Want to win a PS4? Go Premium and enter to win our High-Tech Treats giveaway. Enter to Win

x
?
Solved

Group Policy Question

Posted on 2008-06-09
10
Medium Priority
?
253 Views
Last Modified: 2010-05-18
In my domain i have a few OU containers where certain departments reside.  I have the users in those OU's and i only want to run the group policy assigned to that OU and not the DEFAULT DOMAIN POLICY.  However, i do want to run the default Domain Policy for the users that are in main OU.  Am i able to run the policy in the OU without having those same users run the default domain policy??  The issue i have is that there are 4 departments/companies that need different drive mappings and the container OU's appear to be running the scripts from both the Default Dom Policy and the OU Policy.  I am not very good with creating scripts either.  I limit my scripting to BAT files.  I hope i explained that clearly enough.  Any help is appreciated.  Thanks
0
Comment
Question by:prutter
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 2
  • 2
  • +2
10 Comments
 
LVL 58

Assisted Solution

by:tigermatt
tigermatt earned 75 total points
ID: 21744472
Don't try moving the link on the Default Domain Policy. That policy is required and should always be linked to the root of the domain no matter what.

You CAN link different GPOs to different OUs so they will only apply to the user/computer objects which those OUs contain. If you want to restrict who the Default Domain Policy applies to, then move out the settings which need restricting to a new GPO and then use that GPO linked just to the necessary OUs.

-tigermatt
0
 
LVL 1

Accepted Solution

by:
David-SGC earned 150 total points
ID: 21744557
If your Domain Default is overwritting the settings in your OU policy, you can also set the no override attribute on the OU policy.  That will keep the settings that are applied in the OU specific policy intact when the default domain policy is applied.
This article might help you get going in the right direction with that.

http://www.setup32.com/resource-guides/windows-server-2003/group-policy-assignment-rsop.php
0
 
LVL 5

Assisted Solution

by:virtuatech
virtuatech earned 75 total points
ID: 21744655
Use gpmc.msi (http://www.microsoft.com/windowsserver2003/gpmc/default.mspx) and navigate to the specific OU.  Right click on the OU and click "Block Inheritance".
0
Does Powershell have you tied up in knots?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why

 
LVL 70

Assisted Solution

by:KCTS
KCTS earned 75 total points
ID: 21747233
NO - do not start blocking inhertiance willy-nilly like this. Blocking policy inhertiance should be a last resort and its not needed in this case

Just create a policy for each OU  that maps the drives and link it to the appropriate OU
0
 

Author Comment

by:prutter
ID: 21748178
KCTS,

That is what i did with the OU's.  Each OU has different drive mappings but the OU's that are under the main domain aren't getting the correct mappings.  example

Default Dom Policy might have drive G mapped to \\server\apps

OU ADMIN should get G mapped to \\server\Admin based on the drive mapping in that OU.  Instead, ADMIN is getting G mapped to \\server \apps.  

Will no override stop that from happening??  
0
 
LVL 1

Expert Comment

by:David-SGC
ID: 21750735
The No Override Attribute should work.  This will keep upper level policies from overwriting conflicting settings.  The default domain policy settings will still be applied as long as they don't conflict with your OU policy setting.  Any settings left as NOT Configured in your OU policy will take on the setting of the higher level policy that has those setting configured.  

Pick one OU and test it out.
0
 
LVL 1

Expert Comment

by:David-SGC
ID: 21750751
KTCS is definately correct that you do not want to start blocking inheritance unless you have an absolute need for it.  That can cause real problems.
0
 
LVL 5

Expert Comment

by:virtuatech
ID: 21755608
Why not just create a separate GPO for the drive mapping?
0
 
LVL 1

Expert Comment

by:David-SGC
ID: 21813640
Any Feedback Prutter?
0
 

Author Comment

by:prutter
ID: 21865376
I found that the GP management consle still had security filtering that was enabled for both policies.  the users had rights to both policies and tha's why they were getting both mappings.  Thanks for all the help guys i really appreicate it.
0

Featured Post

Problems using Powershell and Active Directory?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Here's a look at newsworthy articles and community happenings during the last month.
It’s time for spooky stories and consuming way too much sugar, including the many treats we’ve whipped for you in the world of tech. Check it out!
This video shows how to use Hyena, from SystemTools Software, to bulk import 100 user accounts from an external text file. View in 1080p for best video quality.
This video shows how to use Hyena, from SystemTools Software, to update 100 user accounts from an external text file. View in 1080p for best video quality.

604 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question