Solved

"Defaul Domain Controller Policy" applied to objects on a OU that is NOT within the Domain Controllers OU.

Posted on 2012-03-30
7
541 Views
Last Modified: 2012-05-03
Hello everyone.  I have a curious question, but first my environment:

Windows 2003 DC
Mixed XP x86 and 7 x64 workstations.

I have a OU in the root of my domain called "Windows 7 PC Test".  I have a Win7 64x computer account and a test user account inside this OU.

We obviously have the Domain Controllers OU and within it the "Default Domain Controller Policy".

On the very top of everything is the "Default Domain Policy".

MYDOMAIN
  default domain policy
     OU: Domain Controller
       default domain controller policy
     OU: Windows 7 PC Test
       (NO GPO'S)
         Win7x64 pc account
         test user account

I log into the computer located inside the Windows 7 PC Test OU with Block Inheritance enabled and gpresult /r shows that the user settings applied the Default Domain Policy.

If I allow inheritance then it shows that the Default Domain Policy AND "Defaul Domain Controller Policy where applied to the user settings.

Neither of the gpresult /r show any applied Computer Settings, I am assuming cause I do not have any GPO's within the Windows 7 PC Test OU.

I am trying to test why the Win7 computers take up to 3 minutes to shutdown, when I block inheritance it takes only 15-18 seconds....no more no less.  and I am trying to rule out our other GPO's which we have on other OU's.   But the ones that always come up are the default domain and default controller.

So at this point why are those two policies being reported under the user IF there are zero GPO's on the Windows 7 PC Test OU.  I think it's the domain controller policy causing the slow shutdown.

I am attaching a file that shows the gpresults with both inheritance and no inheritance enabled.

Thanks!
gpresults.txt
0
Comment
Question by:itbamiami
  • 3
7 Comments
 
LVL 6

Expert Comment

by:awaggoner
ID: 37789394
Is the default domain controller policy applied to any OU's other than the Domain Controller and Win7 test OU's?

Could you create a new test OU and see it the default domain controller policy is applied to that one as well?
0
 
LVL 5

Expert Comment

by:ssujai
ID: 37794887
Can you check the group policy using gpmc and see the paths linked to it?is it possible to post a screenshot of it?
0
 

Author Comment

by:itbamiami
ID: 37797400
@awaggoner, the Default Domain Conroller Policy is only applied to the Domain Controllers OU.
When I go to Group Policy Objects > Default Domain Controller Policy, under Scope on the right side of the GPMC I see Domain Controllers - Enforced: Yes - Link Enabled: Yes - Patch: MYDOMAIN.NET/Domain Controllers.  Domain Controllers is obviously the OU where my DC's reside.
The Windows 7 PC Test OU was created just a couple of days before I posted this question, it's as new as it can get.

@ssujai, as you can see from my reply to awaggoner, the path is to to the Domain Controllers OU.  I am attaching a screenshot.

Thanks for the help.
defauldomaincontrollerpolicy.png
0
 

Accepted Solution

by:
itbamiami earned 0 total points
ID: 37799298
I figured it out.  I had "enforced" on both policies, heck all my policies are enforced for that matter.  Time to go through those enforced ones and see how I can clean up my gpo's.

Thank you for the assistance.

from the following site: http://www.computerperformance.co.uk/w2k3/gp/group_policy_inheritance.htm

Block Inheritance

There is one setting that you should know more about and that is Block Inheritance.  This is what I call the anarchists setting.  If you allow delegation at the OU, level then it is possible to stop any policies coming down from the domain.  However any policies that have been 'Enforced', cannot be blocked.
0
 

Author Comment

by:itbamiami
ID: 37799300
@mods, how can I close this question?  Do I accept my own solution and award myself points?

Thanks
0

Featured Post

What Is Threat Intelligence?

Threat intelligence is often discussed, but rarely understood. Starting with a precise definition, along with clear business goals, is essential.

Join & Write a Comment

Setting up a Microsoft WSUS update system is free relatively speaking if you have hard disk space and processor capacity.   However, WSUS can be a blessing and a curse. For example, there is nothing worse than approving updates and they just have…
On July 14th 2015, Windows Server 2003 will become End of Support, leaving hundreds of thousands of servers around the world that still run this 12 year old operating system vulnerable and potentially out of compliance in many organisations around t…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles from a Windows Server 2008 domain controller to a Windows Server 2012 domain controlle…
This tutorial will walk an individual through the process of configuring their Windows Server 2012 domain controller to synchronize its time with a trusted, external resource. Use Google, Bing, or other preferred search engine to locate trusted NTP …

758 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

19 Experts available now in Live!

Get 1:1 Help Now