Solved

What am I missing when I apply a GPO at an organizational level that doesn't take effect?

Posted on 2004-10-20
Last Modified: 2012-06-27
Our PDC is a Win2K Server and I am using Active Directory.  I can apply GPOs to the Domain level successfully; however, when I apply a GPO at an organizational level it does not take effect.

First, I created an OU: Under Active Directory Users and Computers, and under Groups, I selected Action from the toolbar and then New and Organizational Unit.  The name of this OU is GIS.

To apply a GPO I right clicked on the OU GIS, selected Properties and then the Group Policy tab.  I then selected the New button and named our GPO NORun. I then double clicked the NoRun GPO and selected User Configuration/Administrative Templates/Start Menu & Taskbar/Remove Run Menu from Start Menu, where I selected Enable from the properties.

Next I selected the OU GIS and right clicked to select New and Group.  The name of this new Global Security Group is GISEMP.  The next step was to double click the GISEMP group and select the members tab.  Using the Add button I selected user names to add and clicked OK.

When I log in on the client, the policy has not taken effect. I used the GPResult.exe troubleshooting tool and the policy does not show as being implemented on the client.

Am I missing a step?
Question by:ttri
6 Comments
 
LVL 20

Expert Comment

by:What90
ID: 12364438
Hi ttri,

You need to put the users or computers in the GIS OU for the GPO to be applied to those objects. Group objects aren't affected by GPOs, despite the name of GPOs, which would make you think that's how it would work.

The reason GPOs are working on the Domain level is that it's being applied to the computer and user objects in your AD tree in any OU by default.

Hope that helps
0
 
LVL 15

Accepted Solution

by:
harleyjd earned 250 total points
ID: 12364773
Because the users are not in the OU you are trying to edit, you're not going to have any luck.

Either move the users or move the GPO. You can apply the GPO by group by changing the security on the object to prevent the GPO applying to everyone else.

from http://msdn.microsoft.com/library/default.asp?url=/library/en-us/policy/policy/filtering_the_scope_of_a_gpo.asp

There are different methods administrators can use to prevent a GPO policy from applying to a specific group (for example, to administrators). The easiest method is to remove (uncheck Allow) both the Read and Allow Group Policy ACEs for the group. Another method involves removing the Allow Group Policy ACE for Authenticated Users, and then explicitly granting the permission by checking Allow for the individual security groups that should receive the policy settings. You can also set the Allow Group Policy ACE to Deny for groups of users that do not require the policy.

Warning  Use the Deny ACE with caution. A Deny ACE setting for any group has precedence over any Allow ACE granted to a user or computer as a result of membership in another group. For more information about ACLs, DACLs and ACEs, see Access Control.
0
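Added example, not part of the original thread: a simplified Python model of the two checks the answers above describe, namely whether the user object sits in or below the container the GPO is linked to, and whether the GPO's ACL grants the user both Read and Apply Group Policy. The domain DN, the user names and the `SampleAdmins` group are constructed; block inheritance, enforced links and loopback processing are not modelled.

```python
from collections import namedtuple

# Constructed sample data: the domain DN, users and SampleAdmins group are made up.
READ, APPLY = "Read", "Apply Group Policy"
DOMAIN = "DC=example,DC=local"
GIS_OU = "OU=GIS," + DOMAIN
DEFAULT_ACL = [("Authenticated Users", "Allow", READ),
               ("Authenticated Users", "Allow", APPLY)]
GISEMP_ONLY = [("GISEMP", "Allow", READ), ("GISEMP", "Allow", APPLY)]

Gpo = namedtuple("Gpo", "linked_to acl")   # link target DN; ACEs (trustee, type, permission)
User = namedtuple("User", "dn groups")     # DN of the user object; its security groups

def in_link_scope(user, gpo):
    # A link reaches objects located in or below the linked container.
    # A group object stored in the OU does not pull its members into it.
    parent = user.dn.split(",", 1)[1].lower()
    target = gpo.linked_to.lower()
    return parent == target or parent.endswith("," + target)

def passes_filter(user, gpo):
    # Needs Allow on both Read and Apply Group Policy; any matching Deny wins.
    principals = user.groups | {"Authenticated Users"}
    matching = [(kind, perm) for who, kind, perm in gpo.acl if who in principals]
    if any(kind == "Deny" for kind, _ in matching):
        return False
    return {READ, APPLY} <= {perm for _, perm in matching}

def applies(user, gpo):
    return in_link_scope(user, gpo) and passes_filter(user, gpo)

def scenarios():
    member = User("CN=alice,CN=Users," + DOMAIN, {"GISEMP"})
    moved = User("CN=alice," + GIS_OU, {"GISEMP"})
    other = User("CN=bob,CN=Users," + DOMAIN, set())
    admin = User("CN=carol,CN=Users," + DOMAIN, {"GISEMP", "SampleAdmins"})
    deny = GISEMP_ONLY + [("SampleAdmins", "Deny", APPLY)]
    return {
        "as_asked": applies(member, Gpo(GIS_OU, DEFAULT_ACL)),
        "user_moved_into_ou": applies(moved, Gpo(GIS_OU, DEFAULT_ACL)),
        "domain_link_filtered_member": applies(member, Gpo(DOMAIN, GISEMP_ONLY)),
        "domain_link_filtered_nonmember": applies(other, Gpo(DOMAIN, GISEMP_ONLY)),
        "deny_beats_allow": applies(admin, Gpo(DOMAIN, deny)),
    }

if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name}: {result}")
```

The `as_asked` case is the setup from the question: the GISEMP group lives in OU GIS, but its members still live elsewhere, so the link never reaches them.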
 
LVL 6

Expert Comment

by:Casca1
ID: 12366215
There is another way; Simply add the group to the security tab of the GPO, and set the read and apply.
However, this circumvents the reason for using the OU, which is to make overall administration easier.
Good Luck
0
 
LVL 15

Expert Comment

by:harleyjd
ID: 12366256
Casca, that is part of what I posted; you just missed the important bit where it says to remove the "authenticated users" access.
0
 
LVL 6

Expert Comment

by:Casca1
ID: 12366296
Sorry, wasn't trying to overpost you! I swear it! 8-)
Lord knows I tend to skim...
0
 
LVL 6

Expert Comment

by:Casca1
ID: 12366312
And yes, I did skim your response; Had to re-read (skim) to see it... Silly me...
But, all I was after was to point out the OU  wasn't the only place it can be applied (obvious) and that the OU had a much broader capability, thus encouraging the best practice method. 8-)
0
