GPO settings

Status
Not open for further replies.

rrevuru

IS-IT--Management
Sep 23, 2004
37
US
Hello:

I have a single domain in a single site in a single forest.

Under my domain name I created an OU, GROUPS. Under GROUPS I have child OUs with the names STAFF, MANAGEMENT.

Whatever GPO I set for the child OU is not getting enforced.

But if I set the same GPO at DOMAINROOT it is getting enforced.

No Overriding (is not checked) for GPO in child OU
Block Inheritance (is not checked) for GPO in child OU

No Overriding (is not checked) for GPO in Domain ROOT
Block Inheritance (is not checked) for GPO in Domain ROOT


It is driving me nuts.

Please, someone has to help me.
 
Have you checked RSOP.msc? This will help in troubleshooting your issues.

Also, this is straight from Microsoft at:

If a parent organizational unit has policy settings that are not configured, the child organizational unit does not inherit them. Policy settings that are disabled are inherited as disabled. In addition, if a policy setting is configured (enabled or disabled) for a parent organizational unit and the same policy setting is not configured for a child organizational unit, the child inherits the parent's enabled or disabled policy setting.

Clear as mud?
 
I am having the same problem. Which version of server are you running? I am running 2003 Standard. I have never had this problem with 2003 Enterprise. Does the RSoP show what you think it should?
 
I am running Win2003 Standard, and RSOP does show me what I think it should. I cannot speak for rrevuru, as I haven't seen a response yet. RSOP has always worked for me, and helps me figure out what else I need to do.
 
ktmrandy:

I am running Windows 2003 Enterprise edition. I don't know how to analyse the RSoP.
But there is a tool in
Start > Help and Support > Support > Advanced System Configuration > View GPO applied

I ran this utility and did not understand much, but after going through the report, all I can say is Local Group Policy is getting applied? Maybe.

Any thoughts?

 
At the bottom of the page that shows the Advanced System Information Policy, Group Policy results for your server, you will find the RSoP tool. Or you can hit Run, then MMC, then add the RSoP to the MMC and run it. I have not found the problem yet, but the RSoP shows the GPO for the domain but not for the local OU I have created.
 
I solved my problem. I had this misunderstood. If I get this right, the GPO only applies to the users in the OU. You can have nested OUs which will receive the GPO through inheritance, but you cannot put a group in an OU and have the GPO apply to the users in that group. The users have to be in the OU.
 
ktmrandy:

But that will duplicate the entries of users? Say, for example, User X is a part of the "MANAGEMENT OU" and the "EXECUTIVE OU".

Do you mean to say that I have to create two instances of user X in each OU? Please explain?

Thanks,
 
I am new to this so I certainly do not have all the answers, but if you set up the OUs as nested then you have one GPO for the higher OU and another, more specific GPO for the nested OU. User X can only be in one OU. Either Management or Executive but not both. I would set up the Executive OU, then nest the Management OU in that. The GPO for the Executive OU can be broad with wide powers or abilities, then the GPO for the Management GPO will inherit the GPO from the Executive GPO. If you want the Management GPO to be more restrictive, it will only affect the users in the Management OU. The GPO will not affect groups but you can use groups to restrict the GPO. In your first email, create the groups OU, then nest a management OU, then nest a staff OU. The GPO for groups will affect the users in the groups OU and management OU and the staff OU.
 
rrevuru:
What GPO settings are you trying to apply? Some can only be done at the domain level (password & security settings).

Someone had a similar problem: check this thread and see if it helps...
thread931-981697

Aftertaf (david)
MCSA 2003
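
The scoping rule the thread arrives at (a GPO follows the location of the user account, not the location of a group object), modelled in Python together with the No Override and Block Inheritance flags from the first post. This is an added example, not code from any poster or from Microsoft. All names (example.local, UserX, Managers, the GPO names) are constructed; local and site policy, WMI filters and loopback processing are left out.

```python
# Constructed sample directory; every name here is illustrative.
DOMAIN = "DC=example,DC=local"
GROUPS_OU = "OU=GROUPS," + DOMAIN
MGMT_OU = "OU=MANAGEMENT," + GROUPS_OU

# Container -> GPO links as (gpo_name, enforced); enforced is the "No Override" box.
LINKS = {
    DOMAIN: [("Domain Policy", False)],
    GROUPS_OU: [("Groups GPO", False)],
    MGMT_OU: [("Management GPO", False)],
}
# Security filtering: GPO -> groups allowed to apply it (absent = Authenticated Users).
FILTERS = {"Management GPO": {"Managers"}}

def containers(dn):
    """Containers above an object, domain root first (naive split, no escaped commas)."""
    parts = dn.split(",")[1:]  # drop the object's own RDN
    suffixes = [",".join(parts[i:]) for i in range(len(parts))]
    return [s for s in reversed(suffixes) if s.endswith(DOMAIN)]

def applied_gpos(dn, member_of=(), links=LINKS, blocked=()):
    """GPOs for the object at dn in processing order; the last one wins a conflict."""
    normal, enforced = [], []
    for container in containers(dn):
        if container in blocked:  # Block Inheritance discards non-enforced GPOs from above
            normal = []
        for gpo, is_enforced in links.get(container, []):
            allowed = FILTERS.get(gpo)
            if allowed is not None and not allowed & set(member_of):
                continue  # linked here, but filtered out for this account
            (enforced if is_enforced else normal).append(gpo)
    # Enforced links apply after everything else, highest container last.
    return normal + enforced[::-1]

if __name__ == "__main__":
    # The Managers group may sit in MANAGEMENT, but this member's account is in Users.
    print(applied_gpos("CN=UserX,CN=Users," + DOMAIN, member_of={"Managers"}))
    # The same account moved into the MANAGEMENT OU.
    print(applied_gpos("CN=UserX," + MGMT_OU, member_of={"Managers"}))
```

Group membership appears only in the filter step: it can remove a linked GPO from an account's list, but it never adds one that is not linked somewhere above the account.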
 