[gptalk] Re: Assistance

  • From: "Darren Mar-Elia" <darren@xxxxxxxxxx>
  • To: <gptalk@xxxxxxxxxxxxx>
  • Date: Wed, 20 Dec 2006 10:02:44 -0800

Chris-
Welcome to the list. Because Restricted Groups policy, especially the kind 
where you are replacing the total membership of a group, does not merge, nor 
get undone if you block policy, the second solution presented below if your 
best choice here. That is, in the GPO linked to the OU where those computers 
exist, you would need to create a new Restricted Groups policy for that Remote 
Desktop Users group that includes all the groups defined in the domain GPO, as 
well as the new one you wish to add.

Darren


************************
Darren Mar-Elia
For comprehensive Windows Group Policy Information, check out www.gpoguy.com-- 
the best source for GPO FAQs, video training, tools and whitepapers. Also check 
out the Windows Group Policy Guide, the definitive resource for Group Policy 
information. 

Download the new GPHealth Reporter trial version at 
http://www.sdmsoftware.com/products.php



-----Original Message-----
From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On 
Behalf Of christopher.cozzalio@xxxxxxxxxxx
Sent: Wednesday, December 20, 2006 9:58 AM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Assistance

Sirs/Ma'ams,

I'm new to the GPO arena and I've been tasked with the following question.  I 
have attached the question and an earlier suggested "fix". I was told the 
prescribed "fix" was incorrect. I'd be most appreciative for any advice or 
suggestions available.  

The question:

In a lower OU from the root.  The intent is to apply a policy that puts a 
security group in ?Remote Desktop Users? on all of the computers in that OU.  
The only hurdle is there is a policy defined at the root level that puts J6 
Administrators in that group across the domain.
 
The problem is to apply the policy just to the lower level OU without changing 
the top level policy.

The answer I was told was incorrect:

Block inheritance at that OU and apply your new GPO at that OU. 
This will block all GPO's from above unless they are "enforced" and only 
apply your new GPO.

OR

Create the new GPO at the OU and set the restricted group policy the way you 
want it.  Since it is at the OU it should override the policy setting from the 
domain.

The OU was enforced. 

Cheers for anything you can provide.

Respectfully,

SGT Chris Cozzalio
***********************
You can unsubscribe from gptalk by sending email to 
gptalk-request@xxxxxxxxxxxxx with 'unsubscribe' in the Subject field OR by 
logging into the freelists.org Web interface. Archives for the list are 
available at http://www.freelists.org/archives/gptalk/
************************

***********************
You can unsubscribe from gptalk by sending email to 
gptalk-request@xxxxxxxxxxxxx with 'unsubscribe' in the Subject field OR by 
logging into the freelists.org Web interface. Archives for the list are 
available at http://www.freelists.org/archives/gptalk/
************************

Other related posts: