NJJimInHI

asked on

Server 2003 Active Directory How do I prevent the default domain policy from being applied to a new GPO I've created?

I've inherited a Win Server 2003 Active Directory network with 1 domain controller.  The company has added a new division and so I have had to create a new GPO that will apply most of the existing default domain policy, however, members of this GPO need to be assigned different network drive mappings.  I have tried everything I can think of but this new GPO - titled SCH - still is inheriting the existing default domain policy network drive mappings.  Your expert help will be greatly appreciated.
TG Tran

1.  Solution 1 - create another OU for existing division and take away the drive mapping from default domain policy and assign mapping according to OU
2.  Block inheritance of default domain policy.  You may want to check out this thread about blocking inheritance
https://www.experts-exchange.com/questions/20710120/Default-Domain-Policy-blocking-inheritance.html

Brian Pierce

You need to create a new OU for the new division and put the user accounts (and computers) for the new division into the new OU.

You can then link the new GPO directly to the new OU; it will then take precedence over the domain policy.
NJJimInHI

ASKER

tgtran:  I've tried what was advised in the link you provided in your Solution #2 and that did not work.  Perhaps I took the wrong steps, but I think not.  Could you please provide step-by-step instruction on applying the fix described in the link you provided?  (I tried that after viewing that exact EE solution, btw)

KCTS:  Pardon my ignorance, but I will try your suggestion, but will need step-by-step instructions for linking the OU I created to its parent GPO.

Thank you both very much.
OK - I assume you have created the GPO in the Group Policy Management Console ?
Right click on the OU and select 'Link Existing GPO' and assign GPO directly to the new OU
Another option is to use security filtering, and only apply the GPO to a security group. The security group to be able to run the GPO would need read and execute permissions.
KCTS:  Yes, I created the GPO and its child OU in the GPMC.  I already have the new OU linked to its parent GPO and the default domain policy still is inherited.

chgshaitan:  How do I set up security filtering?
Hi NJ, it works similarly to Windows permissions on files; have a look at the following link for a good explanation.

http://www.windowsnetworking.com/articles_tutorials/Group-Policy-Security-Filtering.html
chqshaitan:  Excellent article.  I'm halfway there now in that users in this group only have the H: drive to their personal folder on the server, which is part of what I want.  However, loginsch.bat is not running or being applied, and so these users are not getting another mapped network drive I want them to have.  And I have configured the SCH GPO OU to run this batch file.  Not sure why it's not running.  Any thoughts?
Additional information:  I ran gpresult /z on the workstation that I'm testing with and I see that this GPO policy is not being applied.  I'm searching high and low for the answer, but having no luck.  Can anyone tell me why this specific GPO policy is not being applied when a member of this group logs in?
Hi NJ,

I take it that the GPO is on a container that has users in? and that the login script is in the user configuration section of the GPO and not computer?

chqshaitan:  You are correct, at first I added only the group that the user belongs to Security Filtering, then later I added the specific users (3) to Security Filtering as well.  For some reason, this GPO policy is not being applied to the client at login.
Mm, weird. Are the users who are not running the script in a deny group, by any chance, that could be being applied at logon?
No...and I don't even see this Group Policy in denied in the gpresults data
I'm also trying to just run a batch file for logon - no accompanying VBS script.  Will that work?
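
For reading the `gpresult /z` text discussed in this thread, the following is an added example (not part of the original posts) that pulls the applied and filtered-out GPO lists from the report and shows the recorded filter reason for a named GPO. The sample report is constructed, and the hint strings are this example's own wording.

```python
# Constructed sample shaped like the user section of `gpresult /z` text output.
SAMPLE = """\
USER SETTINGS
--------------
    Applied Group Policy Objects
    -----------------------------
        Default Domain Policy

    The following GPOs were not applied because they were filtered out
    -------------------------------------------------------------------
        SCH
            Filtering:  Denied (Security)
    The user is a part of the following security groups
    ---------------------------------------------------
        Domain Users
"""
SECTIONS = {
    "Applied Group Policy Objects": "applied",
    "The following GPOs were not applied because they were filtered out": "filtered",
}
HINTS = {
    "Denied (Security)": "account lacks Read/Apply Group Policy on the GPO",
    "Not Applied (Empty)": "GPO has no settings in this (user/computer) half",
}

def parse_gpresult(text):
    """Return (applied GPO names, {filtered GPO name: reason})."""
    lines = [l.strip() for l in text.splitlines() if l.strip()]
    applied, filtered, section, last = [], {}, None, None
    for i, line in enumerate(lines):
        if set(line) == {"-"}:                      # underline below a heading
            continue
        if i + 1 < len(lines) and set(lines[i + 1]) == {"-"}:
            section = SECTIONS.get(line)            # None for other sections
        elif section == "applied":
            applied.append(line)
        elif section == "filtered" and line.startswith("Filtering:"):
            filtered[last] = line.split(":", 1)[1].strip()
        elif section == "filtered":
            last = line                             # GPO name; reason follows
    return applied, filtered

def diagnose(text, gpo):
    applied, filtered = parse_gpresult(text)
    if gpo in applied:
        return "applied"
    if gpo in filtered:
        return f"filtered: {filtered[gpo]} ({HINTS.get(filtered[gpo], 'see reason')})"
    return "not listed: no link to this GPO was evaluated for the account"
```

A GPO that appears in neither list was never in scope for the account, which points at linking or OU placement rather than security filtering.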