Solved

Server 2003 Active Directory How do I prevent the default domain policy from being applied to a new GPO I've created?

Posted on 2010-09-13
Last Modified: 2012-05-10
I've inherited a Win Server 2003 Active Directory network with 1 domain controller.  The company has added a new division and so I have had to create a new GPO that will apply most of the existing default domain policy, however, members of this GPO need to be assigned different network drive mappings.  I have tried everything I can think of but this new GPO - titled SCH - still is inheriting the existing default domain policy network drive mappings.  Your expert help will be greatly appreciated.
0
Question by:NJJimInHI
15 Comments
 
LVL 12

Expert Comment

by:tgtran
ID: 33666991
1.  Solution 1 - create another OU for existing division and take away the drive mapping from default domain policy and assign mapping according to OU
2.  Block inheritance of default domain policy.  You may want to check out this thread about blocking inheritance
http://www.experts-exchange.com/Security/Operating_Systems_Security/Windows/Q_20710120.html

0
 
LVL 70

Expert Comment

by:KCTS
ID: 33667067
You need to create a new OU for the new division and put the user accounts (and computers) for the new division into the new OU.

You can then link the new GPO directly to the new OU; it will then take precedence over the domain policy.
0
 

Author Comment

by:NJJimInHI
ID: 33667111
tgtran:  I've tried what was advised in the link you provided in your Solution #2 and that did not work.  Perhaps I took the wrong steps, but I think not.  Could you please provide step-by-step instruction on applying the fix described in the link you provided?  (I tried that after viewing that exact EE solution, btw)

KCTS:  Pardon my ignorance, but I will try your suggestion, but will need step-by-step instructions for linking the OU I created to its parent GPO.

Thank you both very much.
0
 
LVL 70

Expert Comment

by:KCTS
ID: 33667174
OK - I assume you have created the GPO in the Group Policy Management Console?
Right click on the OU and select 'Link Existing GPO' and assign GPO directly to the new OU
0
 
LVL 5

Expert Comment

by:chqshaitan
ID: 33667642
Another option is to use security filtering, and only apply the GPO to a security group. The security group to be able to run the GPO would need read and execute permissions.
0
 

Author Comment

by:NJJimInHI
ID: 33667700
KCTS:  Yes, I created the GPO and its child OU in the GPMC.  I already have the new OU linked to its parent GPO and the default domain policy still is inherited.

chqshaitan:  How do I set up security filtering?
0
 
LVL 5

Expert Comment

by:chqshaitan
ID: 33667718
Hi NJ, it works similar to Windows permissions on files; have a look at the following link for a good explanation.

http://www.windowsnetworking.com/articles_tutorials/Group-Policy-Security-Filtering.html
0
 

Author Comment

by:NJJimInHI
ID: 33667945
chqshaitan:  Excellent article.  I'm halfway there now in that users in this group only have the H: drive to their personal folder on the server, which is part of what I want.  However, loginsch.bat is not running or being applied, and so these users are not getting another mapped network drive I want them to have.  And I have configured the SCH GPO OU to run this batch file.  Not sure why it's not running.  Any thoughts?
0
 

Author Comment

by:NJJimInHI
ID: 33668304
Additional information:  I ran gpresult /z on the workstation that I'm testing with and I see that this GPO policy is not being applied.  I'm searching high and low for the answer, but having no luck.  Can anyone tell me why this specific GPO policy is not being applied when a member of this group logs in?
0
 
LVL 5

Expert Comment

by:chqshaitan
ID: 33670507
Hi NJ,

I take it that the GPO is on a container that has users in? and that the login script is in the user configuration section of the GPO and not computer?

0
 

Author Comment

by:NJJimInHI
ID: 33676552
chqshaitan:  You are correct, at first I added only the group that the user belongs to Security Filtering, then later I added the specific users (3) to Security Filtering as well.  For some reason, this GPO policy is not being applied to the client at login.
0
 
LVL 5

Expert Comment

by:chqshaitan
ID: 33676815
mm weird, are the users who are not running the script in a deny group by any chance that could be being applied at logon?
0
 

Author Comment

by:NJJimInHI
ID: 33677223
No...and I don't even see this Group Policy in denied in the gpresults data
0
 

Author Comment

by:NJJimInHI
ID: 33677249
I'm also trying to just run a batch file for logon - no accompanying VBS script.  Will that work?
0
 

Accepted Solution

by:
NJJimInHI earned 0 total points
ID: 33678613
Finally figured out why this Group Policy was not being applied - I had to specifically add the users to the OU from within Active Directory Users and Computers.  To do this I opened USERS in ADUAC, then selected the users I wanted this Group Policy to apply to, right clicked on the users and selected Move... From the list of objects I was presented with I chose the OU for this Group Policy and these users were moved into this object.  The Group Policy is now applied to these users upon login.  Thanks to all who offered their thoughts.
0
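A command-line check for the condition the accepted solution describes, added here as an example and not taken from any post in the thread: a GPO linked to an OU only reaches user objects located in that OU, and security filtering narrows that set but cannot extend it. The script name, the account name and the OU distinguished name passed as arguments are assumptions; `dsquery` and `dsmove` are the directory tools that ship with Windows Server 2003.

```batch
@echo off
rem Added example: confirm a user object sits under the OU a GPO is linked to.
rem Usage (hypothetical script name): check-ou.cmd jdoe "OU=SCH,DC=example,DC=local"
rem The account name and OU DN above are placeholders supplied by the caller.
setlocal
if "%~2"=="" (
  echo Usage: %~nx0 sAMAccountName "OU distinguished name"
  exit /b 2
)
set "SAM=%~1"
set "OU_DN=%~2"
set "USER_DN="
set "IN_OU="

rem Where is the account right now? dsquery prints the DN in quotes; %%~D strips them.
for /f "delims=" %%D in ('dsquery user domainroot -samid "%SAM%"') do set "USER_DN=%%~D"
if not defined USER_DN (
  echo No user with account name %SAM% was found in the domain.
  exit /b 1
)
echo Current location: %USER_DN%

rem Same query rooted at the OU: any result means the user is inside the link's scope.
for /f "delims=" %%D in ('dsquery user "%OU_DN%" -scope subtree -samid "%SAM%"') do set "IN_OU=1"
if defined IN_OU goto in_scope

echo User is NOT under %OU_DN%.
echo GPOs linked to that OU will not apply to this user, whatever the security filtering says.
echo To move the object from the command line instead of the Move dialog:
echo   dsmove "%USER_DN%" -newparent "%OU_DN%"
exit /b 1

:in_scope
echo User is under %OU_DN%; GPOs linked there are in scope for this user.
echo After the next logon, run gpresult /z on the workstation to confirm the GPO is listed.
exit /b 0
```

The script only reports and prints the `dsmove` command; it does not move anything itself.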

Question has a verified solution.