Group Policy Inheritance?

Chusan

MIS
Nov 13, 2001
54
US
I'm getting conflicting info on how group policies get inherited within a domain policy (Parent to child).

Here's my simple situation: I have an OU and policy set that restricts users from locking their computers (i.e. Remove Lock Computer is enabled). Works great. However I have created another OU and policy under that one that allows the locking of computers (i.e. I have set Remove Lock Computer to disabled). But, "Lock Computer" is still greyed out on the computers within that child policy. So, is the parent policy overriding? If this is the case how can I make that child object override the parent if the same policy is set on both?

Thanks for any help.
 
Remember, the way policies are applied is Local, Site, Domain, and OU. Have you run RSOP.msc on one of the "offending" PCs to ensure that the OU policy is being applied? If not, you may want to start troubleshooting the OU policy, to ensure it is enforced. Make sure that the PCs or users are located in the OU, so on and so forth.
 
Policies from parent domain do not apply to any child domains. Separate entity as far as policies are concerned. You will need to create new policies for each domain.

Hope This Helps,

Good Luck!

(I do what I can with what I know)
 
tfg13 - I know the policy is being applied because there is another policy set that is working fine. The difference is that the policy that is working is not set in the parent policy, the other one (lock computer) is conflicting with the parent policy.

monsterjta - These are all under the same domain, just different OUs.

 
Ah, I see. In this case, check the order of precedence on the OU that is not applying correctly. Make sure that the policy you want (allow lock computer) is higher in the list than the disallow lock computer policy.

You could also block inheritance of the unwanted GPO at the OU level, however, it's not wise to start configuring a bunch of block inheritance rules for the purpose of troubleshooting.

Or, enforce the desired GPO at the OU level.

Also, be sure that the groups you want to affect have the READ and APPLY attributes set on the GPO. Although, this probably is not the issue.

Hope This Helps,

Good Luck!

(I do what I can with what I know)
 
If all else fails, uncheck the APPLY attribute for the unwanted GPO at the OU level. This will cause the GPO to be read but not applied to the OU or Group you define.

Hope This Helps,

Good Luck!

(I do what I can with what I know)
 
Thanks for the help. I actually ended up just going into the local policy through gpedit.msc and setting it there. That finally gave us the Lock Computer button back since I suppose the local policy trumps all domain policies. Nothing else seemed to work. The precedence was correct.

Anyway, thanks again.
 
Actually, what that tells me is that the domain policies were not being applied to that OU. The precedence of the policies, and how they will be applied is Local, Site, Domain, and OU. What that means is that the domain policy will override the local policy. You may want to go back and look at how the policies were enforced.
 
Yep, Local Policy is the first to get applied. ANY other CONFIGURED policy applied after that will take effect.

Hope This Helps,

Good Luck!

(I do what I can with what I know)
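
Added example (not part of the original thread): a simplified model of the Local, Site, Domain, OU processing order discussed above, including the Enforced and Block Inheritance options the replies mention, applied to the "Remove Lock Computer" setting. The GPO and container names are constructed, and the model assumes every link is enabled and ignores security filtering, WMI filters and loopback processing.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass
class Link:
    gpo: str
    value: Optional[str]          # "Enabled", "Disabled", or None = Not Configured
    enforced: bool = False

@dataclass
class Container:
    name: str
    links: List[Link]             # index 0 is link order 1 (highest precedence here)
    block_inheritance: bool = False

def resolve(chain: List[Container]) -> Tuple[Optional[str], Optional[str]]:
    """chain[0] is Local, then Site, Domain, parent OU ... child OU.
    Returns (winning value, name of the GPO that set it)."""
    # Deepest container with Block Inheritance; non-enforced links above it
    # are dropped. Local policy (index 0) is never blocked.
    cut = max((i for i, c in enumerate(chain) if c.block_inheritance), default=0)
    normal = [l for i, c in enumerate(chain) for l in reversed(c.links)
              if not l.enforced and (i == 0 or i >= cut)]
    # Enforced links apply after all normal ones; the link highest in the
    # hierarchy applies last, so walk the chain from the child OU upward.
    enforced = [l for c in reversed(chain) for l in reversed(c.links) if l.enforced]
    value, winner = None, None
    for link in normal + enforced:
        if link.value is not None:   # Not Configured never overwrites
            value, winner = link.value, link.gpo
    return value, winner

def thread_scenario(parent_enforced=False, local_value=None):
    # Constructed from the question: parent OU enables "Remove Lock Computer",
    # child OU disables it. GPO and container names are made up.
    return [
        Container("Local", [Link("Local policy", local_value)]),
        Container("Site", []),
        Container("Domain", [Link("Default Domain Policy", None)]),
        Container("Parent OU", [Link("No-Lock", "Enabled", parent_enforced)]),
        Container("Child OU", [Link("Allow-Lock", "Disabled")]),
    ]

if __name__ == "__main__":
    print(resolve(thread_scenario()))
    print(resolve(thread_scenario(parent_enforced=True)))
    print(resolve(thread_scenario(local_value="Enabled")))
```

In this model the child OU's setting wins unless the parent link is Enforced, and a value set only in local policy is overwritten by any later GPO that configures the same setting.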
 