Solved

GPO Settings

Posted on 2012-03-15
Last Modified: 2012-04-03
I know this is basic Group Policy 101, but for some reason I can't figure it out after all the searching I've done.

We have several servers, then we have a lot of computers.

I want automatic updates for our computers, but I don't want auto updates on the servers. My problem is this. It seems that no matter what I do, whatever I have set in the Default Domain policy applies to everything in the domain.

I have a separate OU for my servers, and a separate OU for my computers.

I've blocked inheritance on the servers and have a GPO created in those containers to disable auto updates. But as soon as I allow auto updates on the default domain policy, it overrides the GPO I created for the servers.

What am I doing wrong here?

Domain is a Server 2003 domain, with 2 x Server 2003 domain controllers.

Computers are a mix of XP and Windows 7.

Can anyone tell me what I'm messing up? I thought that by blocking inheritance on my server OU, I would keep the default domain policy from getting applied.
0
Question by:themightydude
 
LVL 7

Accepted Solution

by:
Martin81 earned 500 total points
ID: 37726516
If you have the default domain policy enforced it won't take any notice of the block. If you run the group policy results wizard against one of the servers from the bottom of the group policy management console that should give you a better idea of what's going on.
0
 
LVL 8

Expert Comment

by:thomasdavis
ID: 37726526
Also, if the server OU is linked to the GPO that has auto updates turned on, this would cause that.
0
 
LVL 35

Expert Comment

by:Joseph Daly
ID: 37726527
My suggestion would be to take the update configuration out of your default domain policy and then create two separate GPO objects for updates. Call one of them something like "Updates - Workstations" and the other "Updates - Servers".

This way you can link the individual GPOs to specific OUs that contain either servers or workstations. This eliminates the chance for accidental updates on servers.
0
 
LVL 4

Author Comment

by:themightydude
ID: 37726584
Ok.

The default domain policy was enforced.

I disabled that and now I have windows updates enabled on all the computers, but not on the servers. So looks like that solved it.

Now one last thing. I have a Windows Server 2008 R2 server which is our Exchange 2010 server. It seems that this server is still getting its GP from the default domain policy. GPRW shows it inheriting all the GPOs, but not denying any.

Any ideas on that? Maybe a version conflict between 2003 DCs and a 2008 R2 server?
0
 
LVL 7

Expert Comment

by:Martin81
ID: 37726724
Try a gpupdate /force on that server and check again.
0
 
LVL 4

Author Comment

by:themightydude
ID: 37726729
Did that a few times.
0
 
LVL 7

Expert Comment

by:Martin81
ID: 37726816
Is that server in a different AD site to the others? I'm thinking it could be picking up policies from a different domain controller that your changes haven't replicated to yet.

If you run echo %logonserver% on that server it should show you the DC it's using, compare that with the other servers to see if it's using the domain controller.

You could also try running gpresult /h gpreport.html on the 2008 server, that gives more or less the same results as the group policy results wizard but may be more up to date.
0
 
LVL 4

Author Comment

by:themightydude
ID: 37726835
No that server is in the same AD site as the rest of them.

I'll try those commands when I get a chance... having a couple issues with that server right now actually that we are working on.
0
 
LVL 10

Expert Comment

by:172pilotSteve
ID: 37730182
Remember, GPOs are CUMULATIVE... In other words, the default domain policy WILL affect everything in the domain (unless inheritance is blocked) but other GPOs lower in the structure can add additional settings, or override settings in higher up GPOs. (Overriding won't happen if "Enforce" is selected on a GPO above.)

Personally, I like to keep GPOs small, and focused on ONE purpose, that way they can be linked ONLY where they belong, without then having to block inheritance somewhere or enforce somewhere else to fix something that was really a GPO design problem. Some people prefer to bunch all the settings into one GPO, and have a separate GPO for each sub-tree that needs it. That's fine too, and processes faster, but I think it's harder to manage.

That being said, some settings are only valid/applicable on some operating system versions, so the 2003 vs 2008 R2 might have something to do with that, but I'd think what's really happening is that you've made a computer change that only takes effect upon reboot, and haven't rebooted yet... The machine settings apply on a timed schedule (or on gpupdate) but SOME only take effect upon reboot...
0
 
LVL 4

Author Comment

by:themightydude
ID: 37803126
Sorry for the late reply here.

Martin81 was correct that the default domain policy was enforced and thus forcing propagation.

Disabled that and everything is fine now.

Thanks
0
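
The precedence behaviour this thread settled on, as an added example that is not part of any post: a simplified Python model of how Block Inheritance and Enforced interact for the domain and OU levels. It ignores local and site GPOs and any filtering; the domain name example.local, the AutoUpdate key and the GPO titles are constructed for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class Link:
    gpo: str
    settings: dict
    enforced: bool = False

@dataclass
class Container:
    name: str
    links: list = field(default_factory=list)  # link order 1 first
    block_inheritance: bool = False

def applied_order(path):
    """path: containers from the domain root down to the computer's OU.
    Returns GPO links in application order; the last writer wins."""
    normal, enforced = [], []
    for container in path:
        if container.block_inheritance:
            normal = []  # discards inherited links that are not enforced
        ordered = list(reversed(container.links))  # link order 1 applies last
        normal += [ln for ln in ordered if not ln.enforced]
        enforced.append([ln for ln in ordered if ln.enforced])
    # Enforced links apply after everything else, and the highest container
    # in the tree applies last of all, so no OU below it can override it.
    for group in reversed(enforced):
        normal += group
    return normal

def resultant(path):
    """Map each setting to (winning value, GPO that supplied it)."""
    result = {}
    for link in applied_order(path):
        for key, value in link.settings.items():
            result[key] = (value, link.gpo)
    return result

def scenario(default_policy_enforced):
    # Constructed names: example.local, the "AutoUpdate" key and GPO titles.
    domain = Container("example.local", [Link(
        "Default Domain Policy", {"AutoUpdate": "Enabled"},
        enforced=default_policy_enforced)])
    servers = Container("Servers", [Link(
        "Updates - Servers", {"AutoUpdate": "Disabled"})],
        block_inheritance=True)
    computers = Container("Computers")
    return {"server": resultant([domain, servers]),
            "computer": resultant([domain, computers])}
```

Calling `scenario(True)` reproduces the original symptom (the enforced domain link wins on the blocked Servers OU), and `scenario(False)` reproduces the state after the fix.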
