Solved

help with the order of processing AD GPs and local GPs

Posted on 2005-04-19
245 Views
Last Modified: 2012-05-05
Hello,

In my domain, users have 3 policies applied. All 3 policies have set 'interactive login remind users 3 days before password expires'.

Their local GP though has this same value set to 14 days?? How is this happening? I thought local policy is applied first upon login and then domain policies are applied.

Should I tick enforce on the AD GP policies?

Please advise.

Thanks,

Question by:acetate
8 Comments
 
LVL 11

Accepted Solution

by:
elbereth21 earned 1500 total points
ID: 13823340
Policies are applied this way:
1) Local Machine Policies
2) Site group policies
3) Domain group policies
4) Organizational Unit group policies
and, unless you are using enforced/No override, the last settings applied are effective.
Remember though, that Security policies are applied at the domain level only and that local security policies are present on the machine even though they are ineffective as long as there is a Domain Security policy applied.
 

Author Comment

by:acetate
ID: 13829998
hello,

So does this mean I should tick enforce on the domain group or organizational unit group policies in order to have their policies applied regardless?

 
LVL 11

Expert Comment

by:elbereth21
ID: 13831399
If I understand you correctly, your problem is that you have policies regarding those reminders applied to domain and you don't see them applied? This should not happen if your machines are joined to a domain, even if you do not set those policies as enforced. Just a question: when you say "Their local GP though has this same value set to 14 days" are you talking about local machine policy (as I believe) or are you saying that users of those PCs receive a reminder two weeks before the password expires?
 

Author Comment

by:acetate
ID: 13832606
hello,

Yes, the policies appear to have not applied, or have been overwritten. All machines are joined to the domain. The local GP of the PCs has 14 days on the value for password reminders. All domain and OU level AD GPs have 3 days?? This doesn't make any sense to me.

So I'm thinking of turning on enforcement at the domain level.

any thoughts?
 
LVL 11

Expert Comment

by:elbereth21
ID: 13833103
You might try with enforced policies; anyway, before doing that, are you sure those users have at least "read and apply" rights on those policies? Is it possible that some kind of filtering (based on some Windows groups) is applied?
After checking these settings turn on enforcement at the domain level, as you proposed.
 

Author Comment

by:acetate
ID: 13840028
I have just checked my servers. They have 2 values: one value is local settings, this value is at 14 days; the other is effective settings, this is at 3 days.

Which one does the server use in different scenarios and why???

thanks
 
LVL 11

Expert Comment

by:elbereth21
ID: 13844060
I suggest you to follow this link:
http://www.oreilly.com/catalog/mwin2reg/chapter/ch07.html
and consider especially this explanation:
"The local GPO

Regardless of whether a computer is part of an Active Directory environment or operates as a standalone machine, every system running Windows 2000 stores exactly one local group policy object (LGPO).[1] The LGPO contains the primary policies for that computer and the users on it. For a standalone Windows 2000 machine, these are the only group policies the computer sees. When the computer is component of a site, domain, or organization unit, nonlocal GPOs join and take precedence over the LGPO. If there's a conflict between LGPO policy settings and settings from the more influential nonlocal GPOs, the LGPO settings are overwritten.

    TIP: GPO Rule #1: since local settings are applied first, they're always overwritten by settings in inherited nonlocal GPOs."

As I stated in my first post, the last applied settings are always the "winning" ones, so the fact that you see two values on your local policies is not a problem: you have to look at the values marked as "effective". If you unjoined your servers from the domain, local policies would take precedence; if instead you log on locally with a local account (such as local administrator) while being joined to a domain, you'll see domain policies applied for Computer Configuration, BUT local policies for User Configuration. This behaviour stems from the fact that domain group policies related to computer configuration are applied BEFORE a user logs in.

I hope I explained in a reasonably clear way this concept, which is not that simple. Anyway, feel free to ask if you have doubts.
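The processing order from the accepted solution and the "local setting" versus "effective setting" distinction in the post above, modelled as an added PowerShell example (not code from this thread); the GPO names, link orders and the 7-day value are assumptions constructed for the demo.

```powershell
# Added example (not from the thread): a model of LSDOU precedence for ONE
# setting, here the "remind N days before password expires" value.
# GPO names, link orders and the 7-day value are constructed.
function Resolve-GpoSetting {
    param([Parameter(Mandatory)] [object[]] $Gpos)  # Name, Scope, LinkOrder, Enforced, Value

    # Processing order is Local, Site, Domain, OU; a setting written later
    # replaces one written earlier, so the last GPO to apply wins.
    $rank = @{ Local = 0; Site = 1; Domain = 2; OU = 3 }

    # Normal links apply in LSDOU order; within one container, link order 1
    # applies last (highest precedence), hence the descending sort.
    $normal = @($Gpos | Where-Object { -not $_.Enforced } |
        Sort-Object @{ Expression = { $rank[$_.Scope] } }, @{ Expression = 'LinkOrder'; Descending = $true })

    # Enforced (No Override) links apply after all normal links, in reverse
    # order: an enforced Domain GPO therefore beats an enforced OU GPO.
    $enforced = @($Gpos | Where-Object { $_.Enforced } |
        Sort-Object @{ Expression = { $rank[$_.Scope] }; Descending = $true }, 'LinkOrder')

    $effective = $null
    $trace = foreach ($gpo in ($normal + $enforced)) {
        if ($null -eq $gpo.Value) { continue }   # Not Configured never overwrites
        $effective = $gpo.Value
        "{0}/{1} sets {2}" -f $gpo.Scope, $gpo.Name, $effective
    }
    [pscustomobject]@{ Effective = $effective; Trace = $trace }
}

# Scenario from the thread: the LGPO says 14 days, the Domain and OU GPOs say
# 3 days. The OU link applies last, so 3 is the "Effective Setting" column.
$gpos = @(
    [pscustomobject]@{ Name = 'LGPO';           Scope = 'Local';  LinkOrder = 1; Enforced = $false; Value = 14 }
    [pscustomobject]@{ Name = 'Default Domain'; Scope = 'Domain'; LinkOrder = 1; Enforced = $false; Value = 3 }
    [pscustomobject]@{ Name = 'Workstations';   Scope = 'OU';     LinkOrder = 1; Enforced = $false; Value = 3 }
)
$r = Resolve-GpoSetting -Gpos $gpos
"Effective: $($r.Effective) days"; $r.Trace

# Same chain, but an OU admin later sets 7 days (constructed). Without Enforced
# the OU wins; ticking Enforced on the domain link makes the domain value win.
$gpos[2].Value = 7
(Resolve-GpoSetting -Gpos $gpos).Effective
$gpos[1].Enforced = $true
(Resolve-GpoSetting -Gpos $gpos).Effective

# On a real joined machine, verify the winning value with RSoP rather than the
# "Local Setting" column: gpresult /r  or  Get-GPResultantSetOfPolicy.
```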
 
LVL 11

Expert Comment

by:elbereth21
ID: 13916772
Sorry to bug you acetate, but I do not understand this B grade: could you possibly explain it?
