Solved

GPO Settings

Posted on 2012-03-15
10
203 Views
Last Modified: 2012-04-03
I know this is basic Group Policy 101, but for some reason I can't figure it out after all the searching I've done.

We have several servers, then we have a lot of computers.

I want automatic updates for our computers, but I don't want auto updates on the servers. My problem is this. It seems that no matter what I do, whatever I have set in the Default Domain policy applies to everything in the domain.

I have a separate OU for my servers, and a separate OU for my computers.

I've blocked inheritance on the servers and have a GPO created in those containers to disable auto updates. But as soon as I allow auto updates on the default domain policy, it overrides the GPO I created for the servers.

What am I doing wrong here?

Domain is a Server 2003 domain, with 2 x Server 2003 domain controllers.

Computers are a mix of XP and Windows 7.

Can anyone tell me what I'm messing up? I thought that by blocking inheritance on my server OU, I would keep the default domain policy from getting applied.
0
Question by:themightydude
10 Comments
 
LVL 7

Accepted Solution

by:
Martin81 earned 500 total points
If you have the default domain policy enforced it won't take any notice of the block. If you run the Group Policy Results Wizard against one of the servers from the bottom of the Group Policy Management Console, that should give you a better idea of what's going on.
0
 
LVL 8

Expert Comment

by:thomasdavis
Also, if the server OU is linked to the GPO that has auto updates turned on, this would cause that.
0
 
LVL 35

Expert Comment

by:Joseph Daly
My suggestion would be to take the update configuration out of your default domain policy and then create two separate GPO objects for updates. Call one of them something like "Updates - Workstations" and the other "Updates - Servers".

This way you can link the individual GPOs to specific OUs that contain either servers or workstations. This eliminates the chance for accidental updates on servers.
0
 
LVL 4

Author Comment

by:themightydude
Ok.

The default domain policy was enforced.

I disabled that and now I have windows updates enabled on all the computers, but not on the servers. So looks like that solved it.

Now one last thing. I have a Windows Server 2008 R2 server which is our Exchange 2010 server. It seems that this server is still getting its GP from the default domain policy. GPRW shows it inheriting all the GPOs, but not denying any.

Any ideas on that? Maybe a version conflict between 2003 DCs and a 2008 R2 server?
0
 
LVL 7

Expert Comment

by:Martin81
Try a gpupdate /force on that server and check again.
0

 
LVL 4

Author Comment

by:themightydude
Did that a few times.
0
 
LVL 7

Expert Comment

by:Martin81
Is that server in a different AD site to the others? I'm thinking it could be picking up policies from a different domain controller that your changes haven't replicated to yet.

If you run echo %logonserver% on that server it should show you the DC it's using, compare that with the other servers to see if it's using the domain controller.

You could also try running gpresult /h gpreport.html on the 2008 server, that gives more or less the same results as the group policy results wizard but may be more up to date.
0
 
LVL 4

Author Comment

by:themightydude
No that server is in the same AD site as the rest of them.

I'll try those commands when I get a chance... having a couple issues with that server right now actually that we are working on.
0
 
LVL 10

Expert Comment

by:172pilotSteve
Remember, GPOs are CUMULATIVE... In other words, the default domain policy WILL affect everything in the domain (unless inheritance is blocked) but other GPOs lower in the structure can add additional settings, or override settings in higher up GPOs. (Overriding won't happen if "Enforce" is selected on a GPO above.)

Personally, I like to keep GPOs small, and focused on ONE purpose, that way they can be linked ONLY where they belong, without then having to block inheritance somewhere or enforce somewhere else to fix something that was really a GPO design problem. Some people prefer to bunch all the settings into one GPO, and have a separate GPO for each sub-tree that needs it. That's fine too, and processes faster, but I think it's harder to manage.

That being said, some settings are only valid/applicable on some operating system versions, so the 2003 vs 2008 R2 might have something to do with that, but I'd think what's really happening is that you've made a computer change that only takes effect upon reboot, and haven't rebooted yet... The machine settings apply on a timed schedule (or on gpupdate) but SOME only take effect upon reboot...
0
 
LVL 4

Author Comment

by:themightydude
Sorry for the late reply here.

Martin81 was correct that the default domain policy was enforced and thus forcing propagation.

Disabled that and everything is fine now.

Thanks
0
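
A simplified model of the precedence rules discussed in this thread (Enforced versus Block Inheritance from the accepted solution, and the cumulative behaviour described in the later comment), added here as an example and not code posted by any participant. The domain name, OU names and the "AutoUpdate" key are constructed; link order within a container, site and local policy, security filtering and WMI filters are left out.

```python
# Simplified model of Group Policy precedence: domain -> OU order,
# Block Inheritance, and Enforced links.
# GPO/OU names and the "AutoUpdate" key are constructed for illustration.

def effective_settings(path):
    """path: containers from the domain root down to the computer's own OU.
    Each container: {"name", "block": bool, "links": [(gpo, enforced, settings)]}
    Returns {setting: (value, winning_gpo)}."""
    normal, enforced = [], []
    for depth, container in enumerate(path):
        # A link here is cut off if any container *below* it blocks inheritance.
        blocked_below = any(c["block"] for c in path[depth + 1:])
        for gpo, is_enforced, settings in container["links"]:
            if is_enforced:
                enforced.append((gpo, settings))  # Enforced ignores Block Inheritance
            elif not blocked_below:
                normal.append((gpo, settings))
    result = {}
    # Non-enforced GPOs apply root first, so the closest OU writes last and wins.
    # Enforced GPOs apply afterwards in reverse, so the highest enforced link wins.
    for gpo, settings in normal + enforced[::-1]:
        for key, value in settings.items():
            result[key] = (value, gpo)
    return result

def build_path(ou_name, ou_links, ou_blocks, domain_enforced):
    domain = {"name": "example.local", "block": False,
              "links": [("Default Domain Policy", domain_enforced,
                         {"AutoUpdate": "enabled"})]}
    return [domain, {"name": ou_name, "block": ou_blocks, "links": ou_links}]

SERVER_LINKS = [("Updates - Servers", False, {"AutoUpdate": "disabled"})]

def scenario(domain_enforced):
    """Returns the effective AutoUpdate result for (servers, workstations)."""
    servers = build_path("Servers", SERVER_LINKS, True, domain_enforced)
    workstations = build_path("Workstations", [], False, domain_enforced)
    return (effective_settings(servers)["AutoUpdate"],
            effective_settings(workstations)["AutoUpdate"])

if __name__ == "__main__":
    for flag in (True, False):
        srv, wks = scenario(flag)
        print(f"Default Domain Policy enforced={flag}: servers={srv} workstations={wks}")
```

With the domain link enforced, the Servers OU receives the domain value despite blocking inheritance; with Enforced removed, the OU-level GPO wins on servers while workstations still inherit the domain value.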
