themightydude asked:

GPO Settings

I know this is basic Group Policy 101, but for some reason I can't figure it out after all the searching I've done.

We have several servers, then we have a lot of computers.

I want automatic updates for our computers, but I don't want auto updates on the servers. My problem is this. It seems that no matter what I do, whatever I have set in the Default Domain policy applies to everything in the domain.

I have a separate OU for my servers, and a separate OU for my computers.

I've blocked inheritance on the servers and have a GPO created in those containers to disable auto updates. But as soon as I allow auto updates on the default domain policy, it overrides the GPO I created for the servers.

What am I doing wrong here?

Domain is a Server 2003 domain, with 2 x Server 2003 domain controllers.

Computers are a mix of XP and Windows 7.

Can anyone tell me what I'm messing up? I thought that by blocking inheritance on my server OU, I would keep the default domain policy from getting applied.
ASKER CERTIFIED SOLUTION
Martin81

thomasdavis
Also, if the server OU is linked to the GPO that has auto updates turned on, this causes that.
My suggestion would be to take the update configuration out of your default domain policy and then create two separate GPO objects for updates. Call one of them something like "Updates - Workstations" and the other "Updates - Servers".

This way you can link the individual GPOs to specific OUs that contain either servers or workstations. This eliminates the chance for accidental updates on servers.
themightydude (ASKER):
Ok.

The default domain policy was enforced.

I disabled that and now I have windows updates enabled on all the computers, but not on the servers. So looks like that solved it.

Now one last thing. I have a Windows Server 2008 R2 server which is our Exchange 2010 server. It seems that this server is still getting its GP from the default domain policy. GPRW shows it inheriting all the GPOs, but not denying any.

Any ideas on that? Maybe a version conflict between 2003 DCs and a 2008 R2 server?
Try a gpupdate /force on that server and check again.
Did that a few times.
Is that server in a different AD site to the others? I'm thinking it could be picking up policies from a different domain controller that your changes haven't replicated to yet.

If you run echo %logonserver% on that server it should show you the DC it's using, compare that with the other servers to see if it's using the domain controller.

You could also try running gpresult /h gpreport.html on the 2008 server, that gives more or less the same results as the group policy results wizard but may be more up to date.
No that server is in the same AD site as the rest of them.

I'll try those commands when I get a chance... having a couple of issues with that server right now actually that we are working on.
Remember, GPOs are CUMULATIVE...  In other words, the default domain policy WILL affect everything in the domain (unless inheritance is blocked) but other GPOs lower in the structure can add additional settings, or override settings in higher up GPOs.  (Overriding won't happen if "Enforce" is selected on a GPO above.)

Personally, I like to keep GPOs small, and focused on ONE purpose, that way they can be linked ONLY where they belong, without then having to block inheritance somewhere or enforce somewhere else to fix something that was really a GPO design problem.  Some people prefer to bunch all the settings into one GPO, and have a separate GPO for each sub-tree that needs it..  That's fine too, and processes faster, but I think it's harder to manage.

That being said, some settings are only valid/applicable on some operating system versions, so the 2003 vs 2008 R2 might have something to do with that, but I'd think what's really happening is that you've made a computer change that only takes effect upon reboot, and haven't rebooted yet...  The machine settings apply on a timed schedule (or on gpupdate) but SOME only take effect upon reboot...
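An added diagnostic script, not from anyone in this thread, that shows the interaction described above: an OU with "Block Inheritance" still receives any GPO that is linked with "Enforced" at the domain or a parent OU. It assumes the GroupPolicy PowerShell module (RSAT/GPMC on 2008 R2 or Windows 7) and uses a placeholder OU distinguished name that you replace with your own.

```powershell
# Walk from the target OU up to the domain root and list every enforced,
# enabled GPO link found on the way. Such links override Block Inheritance
# and any GPO linked at the target OU itself.
Import-Module GroupPolicy

function Get-EnforcedLinksAbove {
    param([Parameter(Mandatory)][string]$TargetDn)

    # Split the DN into its RDNs, e.g. "OU=Servers,DC=example,DC=com"
    # becomes "OU=Servers", "DC=example", "DC=com".
    $parts  = $TargetDn -split ',(?=(?:OU|DC)=)'
    $report = @()

    for ($i = 1; $i -lt $parts.Count; $i++) {
        $parentDn = $parts[$i..($parts.Count - 1)] -join ','
        try {
            $inh = Get-GPInheritance -Target $parentDn -ErrorAction Stop
        } catch {
            break   # not an OU or domain container, nothing more to inspect
        }
        foreach ($link in $inh.GpoLinks) {
            if ($link.Enforced -and $link.Enabled) {
                $report += [pscustomobject]@{
                    Container = $parentDn
                    Gpo       = $link.DisplayName
                }
            }
        }
        # The first RDN that starts with DC= is the domain root; stop there.
        if ($parts[$i] -like 'DC=*') { break }
    }
    return $report
}

$ou = 'OU=Servers,DC=example,DC=com'   # placeholder, replace with your OU DN

$target = Get-GPInheritance -Target $ou
"Block Inheritance on ${ou}: $($target.GpoInheritanceBlocked)"

$enforced = Get-EnforcedLinksAbove -TargetDn $ou
if ($enforced) {
    "Enforced links above ${ou} (these win regardless of Block Inheritance):"
    $enforced | Format-Table -AutoSize
} else {
    "No enforced links above ${ou}; only GPOs linked at this OU apply here."
}
```

If the default domain policy appears in the output, clearing its "Enforced" flag (Set-GPLink -Target "DC=example,DC=com" -Name "Default Domain Policy" -Enforced No) is what lets the OU-level update GPO take precedence again.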
Sorry for the late reply here.

Martin81 was correct that the default domain policy was enforced and thus forcing propagation.

Disabled that and everything is fine now.

Thanks