
Group Policy link order/precedence issue

Status
Not open for further replies.

disturbedone

Vendor
Sep 28, 2006
781
AU
I have an issue where 2 GPOs with the same setting, but differing values, appear to cause a conflict. To simplify the scenario, imagine these are the only 2 GPOs. They are used to deny access to logon to UserA & UserB. Certain OUs require UserA to be denied, certain OUs require UserB to be denied and certain OUs require both to be denied. Here's the settings...

GPO1\Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Deny access to this computer from the network (Setting = DOMAIN\UserA)

GPO2\Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Deny access to this computer from the network (Setting = DOMAIN\UserB)

OU1 requires both users be denied and has GPO1 with Link Order 1 and GPO2 with Link Order 2. This denies UserA from logging on but UserB is still allowed to logon. Reversing the Link Order changes which can logon. Between tests I run gpupdate to refresh the policy.

One option would be to create GPO3, add both users to this GPO and apply it to an OU that requires both users be denied. Then only apply GPO1/GPO2 to OUs that only require one being denied. But that's only if that's the only solution. I thought that GPOs with differing settings combined to give a "total" effective setting that would be applied.

Thoughts??
 
I just read that back and realised it doesn't make sense! ;)

The conflicting GPOs cannot "accumulate" as such and one has to take precedence, hence the ability to do that. I'll have to make a 3rd GPO and include both users, then link it to the appropriate OUs.

But confirmation from someone else would be nice. If there's another way around it I'd be interested to know.
 
Hi Disturbedone, took me a while to make sense of that as well ;)
As you say in your second post, policies don't merge if the setting is set in both; whichever policy is at place "1" in the precedence order in GPMC will apply.
A good tool, if you haven't seen it already, is either Group Policy Results from within GPMC.msc or running RSOP.msc on the server that the policy applies to. This will show you which policies should be applied based on which OUs your user and computer objects are in.
As for another way to do what you're doing, there probably isn't a more efficient way. The only thing I would personally do is create a group called something like grp-DenyAccess and add both users into it, and in the GPO, deny permission to that group. If you need to deny more users in future, you can add them to the group rather than messing about with your policies.

Paul

Paul Thomas
Important IT
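An added example (not code from either poster) that performs the check discussed above from PowerShell: it walks the GPOs linked to an OU in GPMC precedence order and reports which single GPO supplies the effective "Deny access to this computer from the network" right, showing that lower-precedence GPOs are not merged in. It assumes the GroupPolicy RSAT module is available, that the OU distinguished name is a placeholder for your own, and that the GPO XML report places user rights in the Security settings namespace shown.

```powershell
# Added example, not from the thread. Assumes the GroupPolicy RSAT module and a
# placeholder OU DN; SeDenyNetworkLogonRight is the constant behind the GPMC
# setting "Deny access to this computer from the network".
Import-Module GroupPolicy

function Resolve-UserRightWinner {
    param(
        [Parameter(Mandatory)] [string] $OuDistinguishedName,
        [string] $Right = 'SeDenyNetworkLogonRight'
    )
    # InheritedGpoLinks is the effective list for the container (local links
    # plus inherited/enforced ones); lowest Order = highest precedence, i.e.
    # what GPMC shows as link order 1.
    $links = (Get-GPInheritance -Target $OuDistinguishedName).InheritedGpoLinks |
             Sort-Object Order
    foreach ($link in $links) {
        if (-not $link.Enabled) { continue }
        [xml] $report = Get-GPOReport -Guid $link.GpoId -ReportType Xml
        $ns = New-Object System.Xml.XmlNamespaceManager($report.NameTable)
        # Namespace used by the Security Settings extension in GPO XML reports
        # (assumption documented in the lead-in).
        $ns.AddNamespace('sec', 'http://www.microsoft.com/GroupPolicy/Settings/Security')
        $node = $report.SelectSingleNode(
            "//sec:UserRightsAssignment[sec:Name='$Right']", $ns)
        if ($node) {
            # The first GPO in precedence order that defines the right wins
            # outright. A GPO that defines it with no members still wins and
            # clears the right, so we test for the node, not for members.
            $members = @($node.SelectNodes('sec:Member/sec:Name', $ns) |
                         ForEach-Object { $_.InnerText })
            return [pscustomobject]@{
                WinningGpo = $link.DisplayName
                LinkOrder  = $link.Order
                Members    = $members
            }
        }
    }
    return $null   # no linked GPO defines this right; local default applies
}

# Placeholder OU from the thread's scenario; substitute your own DN.
Resolve-UserRightWinner -OuDistinguishedName 'OU=OU1,DC=example,DC=com'
```

In the scenario above, with GPO1 at link order 1, the function returns GPO1 with only DOMAIN\UserA as a member; reversing the link order returns GPO2 with only DOMAIN\UserB, which is the behaviour the thread describes.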
 