.

I hope you find this post helpful.

Regards,

Mark

Check out my scripting solutions at

http://www.thespidersparlor.com/vbscript

Work SMARTER not HARDER. The Spider's Parlor's Admin Script Pack is a collection of Administrative scripts designed to make IT Administration easier! Save time, get more work done, get the Admin Script Pack.