Group Policy Inheritance Windows 2000 AD

Posted on 2006-05-01
Last Modified: 2010-04-13
Here is what I am trying to do...

I have 2 OU's one called test and a child OU called test2.

I want to be able to set a global standard of users who can login to all machines located in and below test, but I also want to also add specific users who can login to all machines located in test 2. So

Is this possible?:

    -> Windows Settings
         -> Security Settings
             -> Local Policies
                 -> User Rights Assignments
                      -> Logon Locally
                          -> Domain Admins, Group A
       TEST 2
           -> Windows Settings
              -> Security Settings
                 -> Local Policies
                    -> User Rights Assignments
                        -> Logon Locally
                            -> Johnny B

So what I am wanting is a way to have it with the setup above and Domain Admins, Group A, and Johnny B can all login to systems located in Test 2. Basically we have 10 Sites that are setup as OU's and we want to be able to add users that can login to all sites without having to go into each sites specific GP and edit each policy.

May sense?

Question by:jeremywatco
    LVL 48

    Accepted Solution

    Hi jeremywatco,

    as long as test2 is a SUB OU of test, then policies set on TEST2 will hold, but you are overwriting TEST settings

    remember LSDOU
    Local - Site - Domain - OU   that is the order of which policies apply    last applied wins

    i would create an additional group and add johny to it, then add him on test policy


    Author Comment

    Thanks for the fast response... I figured as much, that it would be overwritten.. is there any way around this. Here is my situation.. I have 20 remote offices and at each office there is are certain users that have the right to login, but also we have area managers that need the right to login to any of the machines at any office, so i was hoping for an easy solution as opposed to going through all 20 GP's and adding the new group.
    LVL 48

    Expert Comment

    there is a no override policy setting available but i am pretty sure it does exactly that, prevents overriding it......

    you know, if you have an xp client you can use the Group Policy Management Console for heaps more power over Group Policy... you can link and copy etc....

    Featured Post

    Why You Should Analyze Threat Actor TTPs

    After years of analyzing threat actor behavior, it’s become clear that at any given time there are specific tactics, techniques, and procedures (TTPs) that are particularly prevalent. By analyzing and understanding these TTPs, you can dramatically enhance your security program.

    Join & Write a Comment

    NTFS file system has been developed by Microsoft that is widely used by Windows NT operating system and its advanced versions. It is the mostly used over FAT file system as it provides superior features like reliability, security, storage, efficienc…
    This is an issue that we can get adding / removing permissions in the vCSA 6.0. We can also have issues searching for users / groups in the AD (using your identify sources). This is how one of the ways to handle this issues and fix it.
    In this sixth video of the Xpdf series, we discuss and demonstrate the PDFtoPNG utility, which converts a multi-page PDF file to separate color, grayscale, or monochrome PNG files, creating one PNG file for each page in the PDF. It does this via a c…
    Here's a very brief overview of the methods PRTG Network Monitor ( offers for monitoring bandwidth, to help you decide which methods you´d like to investigate in more detail.  The methods are covered in more detail in o…

    746 members asked questions and received personalized solutions in the past 7 days.

    Join the community of 500,000 technology professionals and ask your questions.

    Join & Ask a Question

    Need Help in Real-Time?

    Connect with top rated Experts

    14 Experts available now in Live!

    Get 1:1 Help Now