Server 2003 Active Directory: How do I prevent the default domain policy from being applied to a new GPO I've created?

I've inherited a Win Server 2003 Active Directory network with 1 domain controller. The company has added a new division and so I have had to create a new GPO that will apply most of the existing default domain policy; however, members of this GPO need to be assigned different network drive mappings. I have tried everything I can think of, but this new GPO - titled SCH - is still inheriting the existing default domain policy network drive mappings. Your expert help will be greatly appreciated.
NJJimInHI Asked:
 
NJJimInHI (Author) Commented:
Finally figured out why this Group Policy was not being applied - I had to specifically add the users to the OU from within Active Directory Users and Computers. To do this I opened USERS in ADUAC, then selected the users I wanted this Group Policy to apply to, right clicked on the users and selected Move.... From the list of objects I was presented with I chose the OU for this Group Policy and these users were moved into this object. The Group Policy is now applied to these users upon login. Thanks to all who offered their thoughts.
0
 
TG Tran (IT guy) Commented:
1.  Solution 1 - create another OU for existing division and take away the drive mapping from default domain policy and assign mapping according to OU
2.  Block inheritance of default domain policy.  You may want to check out this thread about blocking inheritance
http://www.experts-exchange.com/Security/Operating_Systems_Security/Windows/Q_20710120.html

0
 
Brian Pierce (Photographer) Commented:
You need to create a new OU for the new division and put the user accounts (and computers) for the new division into the new OU.

You can then link the new GPO directly to the new OU; it will then take precedence over the domain policy.
0
 
NJJimInHI (Author) Commented:
tgtran: I've tried what was advised in the link you provided in your Solution #2 and that did not work. Perhaps I took the wrong steps, but I think not. Could you please provide step-by-step instruction on applying the fix described in the link you provided? (I tried that after viewing that exact EE solution, btw)

KCTS: Pardon my ignorance, but I will try your suggestion, but will need step-by-step instructions for linking the OU I created to its parent GPO.

Thank you both very much.
0
 
Brian Pierce (Photographer) Commented:
OK - I assume you have created the GPO in the Group Policy Management Console?
Right click on the OU and select 'Link Existing GPO' and assign GPO directly to the new OU
0
 
chqshaitan Commented:
Another option is to use security filtering, and only apply the GPO to a security group. The security group to be able to run the GPO would need read and execute permissions.
0
 
NJJimInHI (Author) Commented:
KCTS: Yes, I created the GPO and its child OU in the GPMC. I already have the new OU linked to its parent GPO and the default domain policy still is inherited.

chqshaitan: How do I set up security filtering?
0
 
chqshaitan Commented:
Hi NJ, it works similar to Windows permissions on files, have a look at the following link for a good explanation.

http://www.windowsnetworking.com/articles_tutorials/Group-Policy-Security-Filtering.html
0
 
NJJimInHI (Author) Commented:
chqshaitan: Excellent article. I'm halfway there now in that users in this group only have the H: drive to their personal folder on the server, which is part of what I want. However, loginsch.bat is not running or being applied, and so these users are not getting another mapped network drive I want them to have. And I have configured the SCH GPO OU to run this batch file. Not sure why it's not running. Any thoughts?
0
 
NJJimInHI (Author) Commented:
Additional information:  I ran gpresult /z on the workstation that I'm testing with and I see that this GPO policy is not being applied.  I'm searching high and low for the answer, but having no luck.  Can anyone tell me why this specific GPO policy is not being applied when a member of this group logs in?
0
 
chqshaitan Commented:
Hi NJ,

I take it that the GPO is on a container that has users in? and that the login script is in the user configuration section of the GPO and not computer?

0
 
NJJimInHI (Author) Commented:
chqshaitan:  You are correct, at first I added only the group that the user belongs to Security Filtering, then later I added the specific users (3) to Security Filtering as well.  For some reason, this GPO policy is not being applied to the client at login.
0
 
chqshaitan Commented:
mm weird, are the users who are not running the script in a deny group by any chance that could be being applied at logon?
0
 
NJJimInHI (Author) Commented:
No...and I don't even see this Group Policy in denied in the gpresults data
0
 
NJJimInHI (Author) Commented:
I'm also trying to just run a batch file for logon - no accompanying VBS script.  Will that work?
0
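
The scoping rules this thread works through (where the GPO is linked, Block Inheritance, security filtering, and where the user object actually lives), modeled as an added example that is not part of any post above. The domain, OU, user and group names are constructed, and site and local policy are left out.

```python
# Added example: simplified model of GPO scoping; every name is constructed.
DOMAIN = "DC=example,DC=local"
SCH_OU = "OU=SCH," + DOMAIN

def containers(user_dn):
    """Containers above the user, domain root first (naive DN split)."""
    parts = user_dn.split(",")[1:]                 # drop the user's own RDN
    n_dc = sum(p.upper().startswith("DC=") for p in parts)
    chain = [",".join(parts[-n_dc:])]              # the domain itself
    for i in range(len(parts) - n_dc - 1, -1, -1):
        chain.append(",".join(parts[i:]))
    return chain

def applied_gpos(user_dn, principals, links, blocked, filters):
    """GPO names in processing order; the last one wins on conflicts."""
    who = set(principals) | {"Authenticated Users"}
    hits = []
    for dn in containers(user_dn):
        if dn in blocked:                          # Block Inheritance set here
            hits = [(g, enf) for g, enf in hits if enf]
        # Links exist only on the domain and on OUs; CN=Users has none.
        for gpo, enforced in links.get(dn, []):
            # filters: principals holding Read + Apply Group Policy
            if who & filters.get(gpo, {"Authenticated Users"}):
                hits.append((gpo, enforced))
    normal = [g for g, enf in hits if not enf]
    forced = [g for g, enf in hits if enf]
    return normal + forced[::-1]                   # enforced links win

LINKS = {DOMAIN: [("Default Domain Policy", False)], SCH_OU: [("SCH", False)]}
FILTERS = {"SCH": {"SCH Users"}}

def demo():
    in_users = "CN=Jane Doe,CN=Users," + DOMAIN
    in_ou = "CN=Jane Doe," + SCH_OU
    grp = ["SCH Users"]
    return {
        "default container": applied_gpos(in_users, grp, LINKS, set(), FILTERS),
        "moved to OU": applied_gpos(in_ou, grp, LINKS, set(), FILTERS),
        "OU blocks inheritance": applied_gpos(in_ou, grp, LINKS, {SCH_OU}, FILTERS),
        "not in filter group": applied_gpos(in_ou, [], LINKS, {SCH_OU}, FILTERS),
    }

if __name__ == "__main__":
    for case, gpos in demo().items():
        print(f"{case}: {gpos}")
```

The first case is the situation in this thread: group membership in the security filter is not enough while the account still sits in the default Users container, because the SCH link is never on its path.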
Question has a verified solution.
