hell_angel

GPO for Sub-OU

Customer AD has multiple OUs created. Some of them are created as sub-OUs. The OU structure can go down to 4 layers of sub-OU.
There are also multiple GPOs created as well. Some are applied at the root OU and some are linked to sub-OUs.

I discovered that a User Configuration GPO linked to a 4th-layer sub-OU isn't able to pick up the configuration. I tried restarting the Netlogon service and then ran gpupdate /force, which also doesn't help.

If I move the 4th-layer sub-OU to the second layer, it will apply.
Just curious, am I missing anything?
hell_angel (ASKER)

Hi Abhi,

Where can I check the security filtering?

I ran rsop.msc, the GPO doesn't appear there. Even though I disabled the existing GPO, it is still shown when I ran rsop.msc.

I will try gpresult /R tomorrow.

Hi,

Open GPMC --> Group Policy Objects --> Select the required GPO --> On the right-hand side, select "Scope" --> Under Security Filtering, add the required group there.

I believe you must have already added the group there (after removing the "Authenticated Users"). If so, it will cause a problem. You need "Authenticated Users" READ permission on every GPO.

To add that, open GPMC --> Group Policy Objects --> Select the required GPO --> On the right-hand side, select "Delegation" --> Add "Authenticated Users" and provide "Read" permission.

Thanks,
Abhi
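
An added example, not part of the reply above or of the original thread: a PowerShell audit of the "Authenticated Users" Read permission that the reply describes, run across every GPO in the domain. It assumes the GroupPolicy module (installed with GPMC) is available; the GPO name in the commented remediation line is a placeholder.

```powershell
# Added example. Requires the GroupPolicy module (ships with GPMC / RSAT).
Import-Module GroupPolicy

# Well-known SID for "Authenticated Users"; matching on the SID avoids
# problems with localized group names.
$authUsersSid = 'S-1-5-11'

$report = foreach ($gpo in Get-GPO -All) {
    # Every trustee/permission pair on this GPO (the Delegation tab in GPMC).
    $perms = Get-GPPermission -Guid $gpo.Id -All

    $au = $perms | Where-Object { $_.Trustee.Sid.Value -eq $authUsersSid }

    # Trustees with "Read + Apply group policy" are what GPMC lists
    # under Security Filtering on the Scope tab.
    $applyTo = $perms |
        Where-Object { $_.Permission -eq 'GpoApply' } |
        ForEach-Object { $_.Trustee.Name }

    [pscustomobject]@{
        GPO               = $gpo.DisplayName
        AuthUsersPerm     = if ($au) { $au.Permission -join ',' } else { 'missing' }
        SecurityFiltering = $applyTo -join '; '
    }
}

# GPOs where "Authenticated Users" has no entry at all: the condition
# the reply says will cause a problem.
$report | Where-Object { $_.AuthUsersPerm -eq 'missing' } | Format-Table -AutoSize

# Full picture, for comparison with the Scope and Delegation tabs.
$report | Sort-Object GPO | Format-Table -AutoSize

# Remediation for a single GPO, equivalent to the Delegation steps above.
# '<GPO name>' is a placeholder; uncomment after reviewing the report.
# Set-GPPermission -Name '<GPO name>' -TargetName 'Authenticated Users' `
#     -TargetType Group -PermissionLevel GpoRead
```

`GpoRead` grants Read only, so adding it does not widen the set of users or computers the GPO applies to; that is still controlled by the trustees holding `GpoApply`.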
Hello There

Make sure that the GPO is linked to the correct OU and that the OU contains all objects, that the GPO is not enforced, that no Block Inheritance is set, and that no security filtering or WMI filtering is applied. Check this out and come back with feedback.

I tested; the GPO will only be reflected if I place the user and computer into the same OU.

The GPO that I wanted is a User Configuration-based policy.

Is that normal?