• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 293
  • Last Modified:

Applying Group Policy Correctly

This is planned information just want to check if it will work before I do it.
Directory information:

CompanyWeb.Local (Domain) W2k3ent

 -->Workstations (OU)
       -->Mobile (OU)
       -->Remote (OU)
       -->Special (OU)

Ok, My Question, I have several WinXP(SP2) Clients that are placed between these 4 OU's. Now each of these OU's have different Group Policies applied to them. I have the policy to regulate similar settings applied to (excuse the NDS terminiology just stopped working for a company that used that and now with one that uses 2k3 and AD) Workstations.Companyweb.local. Now where I am not sure how this will work comes with the OU .Special.Workstations.CompanyWeb.local where as the policy in the Workstations has require CTRL-ALT-DEL to logon as enabled Clients in the Special (OU) need to have that as disabled. Now what I need to make sure is that All settings from the first Policy will be passed into Workstations in .special. but that the few settings in .special. Policy will override the settings of the first.

 My solution on how to do this is to just check the No Override in the Policy options but I wanted to make sure that it is only going to block ones that are explicity different and not block all settings from the Parent.
2 Solutions
if you block inheritance you will block the entire policy.

i think your best bet would be to have an additional policy with your special settings

if you use security filtering, you can block users in any OU applying the group policy, and then with your smaller policy containing the special settings, let them apply it, and disable the other users from applying it


so basicall you would have two policies on an OU, one gets denied apply for certain users and then your other policy kicks in, of which the other users are denied on

make sense?
So far, so good.

You can simply reverse the CTRL+ALT+DEL requirement on the GPO attached to the Special OU.  The GPO closest to the object applies last and as long as the policy that sets this requirement further up the tree is not being enforced then it will simply use the last setting applied.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

Free Tool: IP Lookup

Get more info about an IP address or domain name, such as organization, abuse contacts and geolocation.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Tackle projects and never again get stuck behind a technical roadblock.
Join Now