Solved

GPO Settings

Posted on 2012-03-15
Last Modified: 2012-04-03
I know this is basic Group Policy 101, but for some reason I can't figure it out after all the searching I've done.

We have several servers, then we have a lot of computers.

I want automatic updates for our computers, but I don't want auto updates on the servers. My problem is this. It seems that no matter what I do, whatever I have set in the Default Domain policy applies to everything in the domain.

I have a separate OU for my servers, and a separate OU for my computers.

I've blocked inheritance on the servers and have a GPO created in those containers to disable auto updates. But as soon as I allow auto updates on the default domain policy, it overrides the GPO I created for the servers.

What am I doing wrong here?

Domain is a Server 2003 domain, with 2 x Server 2003 domain controllers.

Computers are a mix of XP and Windows 7.

Can anyone tell me what I'm messing up? I thought that by blocking inheritance on my server OU, I would keep the default domain policy from getting applied.
Question by: themightydude
Accepted Solution by: Martin81 (earned 500 total points)
ID: 37726516
If you have the default domain policy enforced it won't take any notice of the block. If you run the group policy results wizard against one of the servers from the bottom of the group policy management console that should give you a better idea of what's going on.
Expert Comment by: thomasdavis
ID: 37726526
Also, if the server OU is linked to the GPO that has auto updates turned on, this causes that.
Expert Comment by: Joseph Daly
ID: 37726527
My suggestion would be to take the update configuration out of your default domain policy and then create two separate GPO objects for updates. Call one of them something like "Updates - Workstations" and the other "Updates - Servers".

This way you can link the individual GPOs to specific OUs that contain either servers or workstations. This eliminates the chance for accidental updates on servers.
Author Comment by: themightydude
ID: 37726584
Ok.

The default domain policy was enforced.

I disabled that and now I have windows updates enabled on all the computers, but not on the servers. So looks like that solved it.

Now one last thing. I have a Windows Server 2008 R2 server which is our Exchange 2010 server. It seems that this server is still getting its GP from the default domain policy. GPRW shows it inheriting all the GPOs, but not denying any.

Any ideas on that? Maybe a version conflict between 2003 DCs and a 2008 R2 server?
Expert Comment by: Martin81
ID: 37726724
Try a gpupdate /force on that server and check again.
Author Comment by: themightydude
ID: 37726729
Did that a few times.
Expert Comment by: Martin81
ID: 37726816
Is that server in a different AD site to the others? I'm thinking it could be picking up policies from a different domain controller that your changes haven't replicated to yet.

If you run echo %logonserver% on that server it should show you the DC it's using, compare that with the other servers to see if it's using the domain controller.

You could also try running gpresult /h gpreport.html on the 2008 server, that gives more or less the same results as the group policy results wizard but may be more up to date.
Author Comment by: themightydude
ID: 37726835
No that server is in the same AD site as the rest of them.

I'll try those commands when I get a chance... having a couple of issues with that server right now actually that we are working on.
Expert Comment by: 172pilotSteve
ID: 37730182
Remember, GPOs are CUMULATIVE... In other words, the default domain policy WILL affect everything in the domain (unless inheritance is blocked) but other GPOs lower in the structure can add additional settings, or override settings in higher up GPOs. (Overriding won't happen if "Enforce" is selected on a GPO above.)

Personally, I like to keep GPOs small, and focused on ONE purpose, that way they can be linked ONLY where they belong, without then having to block inheritance somewhere or enforce somewhere else to fix something that was really a GPO design problem. Some people prefer to bunch all the settings into one GPO, and have a separate GPO for each sub-tree that needs it... That's fine too, and processes faster, but I think it's harder to manage.

That being said, some settings are only valid/applicable on some operating system versions, so the 2003 vs 2008 R2 might have something to do with that, but I'd think what's really happening is that you've made a computer change that only takes effect upon reboot, and haven't rebooted yet... The machine settings apply on a timed schedule (or on gpupdate) but SOME only take effect upon reboot...
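The check that Martin81's accepted answer and 172pilotSteve's comment describe (an Enforced link on the domain or a parent OU wins over Block Inheritance on the Servers OU), as an added PowerShell example that is not part of the original thread. It assumes the RSAT GroupPolicy module is available and uses placeholder OU and domain distinguished names.

```powershell
# Added example, not from the thread: audit an OU whose "Block Inheritance"
# still lets a domain-level GPO through. Assumes the RSAT GroupPolicy module
# (Server 2008 R2 / Windows 7 RSAT or later) and placeholder OU and domain DNs.
Import-Module GroupPolicy

$ServersOU = "OU=Servers,DC=example,DC=local"   # placeholder DN, replace
$AuKey     = "HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\AU"

$inh = Get-GPInheritance -Target $ServersOU
"Block Inheritance on {0}: {1}" -f $inh.Path, $inh.GpoInheritanceBlocked

# InheritedGpoLinks is the effective, ordered list of what still applies to
# the OU. A link marked Enforced on the domain or a parent OU appears here
# even when inheritance is blocked, and it wins over the OU's own GPOs.
$effective = foreach ($link in $inh.InheritedGpoLinks) {
    $noAuto = $null
    try {
        # NoAutoUpdate = 1 disables Automatic Updates, 0 enables them;
        # the cmdlet throws when the GPO does not set the value at all.
        $v = Get-GPRegistryValue -Guid $link.GpoId -Key $AuKey `
                 -ValueName NoAutoUpdate -ErrorAction Stop
        $noAuto = $v.Value
    } catch { }
    [pscustomobject]@{
        Order        = $link.Order
        GPO          = $link.DisplayName
        Enforced     = $link.Enforced
        LinkedAt     = $link.Target
        NoAutoUpdate = $noAuto
    }
}
$effective | Format-Table -AutoSize

# Any Enforced link coming from above the OU is the culprit in the question.
$culprits = $effective | Where-Object { $_.Enforced -and $_.LinkedAt -ne $ServersOU }
if ($culprits) {
    "Enforced links that bypass Block Inheritance:"
    $culprits | Format-Table Order, GPO, LinkedAt -AutoSize
    # Fix, as the accepted answer implies: clear Enforced on the offending
    # link, then re-run this script (or gpupdate /force on a server), e.g.
    #   Set-GPLink -Name "Default Domain Policy" -Target "DC=example,DC=local" -Enforced No
}
```

Running this against the Servers OU before and after clearing Enforced on the Default Domain Policy link makes the change visible without waiting for a gpupdate cycle on each server.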
Author Comment by: themightydude
ID: 37803126
Sorry for the late reply here.

Martin81 was correct that the default domain policy was enforced and thus forcing propagation.

Disabled that and everything is fine now.

Thanks