We have a GPO that is located in one OU per the GPO editor yet it is still applying to other OUs. What could cause this to happen?

We have a GPO that is located in one OU per the GPO editor yet it is still applying to other OUs.  What could cause this to happen?
Who is Participating?
kamalgopiConnect With a Mentor Commented:
open group policy management and then expand the forest and then domain -> ur domain .com and then expand it and see if the policy is applied there or not.
if not go once you expand your domian there will be somethng called group policy objects expand it and select it and on the right hand side check if it applied to the domain level or OU level.

this can happen may be you can check if this is applied at the domain level.  or may be you can check if some one has changed some settings in the default domain policy.

Hope this helps
EMJTechAuthor Commented:
how do i check to see if it is applied at the domain level?
Is the OU that the GPO being applied above the OU's that are in question?  If so, that's how it works unless you block inheritance of the policy.  

Otherwise use the GPMC as kamalgopi states to see where the policy is linked.

You can run gpresult on workstations which will tell you what policies are being applied, then use the GPMC to view/edit those policies.
Ditto the above.
If you have installed the GPMC

Click on the OU in question on the left,
On the right you have a Group Policy Inheritance Tab,
Select this tab,
You will notice you have a Location field.
This is what your interested in,
This tells you where your polices are being applied from.
It will show you if the GPO'S are being applied to the OU in question or if they are being inherited.

As stated above if you dont want an inherited policy to be inherited from an OU above it, simply right click the OU that DOES NOT REQUIRE the GPO and select BLOCK INHERITANCE.

If your a little reluctant to this, which is understandable,
Simple create a brand new OU at the top level,
then create a couple of OUs inside this test OU.
Now apply a couple of existing GPOs or create some test ones and apply one to your top level ou and one to the lower level ou.

Now check the Group Policy inheritance tab I mentioned above and you will see where they are being applied from.
Now on your lower level test ou which is obviosly inside your upper level ou,
right click the lower level ou and select block inheritance,
now check the Group Policy Inheritance Tab.

All OUs which have Block Inheritance selected on them can be identified by a Blue circle icon on them.

Hope this helps and hasnt totally confused you.
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.