?
Solved

"Defaul Domain Controller Policy" applied to objects on a OU that is NOT within the Domain Controllers OU.

Posted on 2012-03-30
7
Medium Priority
?
548 Views
Last Modified: 2012-05-03
Hello everyone.  I have a curious question, but first my environment:

Windows 2003 DC
Mixed XP x86 and 7 x64 workstations.

I have a OU in the root of my domain called "Windows 7 PC Test".  I have a Win7 64x computer account and a test user account inside this OU.

We obviously have the Domain Controllers OU and within it the "Default Domain Controller Policy".

On the very top of everything is the "Default Domain Policy".

MYDOMAIN
  default domain policy
     OU: Domain Controller
       default domain controller policy
     OU: Windows 7 PC Test
       (NO GPO'S)
         Win7x64 pc account
         test user account

I log into the computer located inside the Windows 7 PC Test OU with Block Inheritance enabled and gpresult /r shows that the user settings applied the Default Domain Policy.

If I allow inheritance then it shows that the Default Domain Policy AND "Defaul Domain Controller Policy where applied to the user settings.

Neither of the gpresult /r show any applied Computer Settings, I am assuming cause I do not have any GPO's within the Windows 7 PC Test OU.

I am trying to test why the Win7 computers take up to 3 minutes to shutdown, when I block inheritance it takes only 15-18 seconds....no more no less.  and I am trying to rule out our other GPO's which we have on other OU's.   But the ones that always come up are the default domain and default controller.

So at this point why are those two policies being reported under the user IF there are zero GPO's on the Windows 7 PC Test OU.  I think it's the domain controller policy causing the slow shutdown.

I am attaching a file that shows the gpresults with both inheritance and no inheritance enabled.

Thanks!
gpresults.txt
0
Comment
Question by:itbamiami
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
7 Comments
 
LVL 6

Expert Comment

by:awaggoner
ID: 37789394
Is the default domain controller policy applied to any OU's other than the Domain Controller and Win7 test OU's?

Could you create a new test OU and see it the default domain controller policy is applied to that one as well?
0
 
LVL 5

Expert Comment

by:ssujai
ID: 37794887
Can you check the group policy using gpmc and see the paths linked to it?is it possible to post a screenshot of it?
0
 

Author Comment

by:itbamiami
ID: 37797400
@awaggoner, the Default Domain Conroller Policy is only applied to the Domain Controllers OU.
When I go to Group Policy Objects > Default Domain Controller Policy, under Scope on the right side of the GPMC I see Domain Controllers - Enforced: Yes - Link Enabled: Yes - Patch: MYDOMAIN.NET/Domain Controllers.  Domain Controllers is obviously the OU where my DC's reside.
The Windows 7 PC Test OU was created just a couple of days before I posted this question, it's as new as it can get.

@ssujai, as you can see from my reply to awaggoner, the path is to to the Domain Controllers OU.  I am attaching a screenshot.

Thanks for the help.
defauldomaincontrollerpolicy.png
0
 

Accepted Solution

by:
itbamiami earned 0 total points
ID: 37799298
I figured it out.  I had "enforced" on both policies, heck all my policies are enforced for that matter.  Time to go through those enforced ones and see how I can clean up my gpo's.

Thank you for the assistance.

from the following site: http://www.computerperformance.co.uk/w2k3/gp/group_policy_inheritance.htm

Block Inheritance

There is one setting that you should know more about and that is Block Inheritance.  This is what I call the anarchists setting.  If you allow delegation at the OU, level then it is possible to stop any policies coming down from the domain.  However any policies that have been 'Enforced', cannot be blocked.
0
 

Author Comment

by:itbamiami
ID: 37799300
@mods, how can I close this question?  Do I accept my own solution and award myself points?

Thanks
0

Featured Post

Technology Partners: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This process allows computer passwords to be managed and secured without using LAPS. This is an improvement on an existing process, enhanced to store password encrypted, instead of clear-text files within SQL
Compliance and data security require steps be taken to prevent unauthorized users from copying data.  Here's one method to prevent data theft via USB drives (and writable optical media).
This Micro Tutorial will give you basic overview of the control panel section on Windows 7. It will depth in Network and Internet, Hardware and Sound, etc. This will be demonstrated using Windows 7 operating system.
This Micro Tutorial will go in depth within Systems and Security in Windows 7 and will go into detail regarding Action Center, Windows Firewall, System, etc. This will be demonstrated using Windows 7 operating system.
Suggested Courses
Course of the Month12 days, 13 hours left to enroll

777 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question