Announcement

Collapse
No announcement yet.

Manually force user to specific domain to appy gpo

Collapse
X
  • Filter
  • Time
  • Show
Clear All
new posts

  • Manually force user to specific domain to appy gpo

    I have a windows 2003 domain with two sites (primary and DR). The primary site has 2 DC (both are GC) and the DR site has 1 DC (GC). All of my users are in the primary site. My problem is when users login some of the users apply group policies from one of the primary sites DC and some users apply group policies from the DR domain Controller. Is there a command i can run which will give me the ability to specify which domian controller to process gpo's?

  • #2
    Re: Manually force user to specific domain to appy gpo

    clients will log in to the DC that is closest to them. It sounds like both your sites are on the same subnet, so the clients are logging in to any available DC. Are your DC's set up on different subnets in AD Sites and Services?

    Comment


    • #3
      Re: Manually force user to specific domain to appy gpo

      There is a very specific order in which GPOs are applied to users and/or machines. policies are processed first from the LOCAL MACHINE, then from the user/machine's SITE, then from the DOMAIN, then finally from the OU. At no time is the login DC a deciding factor for which GPOs to apply.

      It is not possible to configure two sites on the same subnet, as far as I'm aware.

      You should check whether user and machine policies are conflicting, and also whether later-applied policies are taking precedence over earlier ones.


      Tom
      For my own and your protection, I do not provide support by private message under any circumstances. All such messages will be deleted and ignored.

      Anything you say will be misquoted and used against you

      Comment


      • #4
        Re: Manually force user to specific domain to appy gpo

        Wow, I'm batting 0% today. Misread and misunderstood the question. Sorry. It would seem to me that an earlier setting is taking precedence. As you pointed out one DC in the domain cannot hand out different GPO settings than another DC in the same domain and since an object can only exist in one OU (or OU path), then it doesn't seem possible that an OU or Domain level setting could be causing this problem. It has to be a Local or Site level setting that is not being over-ridden at the Domain or OU level.
        Last edited by joeqwerty; 5th October 2007, 13:23.

        Comment

        Working...
        X