We have a GPO that is located in one OU per the GPO editor yet it is still applying to other OUs.  What could cause this to happen?

Posted on 2007-07-26
Last Modified: 2010-03-17
We have a GPO that is located in one OU per the GPO editor yet it is still applying to other OUs.  What could cause this to happen?
Question by:EMJTech
    LVL 11

    Expert Comment

    this can happen may be you can check if this is applied at the domain level.  or may be you can check if some one has changed some settings in the default domain policy.

    Hope this helps

    Author Comment

    how do i check to see if it is applied at the domain level?
    LVL 11

    Accepted Solution

    open group policy management and then expand the forest and then domain -> ur domain .com and then expand it and see if the policy is applied there or not.
    if not go once you expand your domian there will be somethng called group policy objects expand it and select it and on the right hand side check if it applied to the domain level or OU level.

    LVL 13

    Expert Comment

    Is the OU that the GPO being applied above the OU's that are in question?  If so, that's how it works unless you block inheritance of the policy.  

    Otherwise use the GPMC as kamalgopi states to see where the policy is linked.

    You can run gpresult on workstations which will tell you what policies are being applied, then use the GPMC to view/edit those policies.
    LVL 9

    Expert Comment

    Ditto the above.
    If you have installed the GPMC

    Click on the OU in question on the left,
    On the right you have a Group Policy Inheritance Tab,
    Select this tab,
    You will notice you have a Location field.
    This is what your interested in,
    This tells you where your polices are being applied from.
    It will show you if the GPO'S are being applied to the OU in question or if they are being inherited.

    As stated above if you dont want an inherited policy to be inherited from an OU above it, simply right click the OU that DOES NOT REQUIRE the GPO and select BLOCK INHERITANCE.

    If your a little reluctant to this, which is understandable,
    Simple create a brand new OU at the top level,
    then create a couple of OUs inside this test OU.
    Now apply a couple of existing GPOs or create some test ones and apply one to your top level ou and one to the lower level ou.

    Now check the Group Policy inheritance tab I mentioned above and you will see where they are being applied from.
    Now on your lower level test ou which is obviosly inside your upper level ou,
    right click the lower level ou and select block inheritance,
    now check the Group Policy Inheritance Tab.

    All OUs which have Block Inheritance selected on them can be identified by a Blue circle icon on them.

    Hope this helps and hasnt totally confused you.

    Featured Post

    Enabling OSINT in Activity Based Intelligence

    Activity based intelligence (ABI) requires access to all available sources of data. Recorded Future allows analysts to observe structured data on the open, deep, and dark web.

    Join & Write a Comment

    Starting in Windows Server 2008, Microsoft introduced the Group Policy Central Store. This automatically replicating location allows IT administrators to have the latest and greatest Group Policy (GP) configuration settings available. Let’s expl…
    Mapping Drives using Group policy preferences Are you still using old scripts to map your network drives if so this article will show you how to get away for old scripts and move toward Group Policy Preference for mapping them. First things f…
    This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…
    This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…

    733 members asked questions and received personalized solutions in the past 7 days.

    Join the community of 500,000 technology professionals and ask your questions.

    Join & Ask a Question

    Need Help in Real-Time?

    Connect with top rated Experts

    23 Experts available now in Live!

    Get 1:1 Help Now