Nathan Kaufman asked:

Group Policy being applied to computers outside of OU where GPO Policy resides

Group Policy being applied to computers outside of OU where GPO Policy resides. My understanding is that a GPO Policy is applied to the OU and then any objects in that OU get the policy provided security filtering doesn't exclude objects.

All the policies have security filtering added to them and it appears that by just being added to the security filter it's applying it to that user/computer object if the object resides in the group even though the object is not in the OU.

My question is if a computer or user object is not in the OU, but the security filter is applied to the group an object is in, will the GPO get applied to that object?  

We are operating at domain functional level 2012.

Thanks,
James Rankin

When you say "being added to the security filter", what do you mean? OU linked GPOs only apply to the computers or users in that OU and sub-OUs, that is correct.

ASKER

[User generated image]

So the security filter has Domain Computers in it in a different OU than the computer objects. It's not being applied in gpresult /r, but what the object does is lock down changing my local clock, and I can't change the time on my local Windows clock. None of the policies applied to my group policy do this, however this is a group policy outside the OU my computer resides in that does lock down the clock and I'm not sure how the clock is locked down.
If it's not showing in gpresult /r then it isn't applied. I wasn't aware of a GPO to lock down the clock, what policy is that? Also be aware some policies can "tattoo" themselves into the Registry (although this should be noted in the description), meaning that if it applies once and is removed then it can continue to apply.
Ok, well that won't tattoo. When you say it is applying outside of the scope, does removing the object from the group allow the time to be changed?
I saw somewhere that default behavior for Windows 10 if joined to a domain does not allow the time to be changed. This could explain why I'm seeing this related to time and GPO has nothing to do with it. I tried finding an official source online but can't find anything. Do you know if this is true? That would explain the time settings being locked down.
The time should only be able to be changed by administrators, in the default configuration.
You could possibly change this via GPO by adding a user group to the policy setting for "change the system time". Also, this is a Computer setting (even though you would add a user or group to the actual GPO setting), so the security filter would only apply to computer objects named there, not user objects, IIRC
Arana (G.P.)

You are talking about a computer joined to a domain but you are showing LOCAL POLICIES, not domain.
"Local policies" appear in domain OU-linked GPOs exactly as in the screenshot.
I stand corrected James, I was thinking about local group policy editor.
I ran a test in my lab and if the Windows 10 computer is part of a domain you cannot change the time via GUI even if logged in with an Admin account. However, taking it out of the domain you can then change the time. There is a GPO that allows you to add groups for changing the time. The end result is we don't want people to adjust times on the computer systems. I was concerned it was a GPO that was not doing normal behavior, but it appears to be default behavior in Windows 10 being domain joined. 
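
An added example, not part of the original thread: one way to check the two things discussed above on a domain-joined computer, namely which computer-scope GPOs were applied or filtered out, and which accounts hold the "Change the system time" right (SeSystemtimePrivilege). It assumes an elevated PowerShell session; the temp file name is arbitrary.

```powershell
# Added example (not from the thread). Run elevated on the computer being investigated.

# 1. Computer-scope GPOs that were applied, and those filtered out (with the reason).
gpresult /r /scope computer

# 2. Does the current logon token hold the privilege at all?
whoami /priv | Select-String 'SeSystemtimePrivilege'

# 3. Export the effective User Rights Assignment from the local security database.
$cfg = Join-Path $env:TEMP 'user-rights.inf'   # arbitrary file name
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null

# 4. Locate the "Change the system time" entry and resolve each SID to a name.
$line = Select-String -Path $cfg -Pattern '^SeSystemtimePrivilege\s*=' |
        Select-Object -First 1
if (-not $line) {
    Write-Output 'SeSystemtimePrivilege is not assigned to any account in the export.'
} else {
    $entries = ($line.Line -split '=', 2)[1].Split(',') | ForEach-Object { $_.Trim() }
    foreach ($entry in $entries) {
        if ($entry.StartsWith('*')) {
            # secedit writes SIDs with a leading asterisk, e.g. *S-1-5-32-544
            $sid = New-Object System.Security.Principal.SecurityIdentifier($entry.TrimStart('*'))
            try   { $name = $sid.Translate([System.Security.Principal.NTAccount]).Value }
            catch { $name = '(unresolved SID)' }
            '{0,-45} {1}' -f $name, $sid.Value
        } else {
            $entry   # already written as an account name
        }
    }
}

Remove-Item $cfg -ErrorAction SilentlyContinue
```

If the list in step 4 differs from what is expected, `gpresult /h report.html` shows which GPO supplied the "Change the system time" setting.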