Solved

"Default Domain Controller Policy" applied to objects on an OU that is NOT within the Domain Controllers OU.

Posted on 2012-03-30
Last Modified: 2012-05-03
Hello everyone.  I have a curious question, but first my environment:

Windows 2003 DC
Mixed XP x86 and 7 x64 workstations.

I have an OU in the root of my domain called "Windows 7 PC Test".  I have a Win7 x64 computer account and a test user account inside this OU.

We obviously have the Domain Controllers OU and within it the "Default Domain Controller Policy".

On the very top of everything is the "Default Domain Policy".

MYDOMAIN
  default domain policy
     OU: Domain Controller
       default domain controller policy
     OU: Windows 7 PC Test
       (NO GPO'S)
         Win7x64 pc account
         test user account

I log into the computer located inside the Windows 7 PC Test OU with Block Inheritance enabled and gpresult /r shows that the user settings applied the Default Domain Policy.

If I allow inheritance then it shows that the Default Domain Policy AND "Default Domain Controller Policy" were applied to the user settings.

Neither gpresult /r output shows any applied Computer Settings, I am assuming because I do not have any GPO's within the Windows 7 PC Test OU.

I am trying to test why the Win7 computers take up to 3 minutes to shut down; when I block inheritance it takes only 15-18 seconds, no more, no less.  I am trying to rule out our other GPO's which we have on other OU's, but the ones that always come up are the default domain and default controller.

So at this point why are those two policies being reported under the user IF there are zero GPO's on the Windows 7 PC Test OU.  I think it's the domain controller policy causing the slow shutdown.

I am attaching a file that shows the gpresults with both inheritance and no inheritance enabled.

Thanks!
gpresults.txt
Question by:itbamiami
7 Comments
 
LVL 6

Expert Comment

by:awaggoner
ID: 37789394
Is the default domain controller policy applied to any OU's other than the Domain Controller and Win7 test OU's?

Could you create a new test OU and see if the default domain controller policy is applied to that one as well?
0
 
LVL 5

Expert Comment

by:ssujai
ID: 37794887
Can you check the group policy using GPMC and see the paths linked to it? Is it possible to post a screenshot of it?
0
 

Author Comment

by:itbamiami
ID: 37797400
@awaggoner, the Default Domain Controller Policy is only applied to the Domain Controllers OU.
When I go to Group Policy Objects > Default Domain Controller Policy, under Scope on the right side of the GPMC I see Domain Controllers - Enforced: Yes - Link Enabled: Yes - Path: MYDOMAIN.NET/Domain Controllers.  Domain Controllers is obviously the OU where my DC's reside.
The Windows 7 PC Test OU was created just a couple of days before I posted this question, it's as new as it can get.

@ssujai, as you can see from my reply to awaggoner, the path is to the Domain Controllers OU.  I am attaching a screenshot.

Thanks for the help.
defauldomaincontrollerpolicy.png
0
 

Accepted Solution

by:
itbamiami earned 0 total points
ID: 37799298
I figured it out.  I had "enforced" on both policies, heck all my policies are enforced for that matter.  Time to go through those enforced ones and see how I can clean up my gpo's.

Thank you for the assistance.

From the following site: http://www.computerperformance.co.uk/w2k3/gp/group_policy_inheritance.htm

Block Inheritance

There is one setting that you should know more about and that is Block Inheritance.  This is what I call the anarchists setting.  If you allow delegation at the OU level, then it is possible to stop any policies coming down from the domain.  However, any policies that have been 'Enforced' cannot be blocked.
0
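The Block Inheritance / Enforced interaction from the accepted solution, as an added example that is not part of the original thread: a simplified Python model of GPO link resolution along one domain-to-OU path. The `Workstation Baseline` GPO and all class and function names are constructed for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class Link:
    gpo: str
    enforced: bool = False
    enabled: bool = True

@dataclass
class Container:
    name: str
    links: list = field(default_factory=list)  # lowest precedence first
    block_inheritance: bool = False

def applied_gpos(path):
    """path: containers from the domain root down to the OU holding the object.
    Returns GPO names in processing order; the last one wins on conflicts."""
    # Non-enforced links above the deepest blocking container are dropped.
    barrier = 0
    for depth, container in enumerate(path):
        if container.block_inheritance:
            barrier = depth
    normal, enforced = [], []
    for depth, container in enumerate(path):
        for link in container.links:
            if not link.enabled:
                continue
            if link.enforced:
                enforced.append((depth, link.gpo))  # ignores the barrier
            elif depth >= barrier:
                normal.append(link.gpo)
    # Enforced links are processed last, deepest first, so the enforced link
    # on the highest container has the final word.
    enforced.sort(key=lambda item: -item[0])
    return normal + [gpo for _, gpo in enforced]

def demo(block, enforce_ddp):
    # Constructed layout modelled on the thread: two domain-level links and
    # a test OU with no GPOs of its own.
    domain = Container("MYDOMAIN", [
        Link("Default Domain Policy", enforced=enforce_ddp),
        Link("Workstation Baseline"),  # constructed GPO, not from the thread
    ])
    test_ou = Container("Windows 7 PC Test", [], block_inheritance=block)
    return applied_gpos([domain, test_ou])

if __name__ == "__main__":
    for block in (False, True):
        for enforce in (False, True):
            print(f"block={block} enforced={enforce}: {demo(block, enforce)}")
```
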
 

Author Comment

by:itbamiami
ID: 37799300
@mods, how can I close this question?  Do I accept my own solution and award myself points?

Thanks
0
