Solved

GPO Links

Posted on 2006-04-10
Last Modified: 2010-04-18
Hi experts, I have a network with a 2003 server running. I have AD and have configured a number of OUs. I have a student OU, and in that OU I have all the grades 8-9-10 etc.
I have configured policies on the root student OU and individual policies on each grade as to programs and printers, scripts etc. Is this the appropriate way to roll this out? I cannot get the GPO to take effect. The password policy is set to not lock out users in the student policy, but it is set in the default domain policy to lock users out. If I check enforced, will the default policy take effect and only the changes on that OU's policies take effect? Thanks. I will give good points for this, as I will no doubt have to clarify this a bit.
Question by:fessiambre
18 Comments
 
LVL 22

Expert Comment

by:mcsween
ID: 16420238
You should check enforced on your OU level policy that prevents the lockout.  If you enforce the DDP which is set to lock people out then conflicting settings from other GPOs will not take effect.  Note that if you enforce both of these policies the DDP GPO will win.
0
 
LVL 23

Expert Comment

by:TheCleaner
ID: 16420271
You set the "structure" right, but the Password policy ONLY takes effect at the domain level.  You cannot specify it differently for other OUs, etc.
0
 
LVL 51

Expert Comment

by:Netman66
ID: 16421410
TheCleaner is correct here, just a little vague.

Account Policies are controlled exclusively from the Default Domain Policy and cannot be blocked or overridden.  Keep in mind that this policy controls Domain accounts only.  Any local account can be controlled independently of the domain policy since you are using the local SAM for authentication.



0
 
LVL 51

Expert Comment

by:Netman66
ID: 16421420
I should add this :  you can only have one (1) Account policy in the domain.  If your Forest has multiple domains then each domain can have a different policy.


0
 
LVL 23

Expert Comment

by:TheCleaner
ID: 16421511
Yep...like Netman66 says, I should be more concise on my answers.

Basically the password/account policies the author has set on the default domain policy will be used throughout the domain, you won't be able to change this for other computers/users in that domain.


As far as the actual structure that you are using, it looks good to me.

I usually set up GPOs so that common tasks/settings are associated to a single GPO, and that GPO is applied as needed.

I tend to create GPOs like this so that I can change just that GPO if something changes.  I don't like the idea of a default domain policy doing much of anything, and the only things I set in there are things I know will never change (or take an act of congress practically to get changed).
0
 
LVL 51

Expert Comment

by:Netman66
ID: 16421522
Agreed.
0
 

Author Comment

by:fessiambre
ID: 16422309
I appreciate the prompt responses. I thank you for the clarity on the password problem. I still, however, have the script problem. It is a basic batch command script; it just runs a net use for the printer and a net use for a shared file. The command runs on the client but it gives an error that says

'\\DomainSchool.local\SysVol\AspengroveSchool.local\Policies\{4E784B66-74BC-4DDC-8403-55C25FFB16A3}\User\Scripts\Logon'
CMD.EXE was started with the above path as the current directory.
UNC paths are not supported.  Defaulting to Windows directory.

C:\WINDOWS>net use t: \\server.domainschool.local\student share
Please help
0
 
LVL 51

Expert Comment

by:Netman66
ID: 16422342
That's a normal error.

Where are you calling the script from?



0
 
LVL 51

Expert Comment

by:Netman66
ID: 16422374
You can fix it here, but you shouldn't see it.

http://support.microsoft.com/default.aspx?scid=kb;EN-US;156276

0
 
LVL 51

Expert Comment

by:Netman66
ID: 16422387
Are you calling it here?

User Configuration\Windows Settings\Scripts(Logon/Logoff)

0
 

Author Comment

by:fessiambre
ID: 16422422
I am assigning it from the logon in the student OU.
It is assigned from the group policy:
user config-
                scripts
                          logon
I then browsed for the script and clicked on it: printer.bat.
It is a two-line net use command:
net use g: \\server\share
net use lpt1: \\server\printer
0
 

Author Comment

by:fessiambre
ID: 16422475
Should I use the GPO or the standard script locals?
0
 
LVL 51

Accepted Solution

by:
Netman66 earned 800 total points
ID: 16422909
You should be placing the script in this location:

C:\WINDOWS\System32\GroupPolicy\User\Scripts\Logon

This should be called from Group Policy and I think you have the correct element:

User Configuration>Windows Settings>Scripts(Logon/Logoff)>Logon

...and this GPO should be linked only to the OU where the Users are located that will require this script.



0
 
LVL 23

Expert Comment

by:TheCleaner
ID: 16426625
Can you show us what the entire batch file you are trying to run is?
0
 

Author Comment

by:fessiambre
ID: 16429954
Cleaner, this is what I have.
It says access denied. All users have full control; is it the legacy issues?
net use g: \\server\shared folder
net use LPT : \\server\printer
0
 

Author Comment

by:fessiambre
ID: 16430037
The policy is working, but the script for the student is only partially working: the printer will not map, or 1 of the shares.
0
 
LVL 23

Assisted Solution

by:TheCleaner
TheCleaner earned 1200 total points
ID: 16430341
1.  Do all users you are trying to run this against have rights to the share in question?
2.  Are they possibly already mapping G to something?

You may do something like:

net use g: /del
net use LPT1: /del


in the first part of your batch file to clear out any existing mappings to them.

Otherwise you can use VBScript instead:

' Map drive G: to the share (placeholder server and share names)
Set objNetwork = CreateObject("WScript.Network")
objNetwork.MapNetworkDrive "G:", "\\SERVER\share"

' Connect the shared printer (placeholder UNC path)
Set objPrinter = CreateObject("WScript.Network")
objPrinter.AddWindowsPrinterConnection "\\server\printer"


0
 
LVL 51

Expert Comment

by:Netman66
ID: 16431829

net use LPT : \\server\printer

Is this exactly right?  You are missing "1" from LPT
0
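
A batch logon script that pulls together the fixes suggested in this thread (clearing existing mappings, LPT1 with its digit, quoted UNC paths) and logs each result so a partial failure can be traced. This is an added example, not code posted by any participant; the log file location and the `:map` helper are assumptions, and the `\\server\...` paths are the thread's placeholder names.

```bat
@echo off
rem Added example: logon script combining the fixes discussed in this thread.
rem Server, share and printer names are the thread's placeholders.
rem When launched from SYSVOL, CMD prints "UNC paths are not supported";
rem that is harmless here because the script uses no relative paths.
setlocal

rem Assumed log location: per-user temp directory, overwritten each logon.
set "LOG=%TEMP%\logon-map.log"
echo [%DATE% %TIME%] logon script start for %USERNAME% > "%LOG%"

rem Remove existing mappings first. Errors are expected when nothing is
rem mapped yet, so their output is discarded.
net use G: /delete /y >nul 2>&1
net use LPT1: /delete /y >nul 2>&1

rem Quote the UNC path. Without quotes, text after a space in a share
rem name is parsed as a separate argument (the password position).
call :map G: "\\server\shared folder"
call :map LPT1: "\\server\printer"

endlocal
exit /b 0

:map
rem %1 = device name (G: or LPT1:), %2 = quoted UNC path
net use %1 %2 /persistent:no >>"%LOG%" 2>&1
if errorlevel 1 (
    echo FAILED %1 %2 errorlevel=%errorlevel% >>"%LOG%"
) else (
    echo OK %1 %2 >>"%LOG%"
)
exit /b 0
```

The log then shows which of the two mappings failed and the `net use` error text (for example an access denied message) for that user.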
