Default Domain Policy - blocking inheritance?

aprilmj asked:

I have a default domain policy that works fine.

Trouble is that I want to block inheritance to ONE specific OU, let's call it test.
     I've allowed the default domain policy to be set to override-allowed (didn't check 'no override')
     I've set the "test" OU to block policy inheritance.

But the domain featureset stuff shows up anyway (message banner is the test I'm using - fairly painless).
I only have two computers in the test OU, and no users.
I also tried creating an 'empty' policy with no-override selected and applying it to the test OU.

No dice.  I keep getting the message banner and proxy config settings that are part of the default domain policy.

Thoughts?  Am I simply unable to block the default domain policy?

-aprilmj
ASKER CERTIFIED SOLUTION by msice

aprilmj (ASKER):

It's not a group or user I want to block (see above) - it's an entire OU.
Have the policies taken effect? Try cmd: secedit /refreshpolicy machine_policy
It can take a while for the policies to take effect.
Make sure No Override is checked in the OU you don't want the Domain GPO to take effect on. Then you will need to reset those policies in a GPO to override your domain policy and do what you want for that OU's policy. No Override does not set it to the default installed domain policy, so if you don't tell it to go away it will still be there.
Sorry, let me restate: No Override does not change the default installed domain policy unless you have one that is to the contrary.
aprilmj (ASKER):

I need to find out how to make the default domain policy NOT apply to a given OU.
I don't want an alternative... I want it to NOT change things like the proxy config and the logon banner.

I'm not looking to have an alternative policy in place, I would prefer NO policy apply at all.
Could a loopback policy be used to stop the default domain policy?  Or?

I cannot 'deny' via security for an OU... for users/groups/and computers, yes... but not OUs.
Waiting and refreshing the machine_policy even with a /enforce doesn't help.

Has anyone actually done this?  Tried to keep a default domain policy from applying to an OU?
Yes, you will need to have a default policy in the OU and check the No Override option - working for me.
aprilmj (ASKER):

Let me ask one more time:

Do you have a default domain policy configured to do anything special?
If so, what does it do that you are successfully blocking further downstream in the OU?
Password policies
Cool, glad you got it working and I was helpful.
Thanks, it worked. In Windows 2008 R2 the No Override option has been renamed to 'Enforced'; you see it when you right-click the GPO.
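The thread's conclusion (Block Inheritance on the OU is defeated by a domain-level link that is Enforced, formerly No Override) can be checked from the GPMC inheritance tab or, more repeatably, with the GroupPolicy PowerShell module. The script below is an added example written for this page, not something any poster provided; it assumes the RSAT GroupPolicy module is installed, and the OU distinguished name and the computer name TESTPC01 are placeholders to replace with your own.

```powershell
# Added example (not from the thread): audit which GPOs still reach an OU and why.
# Requires the GroupPolicy module (RSAT or a domain controller).
Import-Module GroupPolicy

# Placeholder: the OU the asker wants to isolate from the Default Domain Policy.
$ouDn = "OU=test,DC=example,DC=com"

# What the asker did by hand in the GPMC ("Block Policy Inheritance").
# Left commented out so the script stays read-only unless you opt in.
# Set-GPInheritance -Target $ouDn -IsBlocked Yes | Out-Null

$inh = Get-GPInheritance -Target $ouDn
"Inheritance blocked on {0}: {1}" -f $inh.Path, $inh.GpoInheritanceBlocked

# InheritedGpoLinks lists every GPO that still applies to the OU, in precedence order.
# With inheritance blocked, only the OU's own links and Enforced parent links remain,
# so anything listed here from a parent container is the "No Override"/"Enforced" case
# that Block Inheritance cannot stop - exactly the asker's symptom.
foreach ($link in $inh.InheritedGpoLinks) {
    $note = if ($link.Target -eq $ouDn) {
        "linked directly to this OU"
    } elseif ($link.Enforced) {
        "enforced at $($link.Target); Block Inheritance does not remove it"
    } else {
        "inherited from $($link.Target); Block Inheritance would remove it"
    }
    "{0,3}  {1,-40} enabled={2} enforced={3}  {4}" -f `
        $link.Order, $link.DisplayName, $link.Enabled, $link.Enforced, $note
}

# Confirm on one of the two test computers: force a refresh, then read the
# Resultant Set of Policy for the computer scope. gpupdate replaces the
# Windows 2000-era "secedit /refreshpolicy" mentioned in the thread.
# TESTPC01 is a placeholder name.
Invoke-Command -ComputerName TESTPC01 -ScriptBlock { gpupdate /force | Out-Null }
gpresult /r /scope computer /s TESTPC01
```

Run it from an elevated PowerShell session with RSAT. If the Default Domain Policy appears with enforced=True and a Target of the domain root, clearing Enforced on that link (Set-GPLink -Name "Default Domain Policy" -Target "DC=example,DC=com" -Enforced No) is what lets Block Inheritance on the OU take effect; the alternative the thread settled on, a GPO linked to the OU that sets the same settings the other way, wins on precedence instead of removing the policy.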