Announcement

Collapse
No announcement yet.

Different Sites and GPO

Collapse
X
  • Filter
  • Time
  • Show
Clear All
new posts

  • Different Sites and GPO

    Hi All,
    We have different sites in our organization and naturally we have DCs in each of these sites.

    The machines when we check are residing in the proper Site but the GPO that are applied to those machines are from a different site all together.

    Could anyone explain why or how could we fix it?

  • #2
    Re: Different Sites and GPO

    Are the GPO's linked to the site or the domain? The order of policy processing is such:

    LSDOU - Local, Site, Domain, OU

    You can have inheritance, blocked inheritance, no over-ride, enforced set at each level (except Local).

    So what is being applied from where?

    Comment


    • #3
      Re: Different Sites and GPO

      They are applied at the Domain level.
      We do not use sites to enforce GPOs.

      Comment


      • #4
        Re: Different Sites and GPO

        Well there you go then. You have no Site level GPO's so there is no GPO from another site being applied. The domain GPO is being applied to all computers and users in all sites, which is completely normal behavior. If you need something to be set at the Site level then creat GPO's for each site and set them to be enforced (no over-ride).

        Comment


        • #5
          Re: Different Sites and GPO

          If they are applied at the domain level then they consequently will be applied to the OU unless blocked.
          It is best you link the GPO at the OU you want the policy applied if you don't want it in all the domain.
          Caesar's cipher - 3

          ZKHQ BRX HYHQWXDOOB GHFLSKHU WKLV BRX ZLOO UHDOLVH LW ZDV D ZDVWH RI WLPH!

          SFX JNRS FC U6 MNGR

          Comment


          • #6
            Re: Different Sites and GPO

            I guess I am not explaining myself well.

            Let say that I have sites

            New York
            Chicago
            Los Angeles
            and
            Boston

            In GPMC I go to an OU and I make a GPO.

            I am in New York why do I see [after replication is all done] my GPO being applied from Boston let's say?

            Comment


            • #7
              Re: Different Sites and GPO

              If you set the Site level GPO to enforced (no over-ride) then it's settings will not be over-ridden at the Domain or OU level.

              Comment


              • #8
                Re: Different Sites and GPO

                Are you talking about computer settings or user settings? GPO's are applied to objects in their "path". If your user or computer account is in the Boston OU then those settings will be applied even if you are "physically" in New York. Can you give us more details on your setup?

                Comment


                • #9
                  Re: Different Sites and GPO

                  Originally posted by swiss View Post
                  I am in New York why do I see [after replication is all done] my GPO being applied from Boston let's say?
                  I am kinda of curious how do you see that?
                  Caesar's cipher - 3

                  ZKHQ BRX HYHQWXDOOB GHFLSKHU WKLV BRX ZLOO UHDOLVH LW ZDV D ZDVWH RI WLPH!

                  SFX JNRS FC U6 MNGR

                  Comment


                  • #10
                    Re: Different Sites and GPO

                    Hi L4ndy when you do a GPresult that is where I see it.

                    Cheers ilo

                    Comment


                    • #11
                      Re: Different Sites and GPO

                      Again, where is your computer and user account?

                      Comment


                      • #12
                        Re: Different Sites and GPO

                        The computer account is in the same OU where the GPO is applied.

                        I do care only about computer settings in the GPO, I do not have any users settings.

                        Also what I meant by Domain level is that I do not apply any GPO into sites and services.
                        I should have probably answered at the OU level.

                        Thank you again for your answers.

                        Comment


                        • #13
                          Re: Different Sites and GPO

                          That didn't really answer my question. Is your computer account in the Boston or New York OU? Is your user account in the Boston or New York OU?

                          Comment


                          • #14
                            Re: Different Sites and GPO

                            What I mean is that Boston DC applies the GPO.
                            Not that is in the Boston OU

                            Comment


                            • #15
                              Re: Different Sites and GPO

                              Originally posted by swiss View Post
                              Hi L4ndy when you do a GPresult that is where I see it.

                              Cheers ilo
                              Ok, By default the PDC Emulator roleholder is the DC responsible for processing GP changes and then they are replicated to the other DC.
                              Firstly, i'd check if the Sites are configured properly and replication works fine and then DNS is configured properly. This will help when the DC locator process kicks in.

                              Ta
                              Caesar's cipher - 3

                              ZKHQ BRX HYHQWXDOOB GHFLSKHU WKLV BRX ZLOO UHDOLVH LW ZDV D ZDVWH RI WLPH!

                              SFX JNRS FC U6 MNGR

                              Comment

                              Working...
                              X