Forum.Brain-Cluster.com: Brain Cluster Technical Forum
Ultimate forum for Technical Discussions

What is a conflict with regards to OU rules? [message #159671] Mon, 03 August 2009 14:19
Bo
Messages: 10
Registered: August 2009
Junior Member
As I understand it, the local security policy is read first, then the domain
policy and then the O.U GPO if there is one. If that is correct my question
is, if on the local policy I have a setting enabled and configured, but on
the domain or OU GPO it is set not configured or disabled, is this considered
to be a conflict? Will the local policy configuration be canceled out and
ultimately be applied as not configured or disabled?

I have the AD OU GPO set to link enabled, enforced, and user config
disabled. This is a machine account only.

Thanks in advance.
Re: What is a conflict with regards to OU rules? [message #159672 is a reply to message #159671] Mon, 03 August 2009 14:25
meiweb(nospam), Germany
Messages: 1307
Registered: July 2009
Senior Member
Hello Bo,

If you have set a local setting to enabled, for example, and create/link the
same setting in a GPO on OU level with disabled, the OU setting will win.

Also see:
http://technet.microsoft.com/en-us/library/cc778890(WS.10).aspx

http://articles.techrepublic.com.com/5100-10878_11-1055139.html

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm


> As I understand it, the local security policy is read first, then the
> domain policy and then the O.U GPO if there is one. If that is
> correct my question is, if on the local policy I have a setting
> enabled and configured, but on the domain or OU GPO it is set not
> configured or disabled, is this considered to be a conflict? Will the
> local policy configuration be canceled out and ultimately be applied
> as not configured or disabled?
>
> I have the AD OU GPO set to link enabled, enforced, and user config
> disabled. This is a machine account only.
>
> Thanks in advance.
>
Re: What is a conflict with regards to OU rules? [message #159673 is a reply to message #159671] Mon, 03 August 2009 16:03
Marcin, United States
Messages: 273
Registered: July 2009
Senior Member
Bo,
Your understanding is correct.
As far as your question is concerned, it really depends on what you consider to
be "a conflict". Settings applied via GPOs linked to OUs where a computer
account resides will take precedence over those configured via local Group
Policy. If the latter includes settings which are not configured in a
domain-based GPO, then the local ones will persist...

hth
Marcin

"Bo" <Bo@discussions.microsoft.com> wrote in message
news:94D6D0F6-3DDD-4E16-8C82-D049BC299F0C@microsoft.com...
> As I understand it, the local security policy is read first, then the
> domain policy and then the O.U GPO if there is one. If that is
> correct my question is, if on the local policy I have a setting
> enabled and configured, but on the domain or OU GPO it is set not
> configured or disabled, is this considered to be a conflict? Will the
> local policy configuration be canceled out and ultimately be applied
> as not configured or disabled?
>
> I have the AD OU GPO set to link enabled, enforced, and user config
> disabled. This is a machine account only.
>
> Thanks in advance.
>
Re: What is a conflict with regards to OU rules? [message #159681 is a reply to message #159671] Mon, 03 August 2009 23:21
florian, Switzerland
Messages: 484
Registered: July 2009
Senior Member
Bo,

Bo wrote:
> As I understand it, the local security policy is read first, then the domain
> policy and then the O.U GPO if there is one. If that is correct my question
> is, if on the local policy I have a setting enabled and configured, but on
> the domain or OU GPO it is set not configured or disabled, is this considered
> to be a conflict? Will the local policy configuration be canceled out and
> ultimately be applied as not configured or disabled?

Marcin is right. It really depends what you mean by writing "conflict".

The GP subsystem applies Group Policy in the following order:

Local Group Policy (machine local) - Site GPs - Domain Policies (linked
to the domain root) - OU policies - subOU policies - subsubOU policies - ...

Configuring settings in both the local Group Policy and some GP linked
to an OU has the effect that IF the specific settings are configured
differently ("Enabled" vs. "Disabled" or screensaver timeout "10
minutes" vs "20 minutes"), the OU GP will always win. It's a "last
writer wins" approach here.

Cheers,
Florian
--
Microsoft MVP - Group Policy
eMail: prename [at] frickelsoft [dot] net.
blog: http://www.frickelsoft.net/blog.
Maillist (german): http://frickelsoft.net/cms/index.php?page=mailingliste
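
The precedence rules stated in the replies above (processing order Local, Site, Domain, OU; a later GPO wins only where it actually configures the setting), as an added example that is not part of any poster's message. The setting names and sample values are constructed, and the model deliberately ignores link options such as Enforced, which the replies do not explain.

```python
# Added illustration (not from the thread): model of Group Policy precedence.
NOT_CONFIGURED = None  # the GPO does not define this setting

def resolve(layers):
    """Apply layers in processing order; return per-setting winner and losers.

    layers: list of (source, {setting: value}) ordered Local, Site, Domain,
    OU, sub-OU. A later layer overwrites an earlier one only when it actually
    configures the setting ("last writer wins").
    """
    effective = {}
    for source, settings in layers:
        for name, value in settings.items():
            if value is NOT_CONFIGURED:
                continue  # "Not configured" never cancels an earlier value
            entry = effective.setdefault(
                name, {"value": None, "source": None, "overridden": []})
            if entry["source"] is not None and entry["value"] != value:
                # An earlier layer set a different value: record what it lost.
                entry["overridden"].append((entry["source"], entry["value"]))
            entry["value"], entry["source"] = value, source
    return effective

def conflicts(effective):
    """Settings where a later layer replaced a different earlier value."""
    return sorted(n for n, e in effective.items() if e["overridden"])

# Constructed sample: setting names are hypothetical labels, values follow
# the Enabled/Disabled and 10/20 minute cases mentioned in the thread.
SAMPLE_LAYERS = [
    ("Local", {"ScreenSaver": "Enabled", "ScreenSaverTimeout": "10 minutes",
               "LogonBanner": "Enabled"}),
    ("Site", {}),
    ("Domain", {"LogonBanner": NOT_CONFIGURED}),
    ("OU", {"ScreenSaver": "Disabled", "ScreenSaverTimeout": "20 minutes"}),
]

if __name__ == "__main__":
    result = resolve(SAMPLE_LAYERS)
    for name in sorted(result):
        e = result[name]
        print(f"{name}: {e['value']} (from {e['source']}), "
              f"overridden: {e['overridden']}")
    print("Conflicts:", conflicts(result))
```

On a real machine the equivalent answer, including which GPO supplied each value, comes from the Resultant Set of Policy report rather than from a model like this.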
Re: What is a conflict with regards to OU rules? [message #159690 is a reply to message #159671] Tue, 04 August 2009 06:13
pbbergs, United States
Messages: 1024
Registered: July 2009
Senior Member
If a setting in the local is set and the same setting at the site, domain or
OU is not configured then the local will win. Otherwise anything set in the
three latter will win.

--
Paul Bergson
MVP - Directory Services
MCTS, MCT, MCSE, MCSA, Security+, BS CSci
2008, 2003, 2000 (Early Achiever), NT4
Microsoft's Thrive IT Pro of the Month - June 2009

http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup.
This posting is provided "AS IS" with no warranties, and confers no rights.

"Bo" <Bo@discussions.microsoft.com> wrote in message
news:94D6D0F6-3DDD-4E16-8C82-D049BC299F0C@microsoft.com...
> As I understand it, the local security policy is read first, then the
> domain policy and then the O.U GPO if there is one. If that is
> correct my question is, if on the local policy I have a setting
> enabled and configured, but on the domain or OU GPO it is set not
> configured or disabled, is this considered to be a conflict? Will the
> local policy configuration be canceled out and ultimately be applied
> as not configured or disabled?
>
> I have the AD OU GPO set to link enabled, enforced, and user config
> disabled. This is a machine account only.
>
> Thanks in advance.
>