?
Solved

Active directory GPO inheritance

Posted on 2016-10-12
8
Medium Priority
?
96 Views
Last Modified: 2016-10-17
Dear All,

I have a GPO on domain level for setting default home page ,which is applied to all OU's,i want to change the default home page for some OU's, even after i apply a new GPO on the child OU the default domian level GPO i getting applied,how do i stop this and apply only the GPO which is applied on child OU.

Regards
0
Comment
Question by:Sysguys
  • 3
  • 2
  • 2
  • +1
8 Comments
 
LVL 19

Assisted Solution

by:*** Hopeleonie ***
*** Hopeleonie *** earned 1000 total points
ID: 41840370
Did you change the Link Order in the OU? Otherwise the GPO on domain level will win.
0
 

Author Comment

by:Sysguys
ID: 41840374
link order means ? i didn't get you.
0
 
LVL 10

Expert Comment

by:Muhammad Mulla
ID: 41840377
You will need to check the precedence of the GPOs under the inheritance tab in GPMC if they are at the same level.

Normally GPOs apply in this order: site, domain, OU and child OU. As a result, your GPO applied at the child OU level should overwrite the settings. From what you are saying, however, it sounds like this isn't happening.

Have you tried to enforce the GPO at the child OU?

If you don't want any of the settings from the default domain GPO, you could block inheritance from GPMC.

This might give you a better idea: https://technet.microsoft.com/en-gb/library/hh147307(v=ws.10).aspx
0
Making Bulk Changes to Active Directory

Watch this video to see how easy it is to make mass changes to Active Directory from an external text file without using complicated scripts.

 

Author Comment

by:Sysguys
ID: 41840381
There are lot of other GPO's that are needed which are also applied on domian level ,if i block inheritance i will not get the other policies.
0
 
LVL 10

Expert Comment

by:Muhammad Mulla
ID: 41840385
There are two ways you can go about this.

1. Block inheritance and link all the GPOs that are required directly to the child OU. Take care of the precedence order.

2. Enforce the GPO containing your default homepage settings.

Try both methods on a test OU with a test user and see which one works better for you.
0
 
LVL 19

Assisted Solution

by:*** Hopeleonie ***
*** Hopeleonie *** earned 1000 total points
ID: 41840419
@Muhammad Mulla
Blocking and Enforcing is not best practice.

@Sysguys
have a look under Group Policy Inheritance:
https://technet.microsoft.com/en-us/library/hh147307(v=ws.10).aspx
0
 
LVL 43

Accepted Solution

by:
Adam Brown earned 1000 total points
ID: 41840509
Unless the GPO that is linked to the domain is configured as "Enforced", GPOs linked directly to OUs will take precedence by default. Setting a GPO to be "Enforced" causes it to take precedence on the OUs it is linked to and all child OUs. Using the Enforced setting is not a best practice because it complicates troubleshooting efforts. Right click the GPO that is linked to the Domain and make sure the Enforced option doesn't have a Checkmark next to it. If it does, click on it to remove the checkmark so it isn't enforced anymore. Once you do that, your GPOs linked to the child OUs you want should then take precedence. Enforced GPOs will *always* win when the settings in other GPOs are different. You can't keep this from happening by changing link order in GPMC, so make sure that Domain level GPO setting the home page isn't enforced.
1
 

Author Closing Comment

by:Sysguys
ID: 41846844
thanks for helping i blocked inheritance and applied all the required GPO's except the home page and create a new GPO for the home page
0

Featured Post

Visualize your virtual and backup environments

Create well-organized and polished visualizations of your virtual and backup environments when planning VMware vSphere, Microsoft Hyper-V or Veeam deployments. It helps you to gain better visibility and valuable business insights.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Here's a look at newsworthy articles and community happenings during the last month.
Transferring FSMO roles is done when an admin wants to split roles between certain Domain Controllers or the Domain Controller holding the Roles has been forcefully demoted using dcpromo / forceremoval
Attackers love to prey on accounts that have privileges. Reducing privileged accounts and protecting privileged accounts therefore is paramount. Users, groups, and service accounts need to be protected to help protect the entire Active Directory …
Sometimes it takes a new vantage point, apart from our everyday security practices, to truly see our Active Directory (AD) vulnerabilities. We get used to implementing the same techniques and checking the same areas for a breach. This pattern can re…
Suggested Courses

829 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question