OU Server Issue


  • OU Server Issue

    Hi All!

    I have an OU called "Servers", and in it I added the server machines and a group called "Servers".
    I have a GPO named "Servers" and this OU has filtering of only machines and the group called "Servers".

    I have ticked "block inheritance" but it still applies the default GPO on these server machines, why?

    Each machine is member of
    Servers
    Domain Computers
    Server Operators

    Do I need to remove Domain Computers from each server for it not to inherit default GPO?

  • #2
    Re: OU Server Issue

    Hi,
    Is the default domain policy link enforced by any chance?
    Caesar's cipher - 3

    ZKHQ BRX HYHQWXDOOB GHFLSKHU WKLV BRX ZLOO UHDOLVH LW ZDV D ZDVWH RI WLPH!

    SFX JNRS FC U6 MNGR



    • #3
      Re: OU Server Issue

      Default + Server GPO both have Link Enforced off
      Server GPO has Block Inheritance On



      • #4
        Re: OU Server Issue

        I don't think you can block the default domain policy, as it contains the default password/account settings etc. (somebody feel free to correct me if I am wrong).
        Why did you want to block it?



        • #5
          Re: OU Server Issue

          No, you can block the Default Domain policy as well as any Site level policies.

          Run gpresults against one of the servers and verify what GPO's are being applied and why.



          • #6
            Re: OU Server Issue

            Originally posted by joeqwerty:
            No, you can block the Default Domain policy as well as any Site level policies.

            Run gpresults against one of the servers and verify what GPO's are being applied and why.

            Ah, I was previously reading an article about 2008 AD providing a new feature of being able to have multiple domain password policies, so I assumed that in 2003 this wasn't possible by way of not being able to block the default. But anyway, enough thread hijacking; I will save that question for another day.



            • #7
              Re: OU Server Issue

              You might be right about the password policy in W2K3, but it is possible to block the Default Domain policy, so I'm not sure how that affects the password policy for computers that have the Default Domain policy blocked. I've never looked into it, as I manage a TS farm for external users and we have all the user accounts set with the "Password Never Expires" flag.



              • #8
                Re: OU Server Issue

                Not to keep hijacking this thread (but it may be informative for some others) but I just ran gpresults against one of my TS servers and the only password policy being applied is from the GPO linked to the Server OU (with inheritance blocked).



                • #9
                  Re: OU Server Issue

                  Originally posted by joeqwerty:
                  Not to keep hijacking this thread (but it may be informative for some others) but I just ran gpresults against one of my TS servers and the only password policy being applied is from the GPO linked to the Server OU (with inheritance blocked).
                  I might as well join in the hijack.
                  Is that on 2008 AD or 2003 AD?
                  Here is the article I was talking about:

                  http://www.windowsecurity.com/articl...Passwords.html



                  • #10
                    Re: OU Server Issue

                    It's on W2K3. The article is correct, I just checked and the settings in my Server OU GPO have no effect.



                    • #11
                      Re: OU Server Issue

                      It is applying the default GPO, as in the default GPO under user settings I have set Flash Player and Adobe Reader to install ("assign"). It installs this for the servers.

                      Could it be because I log in with the user where it applies?

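Added example, not written by any poster in this thread: one way to run the check suggested in post #5 so that it also answers the question in post #11, by listing what reaches the computer and what reaches the user separately. It assumes the GroupPolicy module from RSAT (newer than the Windows Server 2003 tooling discussed here); the distinguished names, server name and account name are placeholders.

```powershell
# Added example. Every name below is a placeholder, not a value from the thread.
Import-Module GroupPolicy

$serverOuDn = 'OU=Servers,DC=example,DC=local'   # OU holding the server computer accounts
$userOuDn   = 'OU=Staff,DC=example,DC=local'     # OU holding the account that logs on
$server     = 'SRV01'                            # one of the servers in the Servers OU
$user       = 'EXAMPLE\jdoe'                     # account that logs on to that server

# Step 1: what is linked to, or inherited by, each OU.
# With Block Inheritance set on the server OU, the Default Domain Policy should be
# absent from its list unless the domain-level link is Enforced. The user's OU is
# evaluated on its own: blocking inheritance on the server OU does not change it.
foreach ($dn in $serverOuDn, $userOuDn) {
    $inh = Get-GPInheritance -Target $dn
    "{0}  (block inheritance: {1})" -f $dn, $inh.GpoInheritanceBlocked
    $inh.InheritedGpoLinks |
        Sort-Object Order |
        Format-Table Order, DisplayName, Enabled, Enforced, Target -AutoSize
}

# Step 2: what was actually applied on the server, one scope at a time.
# Computer Configuration follows the computer account's OU (Servers).
# User Configuration, for example software assigned under user settings, follows
# the OU of the account that logs on, unless loopback processing is configured.
foreach ($scope in 'computer', 'user') {
    "=== $scope scope on $server ==="
    gpresult /s $server /user $user /scope $scope /r
}
```

If the Default Domain Policy appears only in the user-scope output, the block on the server OU is working and the settings are arriving through the user's own OU.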


                      • #12
                        Re: OU Server Issue

                        IMO it's not best practice to run software installs from your default domain policy; I like to keep software installs in separate GPOs. In most environments it's far safer to make minimal changes to the default domain policy and create new GPOs as required. If I was in your situation I would remove the software installs from the default policy and create a new GPO. This will then give you the flexibility of linking/filtering the GPO to an OU/site/group membership without having to worry about blocking inheritance or enforcing the link. Generally speaking, the better the AD design, the less you need to worry about enforcing and blocking inheritance. Easy when you get to create yours from scratch, not so easy when you inherit one.
                        Just my 2 cents' worth, hope it helps.



                        • #13
                          Re: OU Server Issue

                          Thought that might be the case, will restructure the AD tomorrow to make effects
