Forum Search:
Forum.Brain-Cluster.com: Brain Cluster Technical Forum
Ultimate forum for Technical Discussions

Home » Microsoft » Windows Server » Active Directory » GPO question
GPO question [message #309850] Fri, 06 November 2009 10:27 Go to next message
Sawyer  is currently offline Sawyer
Messages: 315
Registered: July 2009
Senior Member
Hello

I am running in a FFL and DFL of windows 2003 native. I have a top level OU
that contains servers, I have attached a GPO to this OU that configures the
windows automatic update settings. I also have several child OU's created
under the parent, and these child OU's contain terminal servers. I have
created and attached several GPO's to a couple of the child OU's. So for
example to help map this out. The parent OU is called DEV, the child OU is
called DEV1, and DEV2, I have a GPO's attached to DEV that configures AU
settings for all servers in this OU. The DEV1 OU has 3 separate GPO's
attached to it. One that configures loopback processing, one that maps the S
drive to network share and the last GPO configures folder redirection. The
serves in DEV2 require the same settings, except the GPO that maps the S
drive needs to go to a different network share.

What I ended up having to do get this all to work, ( and it seems like a lot
of overkill to me) is create two separate OU's DEV1 and DEV2, put the serves
into the respective OU's, then create 3 GPO's for DEV1, then create 3 GPO's
for DEV2, on the DEV1 OU, I had to set the "block policy inheritance"
because the parent OU of DEV1 contained a GPO' that mapped the same drive
letter that the GPO attached to DEV1 and DEV2 maps. I had to do the same for
DEV2 OU, I had to set the "block policy inheritance" because the DEV1 OU
contained a GPO that mapped the same drive letter that a GPO attached to the
DEV2 OU maps. , I then had to go to the parent OU and set the "enforced"
check next to the GPO that configures the AU settings because this setting
needs to apply to all serves.

Here is my question.

If a parent OU has a GPO attached to and for example the GPO maps a drive,
and the child OU has a GPO and this GPO maps the same drive letter as the
GPO attached to the parent but to a different network share, then as I
understand how GPO inheritance works is if a GPO is attached to a parent OU,
and a GPO is attached to a child OU and both GPO's configure or set the same
settings, then to my understanding the GPO attached to the child OU would
apply? This didn't happen and this is why I had to set the "block policy
inheritance" on the child OU's

Thanks for any help
Re: GPO question [message #310113 is a reply to message #309850] Fri, 06 November 2009 16:14 Go to previous messageGo to next message
Marcin  is currently offline Marcin  United States
Messages: 273
Registered: July 2009
Senior Member
You should be able to accomplish the same result by adjusting the precedence
of GPOs linked to the target OU...

hth
Marcin

"sawyer" <occompguy@cox.net> wrote in message
news:273F986F-E1C4-44F8-BCD7-D1971E536843@microsoft.com...
> Hello
>
> I am running in a FFL and DFL of windows 2003 native. I have a top level
> OU that contains servers, I have attached a GPO to this OU that configures
> the windows automatic update settings. I also have several child OU's
> created under the parent, and these child OU's contain terminal servers. I
> have created and attached several GPO's to a couple of the child OU's. So
> for example to help map this out. The parent OU is called DEV, the child
> OU is called DEV1, and DEV2, I have a GPO's attached to DEV that
> configures AU settings for all servers in this OU. The DEV1 OU has 3
> separate GPO's attached to it. One that configures loopback processing,
> one that maps the S drive to network share and the last GPO configures
> folder redirection. The serves in DEV2 require the same settings, except
> the GPO that maps the S drive needs to go to a different network share.
>
> What I ended up having to do get this all to work, ( and it seems like a
> lot of overkill to me) is create two separate OU's DEV1 and DEV2, put the
> serves into the respective OU's, then create 3 GPO's for DEV1, then create
> 3 GPO's for DEV2, on the DEV1 OU, I had to set the "block policy
> inheritance" because the parent OU of DEV1 contained a GPO' that mapped
> the same drive letter that the GPO attached to DEV1 and DEV2 maps. I had
> to do the same for DEV2 OU, I had to set the "block policy inheritance"
> because the DEV1 OU contained a GPO that mapped the same drive letter that
> a GPO attached to the DEV2 OU maps. , I then had to go to the parent OU
> and set the "enforced" check next to the GPO that configures the AU
> settings because this setting needs to apply to all serves.
>
> Here is my question.
>
> If a parent OU has a GPO attached to and for example the GPO maps a drive,
> and the child OU has a GPO and this GPO maps the same drive letter as the
> GPO attached to the parent but to a different network share, then as I
> understand how GPO inheritance works is if a GPO is attached to a parent
> OU, and a GPO is attached to a child OU and both GPO's configure or set
> the same settings, then to my understanding the GPO attached to the child
> OU would apply? This didn't happen and this is why I had to set the
> "block policy inheritance" on the child OU's
>
> Thanks for any help
RE: GPO question [message #312034 is a reply to message #309850] Mon, 09 November 2009 06:08 Go to previous message
Frank Keunen  is currently offline Frank Keunen
Messages: 7
Registered: November 2009
Junior Member
You can view the inheritance level in the GPMC, select the child OU.

http://technet.microsoft.com/en-us/library/cc757050(WS.10).aspx

Did you try to enforce the GPO in the child OU?

BR - Frank

"sawyer" wrote:

> Hello
>
> I am running in a FFL and DFL of windows 2003 native. I have a top level OU
> that contains servers, I have attached a GPO to this OU that configures the
> windows automatic update settings. I also have several child OU's created
> under the parent, and these child OU's contain terminal servers. I have
> created and attached several GPO's to a couple of the child OU's. So for
> example to help map this out. The parent OU is called DEV, the child OU is
> called DEV1, and DEV2, I have a GPO's attached to DEV that configures AU
> settings for all servers in this OU. The DEV1 OU has 3 separate GPO's
> attached to it. One that configures loopback processing, one that maps the S
> drive to network share and the last GPO configures folder redirection. The
> serves in DEV2 require the same settings, except the GPO that maps the S
> drive needs to go to a different network share.
>
> What I ended up having to do get this all to work, ( and it seems like a lot
> of overkill to me) is create two separate OU's DEV1 and DEV2, put the serves
> into the respective OU's, then create 3 GPO's for DEV1, then create 3 GPO's
> for DEV2, on the DEV1 OU, I had to set the "block policy inheritance"
> because the parent OU of DEV1 contained a GPO' that mapped the same drive
> letter that the GPO attached to DEV1 and DEV2 maps. I had to do the same for
> DEV2 OU, I had to set the "block policy inheritance" because the DEV1 OU
> contained a GPO that mapped the same drive letter that a GPO attached to the
> DEV2 OU maps. , I then had to go to the parent OU and set the "enforced"
> check next to the GPO that configures the AU settings because this setting
> needs to apply to all serves.
>
> Here is my question.
>
> If a parent OU has a GPO attached to and for example the GPO maps a drive,
> and the child OU has a GPO and this GPO maps the same drive letter as the
> GPO attached to the parent but to a different network share, then as I
> understand how GPO inheritance works is if a GPO is attached to a parent OU,
> and a GPO is attached to a child OU and both GPO's configure or set the same
> settings, then to my understanding the GPO attached to the child OU would
> apply? This didn't happen and this is why I had to set the "block policy
> inheritance" on the child OU's
>
> Thanks for any help
>
Previous Topic:Any affect?
Next Topic:GP Logon Script works first time at second user logon
Goto Forum:
  


Current Time: Wed Jan 17 04:11:21 MST 2018

Total time taken to generate the page: 0.04571 seconds
.:: Contact :: Home ::Sitemap::.

Powered by: FUDforum 3.0.0RC2.
Copyright ©2001-2009 FUDforum Bulletin Board Software