Hemachandran
asked on
Enforced GPO
We have an enforced site level group policy and we trying to over ride one perticular settings in this enforced site policy with an enforced OU level GPO and it doesn't work.
As per the order Child OU level policy should have precedence over site level policy since both are enfoced. But in our case always the enforced site level policy wins over enforced child ou level policy. Do any one knows how is the order of enforced policies ...
As per the order Child OU level policy should have precedence over site level policy since both are enfoced. But in our case always the enforced site level policy wins over enforced child ou level policy. Do any one knows how is the order of enforced policies ...
What does it show when you run Group Policy Modeling, or Group Policy Results?
Within the Group policy console, if you click on Group Policy Modeling, you can select the individual user, or container, and the individual computer, and container, and have it run the tests.
Then you can see which policies are being applied, and which policies are winning, and which are being denied.
Make sure that you are not trying to apply user settings to a computer container, or computer settings to a user... while that works when trying to apply settings to a higher level object (say Default Domain Policy) that has within its containers both users and computers - if you are trying to target GPO settings, you must be specific.
You can also "Block Inheritance" on that container, to see if your policies will then take effect.
Regards,
Joel
Within the Group policy console, if you click on Group Policy Modeling, you can select the individual user, or container, and the individual computer, and container, and have it run the tests.
Then you can see which policies are being applied, and which policies are winning, and which are being denied.
Make sure that you are not trying to apply user settings to a computer container, or computer settings to a user... while that works when trying to apply settings to a higher level object (say Default Domain Policy) that has within its containers both users and computers - if you are trying to target GPO settings, you must be specific.
You can also "Block Inheritance" on that container, to see if your policies will then take effect.
Regards,
Joel
ASKER
Hi Jmoody10,
So the Enforced policy doesn't work the same order Site->Domain->Ou->Child OU. I couldnt find any document on how it works when we have a site enforced policy and a ou enforced policy. But in practical we have seen site enforced policy taking presedence over ou while in non enforced policies it would be other way.
We are trying our best to limit enfoced policy this is only for a test in whihc we have to over ride the Site level enforced policy on a specific ou. On the site level we have enfoced the policy to avoid getting some policies from our remote head office related to SUS.
So the Enforced policy doesn't work the same order Site->Domain->Ou->Child OU. I couldnt find any document on how it works when we have a site enforced policy and a ou enforced policy. But in practical we have seen site enforced policy taking presedence over ou while in non enforced policies it would be other way.
We are trying our best to limit enfoced policy this is only for a test in whihc we have to over ride the Site level enforced policy on a specific ou. On the site level we have enfoced the policy to avoid getting some policies from our remote head office related to SUS.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
do you have any MS link on the same, That's what i see in our case but just to make sure...
ASKER
May be I am not reading it properly, but I cannot see any where MS celarly explained this scenario in the document. Any way I can see few other had the same experience so its an expected behaviour thanks for the answers.
You should rarely use enforce though