Solved

What am I missing when I apply a GPO at an organizational level that doesn't take effect?

Posted on 2004-10-20
Last Modified: 2012-06-27
Our PDC is a Win2K Server and I am using Active Directory.  I can apply GPOs to the Domain level successfully, however when I apply a GPO at an organizational level it does not take effect.

First, I created an OU: Under Active Directory Users and Computers, and under Groups, I selected Action from the toolbar and then New and Organizational Unit.  The name of this OU is GIS.

To apply a GPO I right clicked on the OU GIS, selected Properties and then the Group Policy tab.  I then selected the New button and named our GPO NORun. I then double clicked the NoRun GPO and selected User Configuration/Administrative Templates/Start Menu & Taskbar/Remove Run Menu from Start Menu, where I selected Enable from the properties.

Next I selected the OU GIS and right clicked to select New and Group.  The name of this new Global Security Group is GISEMP.  The next step was to double click the GISEMP group and select the members tab.  Using the Add button I selected user names to add and clicked OK.

When I log in on the client, the policy has not taken effect. I used the GPResult.exe troubleshooting tool & the policy does not show as being implemented on the client.

Am I missing a step?
Question by:ttri
6 Comments
 
LVL 20

Expert Comment

by:What90
ID: 12364438
Hi ttri,

You need to put the users or computers in the GIS OU for the GPO to be applied to those objects. Group objects aren't affected by GPOs, despite the name of GPOs, which would make you think that's how it would work.

The reason GPOs are working on the Domain level is that they are being applied to the computer and user objects in your AD tree in any OU by default.

Hope that helps
0
 
LVL 15

Accepted Solution

by:
harleyjd earned 250 total points
ID: 12364773
Because the users are not in the OU you are trying to edit, you're not going to have any luck.

Either move the users or move the GPO. You can apply the GPO by group by changing the security on the object to prevent the GPO applying to everyone else.

from http://msdn.microsoft.com/library/default.asp?url=/library/en-us/policy/policy/filtering_the_scope_of_a_gpo.asp

There are different methods administrators can use to prevent a GPO policy from applying to a specific group (for example, to administrators). The easiest method is to remove (uncheck Allow) both the Read and Allow Group Policy ACEs for the group. Another method involves removing the Allow Group Policy ACE for Authenticated Users, and then explicitly granting the permission by checking Allow for the individual security groups that should receive the policy settings. You can also set the Allow Group Policy ACE to Deny for groups of users that do not require the policy.

Warning  Use the Deny ACE with caution. A Deny ACE setting for any group has precedence over any Allow ACE granted to a user or computer as a result of membership in another group. For more information about ACLs, DACLs and ACEs, see Access Control.
0
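The two fixes discussed above (move the users into the OU, or link the GPO higher up and filter it by group), as an added Python example that is not part of the original thread: a simplified model of how GPO scope is decided for a user object. The domain name, user names and the "GIS Admins" group are constructed; the model ignores Block Inheritance, No Override, site links and computer-side processing.

```python
# Added example: simplified model of GPO scope for a user object. It ignores
# Block Inheritance, No Override, site links and computer-side processing.
from dataclasses import dataclass, field

READ, APPLY = "Read", "Apply Group Policy"
AUTH_USERS = "Authenticated Users"

def default_aces():
    # A new GPO lets Authenticated Users read and apply it.
    return [(AUTH_USERS, READ, "Allow"), (AUTH_USERS, APPLY, "Allow")]

@dataclass
class Gpo:
    name: str
    linked_to: str                       # DN of the domain or OU holding the link
    aces: list = field(default_factory=default_aces)  # (trustee, permission, type)

def in_scope(user_dn, container_dn):
    """The user object itself must sit in or below the linked container."""
    return user_dn.lower().endswith("," + container_dn.lower())

def passes_filter(gpo, trustees):
    """Read and Apply must both be allowed; any matching Deny ACE wins."""
    allowed = set()
    for trustee, permission, ace_type in gpo.aces:
        if trustee in trustees:
            if ace_type == "Deny":
                return False
            allowed.add(permission)
    return {READ, APPLY} <= allowed

def applied_gpos(user_dn, groups, gpos):
    trustees = set(groups) | {AUTH_USERS}
    return [g.name for g in gpos
            if in_scope(user_dn, g.linked_to) and passes_filter(g, trustees)]

# Constructed sample directory (names other than GIS, GISEMP and NoRun are made up).
DOMAIN = "DC=example,DC=local"
GIS_OU = "OU=GIS," + DOMAIN
OU_LINKED = Gpo("NoRun", GIS_OU)
FILTERED = Gpo("NoRun", DOMAIN, [(AUTH_USERS, READ, "Allow"),
                                 ("GISEMP", READ, "Allow"), ("GISEMP", APPLY, "Allow"),
                                 ("GIS Admins", APPLY, "Deny")])

if __name__ == "__main__":
    user = "CN=alice,CN=Users," + DOMAIN
    print(applied_gpos(user, ["GISEMP"], [OU_LINKED]))                  # group is in the OU, user is not
    print(applied_gpos("CN=alice," + GIS_OU, ["GISEMP"], [OU_LINKED]))  # user moved into the OU
    print(applied_gpos(user, ["GISEMP"], [FILTERED]))                   # domain link + group filter
    print(applied_gpos(user, ["GISEMP", "GIS Admins"], [FILTERED]))     # Deny overrides Allow
```

The first case is the asker's situation: the GISEMP group sits in the GIS OU, but the member's user object does not, so the OU-linked GPO never reaches that user.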
 
LVL 6

Expert Comment

by:Casca1
ID: 12366215
There is another way; Simply add the group to the security tab of the GPO, and set the read and apply.
However, this circumvents the reason for using the OU, which is to make overall administration easier.
Good Luck
0

 
LVL 15

Expert Comment

by:harleyjd
ID: 12366256
casca that is part of what I posted, you just missed the important bit where it says to remove the "authenticated users" access
0
 
LVL 6

Expert Comment

by:Casca1
ID: 12366296
Sorry, wasn't trying to overpost you! I swear it! 8-)
Lord knows I tend to skim...
0
 
LVL 6

Expert Comment

by:Casca1
ID: 12366312
And yes, I did skim your response; Had to re-read (skim) to see it... Silly me...
But, all I was after was to point out the OU  wasn't the only place it can be applied (obvious) and that the OU had a much broader capability, thus encouraging the best practice method. 8-)
0
