Solved

Active directory GPO inheritance

Posted on 2016-10-12
8
58 Views
Last Modified: 2016-10-17
Dear All,

I have a GPO on domain level for setting default home page ,which is applied to all OU's,i want to change the default home page for some OU's, even after i apply a new GPO on the child OU the default domian level GPO i getting applied,how do i stop this and apply only the GPO which is applied on child OU.

Regards
0
Comment
Question by:Sysguys
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 2
  • 2
  • +1
8 Comments
 
LVL 19

Assisted Solution

by:*** Hopeleonie ***
*** Hopeleonie *** earned 250 total points
ID: 41840370
Did you change the Link Order in the OU? Otherwise the GPO on domain level will win.
0
 

Author Comment

by:Sysguys
ID: 41840374
link order means ? i didn't get you.
0
 
LVL 10

Expert Comment

by:Muhammad Mulla
ID: 41840377
You will need to check the precedence of the GPOs under the inheritance tab in GPMC if they are at the same level.

Normally GPOs apply in this order: site, domain, OU and child OU. As a result, your GPO applied at the child OU level should overwrite the settings. From what you are saying, however, it sounds like this isn't happening.

Have you tried to enforce the GPO at the child OU?

If you don't want any of the settings from the default domain GPO, you could block inheritance from GPMC.

This might give you a better idea: https://technet.microsoft.com/en-gb/library/hh147307(v=ws.10).aspx
0
Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 

Author Comment

by:Sysguys
ID: 41840381
There are lot of other GPO's that are needed which are also applied on domian level ,if i block inheritance i will not get the other policies.
0
 
LVL 10

Expert Comment

by:Muhammad Mulla
ID: 41840385
There are two ways you can go about this.

1. Block inheritance and link all the GPOs that are required directly to the child OU. Take care of the precedence order.

2. Enforce the GPO containing your default homepage settings.

Try both methods on a test OU with a test user and see which one works better for you.
0
 
LVL 19

Assisted Solution

by:*** Hopeleonie ***
*** Hopeleonie *** earned 250 total points
ID: 41840419
@Muhammad Mulla
Blocking and Enforcing is not best practice.

@Sysguys
have a look under Group Policy Inheritance:
https://technet.microsoft.com/en-us/library/hh147307(v=ws.10).aspx
0
 
LVL 41

Accepted Solution

by:
Adam Brown earned 250 total points
ID: 41840509
Unless the GPO that is linked to the domain is configured as "Enforced", GPOs linked directly to OUs will take precedence by default. Setting a GPO to be "Enforced" causes it to take precedence on the OUs it is linked to and all child OUs. Using the Enforced setting is not a best practice because it complicates troubleshooting efforts. Right click the GPO that is linked to the Domain and make sure the Enforced option doesn't have a Checkmark next to it. If it does, click on it to remove the checkmark so it isn't enforced anymore. Once you do that, your GPOs linked to the child OUs you want should then take precedence. Enforced GPOs will *always* win when the settings in other GPOs are different. You can't keep this from happening by changing link order in GPMC, so make sure that Domain level GPO setting the home page isn't enforced.
1
 

Author Closing Comment

by:Sysguys
ID: 41846844
thanks for helping i blocked inheritance and applied all the required GPO's except the home page and create a new GPO for the home page
0

Featured Post

Free Tool: Site Down Detector

Helpful to verify reports of your own downtime, or to double check a downed website you are trying to access.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article demonstrates probably the easiest way to configure domain-wide tier isolation within Active Directory. If you do not know tier isolation read https://technet.microsoft.com/en-us/windows-server-docs/security/securing-privileged-access/s…
After seeing many questions for JRNL_WRAP_ERROR for replication failure, I thought it would be useful to write this article.
This tutorial will walk an individual through setting the global and backup job media overwrite and protection periods in Backup Exec 2012. Log onto the Backup Exec Central Administration Server. Examine the services. If all or most of them are stop…
There are cases when e.g. an IT administrator wants to have full access and view into selected mailboxes on Exchange server, directly from his own email account in Outlook or Outlook Web Access. This proves useful when for example administrator want…

695 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question