Solved

Server 2003 Active Directory How do I prevent the default domain policy from being applied to a new GPO I've created?

Posted on 2010-09-13
Last Modified: 2012-05-10
I've inherited a Win Server 2003 Active Directory network with 1 domain controller.  The company has added a new division and so I have had to create a new GPO that will apply most of the existing default domain policy, however, members of this GPO need to be assigned different network drive mappings.  I have tried everything I can think of but this new GPO - titled SCH - still is inheriting the existing default domain policy network drive mappings.  Your expert help will be greatly appreciated.
Question by:NJJimInHI
15 Comments
 
LVL 12

Expert Comment

by:tgtran
ID: 33666991
1.  Solution 1 - create another OU for existing division and take away the drive mapping from default domain policy and assign mapping according to OU
2.  Block inheritance of default domain policy.  You may want to check out this thread about blocking inheritance
http://www.experts-exchange.com/Security/Operating_Systems_Security/Windows/Q_20710120.html

 
LVL 70

Expert Comment

by:KCTS
ID: 33667067
You need to create a new OU for the new division and put the user accounts (and computers) for the new division into the new OU.

You can then link the new GPO directly to the new OU; it will then take precedence over the domain policy.
 

Author Comment

by:NJJimInHI
ID: 33667111
tgtran:  I've tried what was advised in the link you provided in your Solution #2 and that did not work.  Perhaps I took the wrong steps, but I think not.  Could you please provide step-by-step instruction on applying the fix described in the link you provided?  (I tried that after viewing that exact EE solution, btw)

KCTS:  Pardon my ignorance, but I will try your suggestion, but will need step-by-step instructions for linking the OU I created to its parent GPO.

Thank you both very much.
 
LVL 70

Expert Comment

by:KCTS
ID: 33667174
OK - I assume you have created the GPO in the Group Policy Management Console?
Right click on the OU and select 'Link Existing GPO' and assign the GPO directly to the new OU.
 
LVL 5

Expert Comment

by:chqshaitan
ID: 33667642
Another option is to use security filtering, and only apply the GPO to a security group. The security group, to be able to apply the GPO, would need Read and Apply Group Policy permissions.
 

Author Comment

by:NJJimInHI
ID: 33667700
KCTS:  Yes, I created the GPO and its child OU in the GPMC.  I already have the new OU linked to its parent GPO and the default domain policy still is inherited.

chqshaitan:  How do I set up security filtering?
 
LVL 5

Expert Comment

by:chqshaitan
ID: 33667718
Hi NJ, it works similar to Windows permissions on files; have a look at the following link for a good explanation.

http://www.windowsnetworking.com/articles_tutorials/Group-Policy-Security-Filtering.html

 

Author Comment

by:NJJimInHI
ID: 33667945
chqshaitan:  Excellent article.  I'm halfway there now in that users in this group only have the H: drive to their personal folder on the server, which is part of what I want.  However, loginsch.bat is not running or being applied, and so these users are not getting another mapped network drive I want them to have.  And I have configured the SCH GPO OU to run this batch file.  Not sure why it's not running.  Any thoughts?
 

Author Comment

by:NJJimInHI
ID: 33668304
Additional information:  I ran gpresult /z on the workstation that I'm testing with and I see that this GPO policy is not being applied.  I'm searching high and low for the answer, but having no luck.  Can anyone tell me why this specific GPO policy is not being applied when a member of this group logs in?
 
LVL 5

Expert Comment

by:chqshaitan
ID: 33670507
Hi NJ,

I take it that the GPO is on a container that has users in it, and that the login script is in the User Configuration section of the GPO and not Computer Configuration?
 

Author Comment

by:NJJimInHI
ID: 33676552
chqshaitan:  You are correct. At first I added only the group that the user belongs to under Security Filtering, then later I added the specific users (3) to Security Filtering as well.  For some reason, this GPO policy is not being applied to the client at login.
 
LVL 5

Expert Comment

by:chqshaitan
ID: 33676815
Hmm, weird. Are the users who are not running the script in a deny group by any chance that could be being applied at logon?
 

Author Comment

by:NJJimInHI
ID: 33677223
No...and I don't even see this Group Policy listed as denied in the gpresult data.
 

Author Comment

by:NJJimInHI
ID: 33677249
I'm also trying to just run a batch file for logon - no accompanying VBS script.  Will that work?
 

Accepted Solution

by:
NJJimInHI earned 0 total points
ID: 33678613
Finally figured out why this Group Policy was not being applied - I had to specifically add the users to the OU from within Active Directory Users and Computers.  To do this I opened USERS in ADUC, then selected the users I wanted this Group Policy to apply to, right clicked on the users and selected Move.... From the list of objects I was presented with I chose the OU for this Group Policy and these users were moved into this object.  The Group Policy is now applied to these users upon login.  Thanks to all who offered their thoughts.
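The fix above (moving the user objects into the OU) and the earlier suggestions (linking to an OU, Block Inheritance, security filtering) all come down to how Group Policy chooses which GPOs apply to a user. The following is an added example, not part of the original thread or any Microsoft tool, that models that resolution in Python; the domain corp.local, the group SCH-Users, the drive letters and the settings are assumed.

```python
# Toy model of Group Policy resolution for a user: domain links first, then each
# OU down to the container the user object lives in, so OU links win on conflict;
# Block Inheritance, Enforced links and security filtering are modelled as well.
# Added illustration, not a Microsoft tool; DNs, GPO names and settings are
# constructed to mirror this thread (Default Domain Policy vs. the SCH OU GPO).
from dataclasses import dataclass, field

@dataclass
class GPO:
    settings: dict                              # e.g. {"drives": "H:"}
    apply_to: set = field(default_factory=set)  # security filtering; empty = all
    enforced: bool = False

@dataclass
class Container:                                # a domain or OU that holds links
    links: list                                 # GPO names, in link order
    block_inheritance: bool = False

def container_chain(containers, dn):
    """Domain first, then every OU on the path down to `dn`."""
    parts = dn.split(",")
    suffixes = [",".join(parts[i:]) for i in range(len(parts))]
    return [containers[s] for s in reversed(suffixes) if s in containers]

def resolve(containers, gpos, user, user_dn, groups=frozenset()):
    """Return (GPO names in processing order, effective merged settings)."""
    normal, enforced, principals = [], [], {user} | set(groups)
    for c in container_chain(containers, user_dn):
        if c.block_inheritance:                 # drops non-enforced links above
            normal = []
        for name in c.links:
            g = gpos[name]
            if g.apply_to and not (g.apply_to & principals):
                continue                        # removed by security filtering
            (enforced if g.enforced else normal).append(name)
    order = normal + enforced[::-1]             # enforced wins; higher beats lower
    merged = {}
    for name in order:                          # a later-processed GPO overrides
        merged.update(gpos[name].settings)
    return order, merged

GPOS = {"Default Domain Policy": GPO({"drives": "H:"}),
        "SCH": GPO({"drives": "H:,S:", "logon": "loginsch.bat"}, {"SCH-Users"})}
CONTAINERS = {"DC=corp,DC=local": Container(["Default Domain Policy"]),
              "OU=SCH,DC=corp,DC=local": Container(["SCH"])}
if __name__ == "__main__":
    # user object still in the built-in Users container: SCH never applies
    print(resolve(CONTAINERS, GPOS, "jim", "CN=Users,DC=corp,DC=local", {"SCH-Users"}))
    # after "Move..." into the SCH OU: SCH applies and overrides the drive mapping
    print(resolve(CONTAINERS, GPOS, "jim", "OU=SCH,DC=corp,DC=local", {"SCH-Users"}))
```

The built-in Users container is deliberately absent from CONTAINERS because GPOs cannot be linked to it, which is why a user sitting there only ever receives the domain-linked policy.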