Solved

Group Policy Question

Posted on 2008-06-09
Last Modified: 2010-05-18
In my domain I have a few OU containers where certain departments reside.  I have the users in those OUs and I only want to run the group policy assigned to that OU and not the DEFAULT DOMAIN POLICY.  However, I do want to run the default Domain Policy for the users that are in the main OU.  Am I able to run the policy in the OU without having those same users run the default domain policy?  The issue I have is that there are 4 departments/companies that need different drive mappings and the container OUs appear to be running the scripts from both the Default Dom Policy and the OU Policy.  I am not very good with creating scripts either.  I limit my scripting to BAT files.  I hope I explained that clearly enough.  Any help is appreciated.  Thanks
Question by:prutter
10 Comments
 
LVL 58

Assisted Solution

by:tigermatt
tigermatt earned 25 total points
ID: 21744472
Don't try moving the link on the Default Domain Policy. That policy is required and should always be linked to the root of the domain no matter what.

You CAN link different GPOs to different OUs so they will only apply to the user/computer objects which those OUs contain. If you want to restrict who the Default Domain Policy applies to, then move out the settings which need restricting to a new GPO and then use that GPO linked just to the necessary OUs.

-tigermatt
0
 
LVL 1

Accepted Solution

by:
David-SGC earned 50 total points
ID: 21744557
If your Domain Default is overwriting the settings in your OU policy, you can also set the no override attribute on the OU policy.  That will keep the settings that are applied in the OU specific policy intact when the default domain policy is applied.
This article might help you get going in the right direction with that.

http://www.setup32.com/resource-guides/windows-server-2003/group-policy-assignment-rsop.php
0
 
LVL 5

Assisted Solution

by:virtuatech
virtuatech earned 25 total points
ID: 21744655
Use gpmc.msi (http://www.microsoft.com/windowsserver2003/gpmc/default.mspx) and navigate to the specific OU.  Right click on the OU and click "Block Inheritance".
0
 
LVL 70

Assisted Solution

by:KCTS
KCTS earned 25 total points
ID: 21747233
NO - do not start blocking inheritance willy-nilly like this. Blocking policy inheritance should be a last resort and it's not needed in this case.

Just create a policy for each OU  that maps the drives and link it to the appropriate OU
0
 

Author Comment

by:prutter
ID: 21748178
KCTS,

That is what I did with the OUs.  Each OU has different drive mappings but the OUs that are under the main domain aren't getting the correct mappings.  Example:

Default Dom Policy might have drive G mapped to \\server\apps

OU ADMIN should get G mapped to \\server\Admin based on the drive mapping in that OU.  Instead, ADMIN is getting G mapped to \\server\apps.

Will no override stop that from happening??  
0
 
LVL 1

Expert Comment

by:David-SGC
ID: 21750735
The No Override Attribute should work.  This will keep upper level policies from overwriting conflicting settings.  The default domain policy settings will still be applied as long as they don't conflict with your OU policy setting.  Any settings left as NOT Configured in your OU policy will take on the setting of the higher level policy that has those settings configured.

Pick one OU and test it out.
0
 
LVL 1

Expert Comment

by:David-SGC
ID: 21750751
KCTS is definitely correct that you do not want to start blocking inheritance unless you have an absolute need for it.  That can cause real problems.
0
 
LVL 5

Expert Comment

by:virtuatech
ID: 21755608
Why not just create a separate GPO for the drive mapping?
0
 
LVL 1

Expert Comment

by:David-SGC
ID: 21813640
Any Feedback Prutter?
0
 

Author Comment

by:prutter
ID: 21865376
I found that the GP management console still had security filtering that was enabled for both policies.  The users had rights to both policies and that's why they were getting both mappings.  Thanks for all the help guys, I really appreciate it.
0
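The root cause in this thread was security filtering that let the same users apply two GPOs. As an added example (not part of the original thread), the read-only PowerShell below lists every GPO that reaches an OU, in precedence order, together with the trustees that hold the Apply permission and the Enforced ("No Override") and Block Inheritance state the answers discuss. It assumes the GroupPolicy module that ships with GPMC/RSAT is installed; the OU distinguished name is a placeholder, and the function name is hypothetical.

```powershell
# Added example: audit GPO links and security filtering for one OU.
# Read-only; requires the GroupPolicy module (GPMC / RSAT).
# On Server 2008 R2 the permission cmdlet is named Get-GPPermissions.
Import-Module GroupPolicy

# Assumption: placeholder DN, replace with the OU under test.
$TargetOu = 'OU=ADMIN,DC=example,DC=com'

function Get-OuGpoFilterReport {
    param(
        [Parameter(Mandatory)]
        [string]$Target
    )

    # InheritedGpoLinks holds every GPO that reaches this container,
    # linked directly or inherited; Order 1 has the highest precedence.
    $inheritance = Get-GPInheritance -Target $Target

    foreach ($link in $inheritance.InheritedGpoLinks) {
        # Security filtering = trustees granted "Apply group policy".
        $applyTrustees = Get-GPPermission -Guid $link.GpoId -All |
            Where-Object { $_.Permission -eq 'GpoApply' } |
            ForEach-Object { $_.Trustee.Name }

        [pscustomobject]@{
            Order              = $link.Order
            Gpo                = $link.DisplayName
            LinkedAt           = $link.Target
            LinkEnabled        = $link.Enabled
            Enforced           = $link.Enforced   # "No Override" in older consoles
            InheritanceBlocked = $inheritance.GpoInheritanceBlocked
            AppliesTo          = ($applyTrustees -join '; ')
        }
    }
}

Get-OuGpoFilterReport -Target $TargetOu |
    Sort-Object Order |
    Format-Table -AutoSize -Wrap
```

A GPO whose AppliesTo column shows a broad group such as Authenticated Users will be applied by every user in scope of its link, which is how users in a department OU end up with both sets of drive mappings. Running `gpresult /r` as an affected user shows which GPOs were actually applied or filtered out at logon.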
