Solved

Group Policy Question

Posted on 2008-06-09
Last Modified: 2010-05-18
In my domain I have a few OU containers where certain departments reside.  I have the users in those OUs and I only want to run the group policy assigned to that OU and not the DEFAULT DOMAIN POLICY.  However, I do want to run the Default Domain Policy for the users that are in the main OU.  Am I able to run the policy in the OU without having those same users run the Default Domain Policy?  The issue I have is that there are 4 departments/companies that need different drive mappings and the container OUs appear to be running the scripts from both the Default Dom Policy and the OU Policy.  I am not very good with creating scripts either.  I limit my scripting to BAT files.  I hope I explained that clearly enough.  Any help is appreciated.  Thanks
0
Question by:prutter
10 Comments
 
LVL 58

Assisted Solution

by:tigermatt
tigermatt earned 25 total points
ID: 21744472
Don't try moving the link on the Default Domain Policy. That policy is required and should always be linked to the root of the domain no matter what.

You CAN link different GPOs to different OUs so they will only apply to the user/computer objects which those OUs contain. If you want to restrict who the Default Domain Policy applies to, then move out the settings which need restricting to a new GPO and then use that GPO linked just to the necessary OUs.

-tigermatt
0
 
LVL 1

Accepted Solution

by:
David-SGC earned 50 total points
ID: 21744557
If your Domain Default is overwriting the settings in your OU policy, you can also set the no override attribute on the OU policy.  That will keep the settings that are applied in the OU specific policy intact when the default domain policy is applied.
This article might help you get going in the right direction with that.

http://www.setup32.com/resource-guides/windows-server-2003/group-policy-assignment-rsop.php
0
 
LVL 5

Assisted Solution

by:virtuatech
virtuatech earned 25 total points
ID: 21744655
Use gpmc.msi (http://www.microsoft.com/windowsserver2003/gpmc/default.mspx) and navigate to the specific OU.  Right click on the OU and click "Block Inheritance".
0
 
LVL 70

Assisted Solution

by:KCTS
KCTS earned 25 total points
ID: 21747233
NO - do not start blocking inheritance willy-nilly like this. Blocking policy inheritance should be a last resort and it's not needed in this case.

Just create a policy for each OU  that maps the drives and link it to the appropriate OU
0
 

Author Comment

by:prutter
ID: 21748178
KCTS,

That is what I did with the OUs.  Each OU has different drive mappings but the OUs that are under the main domain aren't getting the correct mappings.  Example:

Default Dom Policy might have drive G mapped to \\server\apps

OU ADMIN should get G mapped to \\server\Admin based on the drive mapping in that OU.  Instead, ADMIN is getting G mapped to \\server\apps.

Will no override stop that from happening?
0

 
LVL 1

Expert Comment

by:David-SGC
ID: 21750735
The No Override Attribute should work.  This will keep upper level policies from overwriting conflicting settings.  The default domain policy settings will still be applied as long as they don't conflict with your OU policy setting.  Any settings left as NOT Configured in your OU policy will take on the setting of the higher level policy that has those settings configured.

Pick one OU and test it out.
0
 
LVL 1

Expert Comment

by:David-SGC
ID: 21750751
KCTS is definitely correct that you do not want to start blocking inheritance unless you have an absolute need for it.  That can cause real problems.
0
 
LVL 5

Expert Comment

by:virtuatech
ID: 21755608
Why not just create a separate GPO for the drive mapping?
0
 
LVL 1

Expert Comment

by:David-SGC
ID: 21813640
Any Feedback Prutter?
0
 

Author Comment

by:prutter
ID: 21865376
I found that the GP management console still had security filtering that was enabled for both policies.  The users had rights to both policies and that's why they were getting both mappings.  Thanks for all the help guys, I really appreciate it.
0
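
The check that resolved this thread (which GPOs reach an OU, and whose security filtering lets them apply), as an added example that is not part of the original posts. It uses the GroupPolicy PowerShell module; the OU distinguished name and the function name `Get-GpoApplyAudit` are placeholders chosen for illustration.

```powershell
# Added example. Requires the GroupPolicy module (RSAT / Group Policy Management).
Import-Module GroupPolicy

# Assumption: placeholder DN for a department OU; replace with your own.
$TargetOU = 'OU=ADMIN,DC=example,DC=local'

function Get-GpoApplyAudit {
    param(
        [Parameter(Mandatory)]
        [string]$Target
    )

    # All GPO links that reach this OU, including those inherited from the domain root.
    $inheritance = Get-GPInheritance -Target $Target

    foreach ($link in $inheritance.InheritedGpoLinks) {
        # Trustees holding the "Apply group policy" right form the security filter.
        # A broad group such as Authenticated Users here means every user in the OU
        # receives this GPO, whatever other GPOs are linked lower down.
        $appliesTo = Get-GPPermission -Guid $link.GpoId -All |
            Where-Object { $_.Permission -eq 'GpoApply' } |
            ForEach-Object { $_.Trustee.Name }

        [pscustomobject]@{
            Order              = $link.Order      # 1 = highest precedence
            Gpo                = $link.DisplayName
            LinkedAt           = $link.Target
            LinkEnabled        = $link.Enabled
            Enforced           = $link.Enforced   # "No Override" in older consoles
            InheritanceBlocked = $inheritance.GpoInheritanceBlocked
            AppliesTo          = ($appliesTo -join ', ')
        }
    }
}

Get-GpoApplyAudit -Target $TargetOU |
    Sort-Object Order |
    Format-Table -AutoSize -Wrap
```

Running `gpresult /r /scope user` in an affected user's session then confirms which of those GPOs were actually applied and which were filtered out.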
