  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 551

"Default Domain Controller Policy" applied to objects in an OU that is NOT within the Domain Controllers OU.

Hello everyone.  I have a curious question, but first my environment:

Windows 2003 DC
Mixed XP x86 and 7 x64 workstations.

I have an OU in the root of my domain called "Windows 7 PC Test".  I have a Win7 x64 computer account and a test user account inside this OU.

We obviously have the Domain Controllers OU and within it the "Default Domain Controller Policy".

On the very top of everything is the "Default Domain Policy".

MYDOMAIN
  default domain policy
     OU: Domain Controller
       default domain controller policy
     OU: Windows 7 PC Test
       (NO GPO'S)
         Win7x64 pc account
         test user account

I log into the computer located inside the Windows 7 PC Test OU with Block Inheritance enabled and gpresult /r shows that the user settings applied the Default Domain Policy.

If I allow inheritance then it shows that the Default Domain Policy AND "Default Domain Controller Policy" were applied to the user settings.

Neither of the gpresult /r outputs shows any applied Computer Settings, I am assuming because I do not have any GPO's within the Windows 7 PC Test OU.

I am trying to test why the Win7 computers take up to 3 minutes to shut down; when I block inheritance it takes only 15-18 seconds... no more, no less.  And I am trying to rule out our other GPO's which we have on other OU's.   But the ones that always come up are the default domain and default controller.

So at this point why are those two policies being reported under the user IF there are zero GPO's on the Windows 7 PC Test OU.  I think it's the domain controller policy causing the slow shutdown.

I am attaching a file that shows the gpresults with both inheritance and no inheritance enabled.

Thanks!
gpresults.txt
0
itbamiami
Asked:
awaggoner Commented:
Is the default domain controller policy applied to any OU's other than the Domain Controller and Win7 test OU's?

Could you create a new test OU and see if the default domain controller policy is applied to that one as well?
0
 
ssujai Commented:
Can you check the group policy using gpmc and see the paths linked to it? Is it possible to post a screenshot of it?
0
 
itbamiami Author Commented:
@awaggoner, the Default Domain Controller Policy is only applied to the Domain Controllers OU.
When I go to Group Policy Objects > Default Domain Controller Policy, under Scope on the right side of the GPMC I see Domain Controllers - Enforced: Yes - Link Enabled: Yes - Path: MYDOMAIN.NET/Domain Controllers.  Domain Controllers is obviously the OU where my DC's reside.
The Windows 7 PC Test OU was created just a couple of days before I posted this question, it's as new as it can get.

@ssujai, as you can see from my reply to awaggoner, the path is to the Domain Controllers OU.  I am attaching a screenshot.

Thanks for the help.
defauldomaincontrollerpolicy.png
0
 
itbamiami Author Commented:
I figured it out.  I had "enforced" on both policies, heck all my policies are enforced for that matter.  Time to go through those enforced ones and see how I can clean up my gpo's.

Thank you for the assistance.

from the following site: http://www.computerperformance.co.uk/w2k3/gp/group_policy_inheritance.htm

Block Inheritance

There is one setting that you should know more about and that is Block Inheritance.  This is what I call the anarchists setting.  If you allow delegation at the OU level, then it is possible to stop any policies coming down from the domain.  However, any policies that have been 'Enforced' cannot be blocked.
0
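One way to audit the Enforced / Block Inheritance interaction described in the post above, as an added example that is not part of the original thread. It assumes a management workstation with the RSAT GroupPolicy and ActiveDirectory PowerShell modules; the OU name is the one from the question, and the domain DN is resolved at run time.

```powershell
# Added example: read-only audit of GPO link enforcement and inheritance blocking.
# Assumes the RSAT GroupPolicy and ActiveDirectory modules are installed.
Import-Module GroupPolicy, ActiveDirectory

$domainDn = (Get-ADDomain).DistinguishedName
$testOu   = "OU=Windows 7 PC Test,$domainDn"   # OU name taken from the question

# 1. What actually reaches the test OU. "Target" shows the container each
#    link lives on, so an unexpected GPO can be traced back to its link.
$inh = Get-GPInheritance -Target $testOu
"Block Inheritance on {0}: {1}" -f $inh.Path, $inh.GpoInheritanceBlocked
$inh.InheritedGpoLinks |
    Sort-Object Order |
    Select-Object Order, DisplayName, Enforced, Enabled, Target |
    Format-Table -AutoSize

# 2. Walk the domain root and every OU, collecting links marked Enforced
#    and containers that block inheritance. Site-level links are not covered.
$containers = @($domainDn) + @(Get-ADOrganizationalUnit -Filter * |
    Select-Object -ExpandProperty DistinguishedName)

$enforced = @()
$blocked  = @()
foreach ($dn in $containers) {
    $c = Get-GPInheritance -Target $dn
    if ($c.GpoInheritanceBlocked) { $blocked += $dn }
    $enforced += $c.GpoLinks |
        Where-Object { $_.Enforced } |
        Select-Object DisplayName, Enabled, Order, @{ n = 'LinkedAt'; e = { $dn } }
}

"Enforced links (these ignore Block Inheritance on child containers):"
$enforced | Sort-Object LinkedAt, Order | Format-Table -AutoSize

"Containers with Block Inheritance set:"
$blocked
```

Comparing the first table with Block Inheritance on and off for the test OU shows which links survive the block; only links listed as Enforced should remain.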
 
itbamiami Author Commented:
@mods, how can I close this question?  Do I accept my own solution and award myself points?

Thanks
0
