Solved

Need Help Understanding GPO Inheritance

Posted on 2014-02-03
6
211 Views
Last Modified: 2014-02-11
Well... in the Default Domain Policy I disable the Offline Files service on workstations. I then created an OU called Laptops, move the laptops out of Computers in to this Laptop OU then created a GPO and Linked it to this Laptop OU that set the Offline Files service to automatic start.

   I them did a GPResults on a Laptop in that OU and it said the Offline Files service was disabled because the winning GPO was the Default Domain Policy. I guess I need help. I though the GPO linked to this Laptop OU would have taken precedence but it didn't.

Can anyone straighten me out?
0
Comment
Question by:LockDown32
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 3
6 Comments
 
LVL 58

Expert Comment

by:Cliff Galiher
ID: 39830906
Did you gpupdate first? Gpresults only tells you the current state, which can change based on refresh cycles. Gpmodelling is more accurate in these instances.
0
 
LVL 15

Author Comment

by:LockDown32
ID: 39830953
I gpupdated the server first then gpupdated the workstation. I used the GPMC on the server (Gpmodelling) for the results.
0
 
LVL 58

Expert Comment

by:Cliff Galiher
ID: 39830969
Your understanding is correct that OU takes precedence when all other things are equal. So you have something else going on. Enforced policies, disabled links, security or WMI filters can all change the default precedence behavior.
0
Comprehensive Backup Solutions for Microsoft

Acronis protects the complete Microsoft technology stack: Windows Server, Windows PC, laptop and Surface data; Microsoft business applications; Microsoft Hyper-V; Azure VMs; Microsoft Windows Server 2016; Microsoft Exchange 2016 and SQL Server 2016.

 
LVL 15

Author Comment

by:LockDown32
ID: 39831061
OK. Maybe it is a GPUpdate problem and I should give it a couple reboots to take effect. The whole domain is pretty much at the defaults and not a whole lot is being done GPO wise. You say "Enforced Policies". Might that be where I am going wrong? As soon as I link the GPO I enforce it. I have always assumed that is what should be done. When would you want to link one yet not enforce it? Doesn't that defeat the purpose?
0
 
LVL 58

Accepted Solution

by:
Cliff Galiher earned 500 total points
ID: 39831097
Enforced does not mean what you think it means. In large networks where AD delegation is often employed, an "enforced" policy can be used to make sure a department admin cannot create a group policy that breaks company requirements, even though the admin has a policy in an OU, the "enforced" policy would win because of its enforced status. Setting a policy to enforced should ONLY be done in special circumstances as it breaks default precedence.
0
 
LVL 15

Author Comment

by:LockDown32
ID: 39831120
OK. All of the GPOs I linked are also enforced. I will go back and un-enforce them. Thanks for the heads-up.
0

Featured Post

Use Case: Protecting a Hybrid Cloud Infrastructure

Microsoft Azure is rapidly becoming the norm in dynamic IT environments. This document describes the challenges that organizations face when protecting data in a hybrid cloud IT environment and presents a use case to demonstrate how Acronis Backup protects all data.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Every system administrator encounters once in while in a problem where the solution seems to be a needle in haystack.  My needle was an anti-virus version causing problems with my Exchange server. I have an HP DL350 with Windows Server 2008 Stand…
Background Information Recently I have fixed file server permission issues for one of my client. The client has 1800 users and one Windows Server 2008 R2 domain joined file server with 12 TB of data, 250+ shared folders and the folder structure i…
In this video, viewers are given an introduction to using the Windows 10 Snipping Tool, how to quickly locate it when it's needed and also how make it always available with a single click of a mouse button, by pinning it to the Desktop Task Bar. Int…
Monitoring a network: how to monitor network services and why? Michael Kulchisky, MCSE, MCSA, MCP, VTSP, VSP, CCSP outlines the philosophy behind service monitoring and why a handshake validation is critical in network monitoring. Software utilized …

630 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question