Group Policy Question

In my domain i have a few OU containers where certain departments reside.  I have the users in those OU's and i only want to run the group policy assigned to that OU and not the DEFAULT DOMAIN POLICY.  However, i do want to run the default Domain Policy for the users that are in main OU.  Am i able to run the policy in the OU without having those same users run the default domain policy??  The issue i have is that there are 4 departments/companies that need different drive mappings and the container OU's appear to be running the scripts from both the Default Dom Policy and the OU Policy.  I am not very good with creating scripts either.  I limit my scripting to BAT files.  I hope i explained that clearly enough.  Any help is appreciated.  Thanks
Who is Participating?
David-SGCConnect With a Mentor Commented:
If your Domain Default is overwritting the settings in your OU policy, you can also set the no override attribute on the OU policy.  That will keep the settings that are applied in the OU specific policy intact when the default domain policy is applied.
This article might help you get going in the right direction with that.
tigermattConnect With a Mentor Commented:
Don't try moving the link on the Default Domain Policy. That policy is required and should always be linked to the root of the domain no matter what.

You CAN link different GPOs to different OUs so they will only apply to the user/computer objects which those OUs contain. If you want to restrict who the Default Domain Policy applies to, then move out the settings which need restricting to a new GPO and then use that GPO linked just to the necessary OUs.

virtuatechConnect With a Mentor Commented:
Use gpmc.msi ( and navigate to the specific OU.  Right click on the OU and click "Block Inheritance".
Creating Active Directory Users from a Text File

If your organization has a need to mass-create AD user accounts, watch this video to see how its done without the need for scripting or other unnecessary complexities.

Brian PierceConnect With a Mentor PhotographerCommented:
NO - do not start blocking inhertiance willy-nilly like this. Blocking policy inhertiance should be a last resort and its not needed in this case

Just create a policy for each OU  that maps the drives and link it to the appropriate OU
prutterAuthor Commented:

That is what i did with the OU's.  Each OU has different drive mappings but the OU's that are under the main domain aren't getting the correct mappings.  example

Default Dom Policy might have drive G mapped to \\server\apps

OU ADMIN should get G mapped to \\server\Admin based on the drive mapping in that OU.  Instead, ADMIN is getting G mapped to \\server \apps.  

Will no override stop that from happening??  
The No Override Attribute should work.  This will keep upper level policies from overwriting conflicting settings.  The default domain policy settings will still be applied as long as they don't conflict with your OU policy setting.  Any settings left as NOT Configured in your OU policy will take on the setting of the higher level policy that has those setting configured.  

Pick one OU and test it out.
KTCS is definately correct that you do not want to start blocking inheritance unless you have an absolute need for it.  That can cause real problems.
Why not just create a separate GPO for the drive mapping?
Any Feedback Prutter?
prutterAuthor Commented:
I found that the GP management consle still had security filtering that was enabled for both policies.  the users had rights to both policies and tha's why they were getting both mappings.  Thanks for all the help guys i really appreicate it.
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.