Go Premium for a chance to win a PS4. Enter to Win

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 218
  • Last Modified:

Need Help Understanding GPO Inheritance

Well... in the Default Domain Policy I disable the Offline Files service on workstations. I then created an OU called Laptops, move the laptops out of Computers in to this Laptop OU then created a GPO and Linked it to this Laptop OU that set the Offline Files service to automatic start.

   I them did a GPResults on a Laptop in that OU and it said the Offline Files service was disabled because the winning GPO was the Default Domain Policy. I guess I need help. I though the GPO linked to this Laptop OU would have taken precedence but it didn't.

Can anyone straighten me out?
0
LockDown32
Asked:
LockDown32
  • 3
  • 3
1 Solution
 
Cliff GaliherCommented:
Did you gpupdate first? Gpresults only tells you the current state, which can change based on refresh cycles. Gpmodelling is more accurate in these instances.
0
 
LockDown32Author Commented:
I gpupdated the server first then gpupdated the workstation. I used the GPMC on the server (Gpmodelling) for the results.
0
 
Cliff GaliherCommented:
Your understanding is correct that OU takes precedence when all other things are equal. So you have something else going on. Enforced policies, disabled links, security or WMI filters can all change the default precedence behavior.
0
Free Tool: Subnet Calculator

The subnet calculator helps you design networks by taking an IP address and network mask and returning information such as network, broadcast address, and host range.

One of a set of tools we're offering as a way of saying thank you for being a part of the community.

 
LockDown32Author Commented:
OK. Maybe it is a GPUpdate problem and I should give it a couple reboots to take effect. The whole domain is pretty much at the defaults and not a whole lot is being done GPO wise. You say "Enforced Policies". Might that be where I am going wrong? As soon as I link the GPO I enforce it. I have always assumed that is what should be done. When would you want to link one yet not enforce it? Doesn't that defeat the purpose?
0
 
Cliff GaliherCommented:
Enforced does not mean what you think it means. In large networks where AD delegation is often employed, an "enforced" policy can be used to make sure a department admin cannot create a group policy that breaks company requirements, even though the admin has a policy in an OU, the "enforced" policy would win because of its enforced status. Setting a policy to enforced should ONLY be done in special circumstances as it breaks default precedence.
0
 
LockDown32Author Commented:
OK. All of the GPOs I linked are also enforced. I will go back and un-enforce them. Thanks for the heads-up.
0

Featured Post

How to Use the Help Bell

Need to boost the visibility of your question for solutions? Use the Experts Exchange Help Bell to confirm priority levels and contact subject-matter experts for question attention.  Check out this how-to article for more information.

  • 3
  • 3
Tackle projects and never again get stuck behind a technical roadblock.
Join Now