Solved

"Defaul Domain Controller Policy" applied to objects on a OU that is NOT within the Domain Controllers OU.

Posted on 2012-03-30
7
542 Views
Last Modified: 2012-05-03
Hello everyone.  I have a curious question, but first my environment:

Windows 2003 DC
Mixed XP x86 and 7 x64 workstations.

I have a OU in the root of my domain called "Windows 7 PC Test".  I have a Win7 64x computer account and a test user account inside this OU.

We obviously have the Domain Controllers OU and within it the "Default Domain Controller Policy".

On the very top of everything is the "Default Domain Policy".

MYDOMAIN
  default domain policy
     OU: Domain Controller
       default domain controller policy
     OU: Windows 7 PC Test
       (NO GPO'S)
         Win7x64 pc account
         test user account

I log into the computer located inside the Windows 7 PC Test OU with Block Inheritance enabled and gpresult /r shows that the user settings applied the Default Domain Policy.

If I allow inheritance then it shows that the Default Domain Policy AND "Defaul Domain Controller Policy where applied to the user settings.

Neither of the gpresult /r show any applied Computer Settings, I am assuming cause I do not have any GPO's within the Windows 7 PC Test OU.

I am trying to test why the Win7 computers take up to 3 minutes to shutdown, when I block inheritance it takes only 15-18 seconds....no more no less.  and I am trying to rule out our other GPO's which we have on other OU's.   But the ones that always come up are the default domain and default controller.

So at this point why are those two policies being reported under the user IF there are zero GPO's on the Windows 7 PC Test OU.  I think it's the domain controller policy causing the slow shutdown.

I am attaching a file that shows the gpresults with both inheritance and no inheritance enabled.

Thanks!
gpresults.txt
0
Comment
Question by:itbamiami
  • 3
7 Comments
 
LVL 6

Expert Comment

by:awaggoner
ID: 37789394
Is the default domain controller policy applied to any OU's other than the Domain Controller and Win7 test OU's?

Could you create a new test OU and see it the default domain controller policy is applied to that one as well?
0
 
LVL 5

Expert Comment

by:ssujai
ID: 37794887
Can you check the group policy using gpmc and see the paths linked to it?is it possible to post a screenshot of it?
0
 

Author Comment

by:itbamiami
ID: 37797400
@awaggoner, the Default Domain Conroller Policy is only applied to the Domain Controllers OU.
When I go to Group Policy Objects > Default Domain Controller Policy, under Scope on the right side of the GPMC I see Domain Controllers - Enforced: Yes - Link Enabled: Yes - Patch: MYDOMAIN.NET/Domain Controllers.  Domain Controllers is obviously the OU where my DC's reside.
The Windows 7 PC Test OU was created just a couple of days before I posted this question, it's as new as it can get.

@ssujai, as you can see from my reply to awaggoner, the path is to to the Domain Controllers OU.  I am attaching a screenshot.

Thanks for the help.
defauldomaincontrollerpolicy.png
0
 

Accepted Solution

by:
itbamiami earned 0 total points
ID: 37799298
I figured it out.  I had "enforced" on both policies, heck all my policies are enforced for that matter.  Time to go through those enforced ones and see how I can clean up my gpo's.

Thank you for the assistance.

from the following site: http://www.computerperformance.co.uk/w2k3/gp/group_policy_inheritance.htm

Block Inheritance

There is one setting that you should know more about and that is Block Inheritance.  This is what I call the anarchists setting.  If you allow delegation at the OU, level then it is possible to stop any policies coming down from the domain.  However any policies that have been 'Enforced', cannot be blocked.
0
 

Author Comment

by:itbamiami
ID: 37799300
@mods, how can I close this question?  Do I accept my own solution and award myself points?

Thanks
0

Featured Post

PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Possible fixes for Windows 7 and Windows Server 2008 updating problem. Solutions mentioned are from Microsoft themselves. I started a case with them from our Microsoft Silver Partner option to open a case and get direct support from Microsoft. If s…
By default the complete memory dump option is disabled in windows . If we want to enable the complete memory dump for a diagnostic purpose, we have a solution for it. here we are using the registry method to enable this.
In this video, we discuss why the need for additional vertical screen space has become more important in recent years, namely, due to the transition in the marketplace of 4x3 computer screens to 16x9 and 16x10 screens (so-called widescreen format). …
The viewer will learn how to successfully download and install the SARDU utility on Windows 7, without downloading adware.

911 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

20 Experts available now in Live!

Get 1:1 Help Now