Announcement

Collapse
No announcement yet.

Enforced Site or OU GPO

Collapse
X
  • Filter
  • Time
  • Show
Clear All
new posts

  • Enforced Site or OU GPO

    I've inherited a rather messy AD environment and I've been gradually trying to sort out some items. One of the problems I encountered recently was that my Internet Explorer proxy settings were not being applied via a site OU, and with a number of remote sites coming on board, I needed a solution.

    The solution I deployed eventually was to create a new site-based OU that applied proxy settings only and set it to enforced (a load of OU's had had inheritance blocked at some point), which seemed to do the trick.

    My issue now is that I'm trying to create a locked-down GPO to apply to a particular terminal server and want to apply an exception to the proxy server. I have created a new GPO and assigned it to the OU my terminal server is located in. I have specified that it is enforced too, but the site-based GPO still seems to be taking precedence. For the record, I'm using loopback processing with the 'replace' option specified so the user settings are only changed on this one server.

    My question is... If you enforce a site-based GPO and then subsequently create an OU with loopback processing enabled (and inforce that GPO), which GPO should win?

    Thanks in advance for any help!
    Chris

  • #2
    Re: Enforced Site or OU GPO

    Normally GPOs are processed in this order: local, site, domain, OU. Enforcing makes the parent object take precendence and prevents child objects from overwriting that policy. It also ignores block inheritance. Since site policies are processed first, enforcing it will win over an OU policy.

    Comment


    • #3
      Re: Enforced Site or OU GPO

      Thanks for that!

      Chris

      Comment

      Working...
      X