[gptalk] Re: Default Gpo overides everything?
- From: "Alan & Margaret" <syspro@xxxxxxxxxxxxxxxx>
- To: <gptalk@xxxxxxxxxxxxx>
- Date: Fri, 8 Aug 2008 07:34:18 +1000
Hi Asaf,
What I suspect you have done is attach your main Policy at the domain level
and your administrator's policy at a lower OU. Because Group Policy
processing inherits Policies from the lower levels, the administrators will
get both sets of policies, i.e. those linked to their OU, plus those linked
at the domain level.
The exact behavior is quite complex, but normally any settings applied at
the child OU will override the settings at the domain level. Therefore if
you activate the policy at the domain level and then deactivate it at the
Administrator OU level, you will get the desired behavior.
You can also enable Blocking at the Administrator OU level which will stop
them getting Polices from the Domain level.
However if you activate No Override on the domain level policy, this will
turn it in to a "Super Policy" that no one can beat. It will ignore Blocking
and will be the last to be applied and so no one can override it.
You can also apply security filtering to say that some people do not get the
policy
What you should do is split your Corporate wide policy in to two parts. The
first part should be the part that everyone gets and is not to be changed
even for administrators. Connect that at the domain level and mark it as No
Override. The second half are "optional Policies" and would also apply at
the domain level. To cater for your administrators, you can use security
filtering (put the administrators in the deny apply list), you can use
Blocking so that the Administrators OU does not receive the policy, or you
can have another policy for the administrators that resets it to the desired
values.
Alan Cuthbertson
Policy Management Software (Now with ADMX and Preference support):-
http://www.sysprosoft.com/index.php?ref=activedir
<http://www.sysprosoft.com/index.php?ref=activedir&f=pol_summary.shtml>
&f=pol_summary.shtml
ADM Template Editor(Now with ADMX support):-
http://www.sysprosoft.com/index.php?ref=activedir
<http://www.sysprosoft.com/index.php?ref=activedir&f=adm_summary.shtml>
&f=adm_summary.shtml
Policy Log Reporter(Free)
http://www.sysprosoft.com/index.php?ref=activedir
<http://www.sysprosoft.com/index.php?ref=activedir&f=policyreporter.shtml>
&f=policyreporter.shtml
_____
From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On
Behalf Of Asaf Efrati
Sent: Friday, 8 August 2008 1:48 AM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Default Gpo overides everything?
Hello everyone,
I have another troubling issue with my Gpo, I have set the "default Group
policy" to deny certain options (or enable them)
which I think is fit for the whole company, my problem is that it seems my
administrator group who has another separate Gpo assigned
To them is effected by this default gpo, mainly it's the default
Administrator account and not let's say John (who is also part of the
administrator group), for now I just re-enabled the policy I denied.
For my general knowledge without direct relation to the my question
Can I set the gpo priority or order in which it is applied?
Thank you,
Asaf Efrati | IT & Security | eToro
A 32 Habarzel St. Tel Aviv 69710, Israel
M +972 545671587
F +9723 7686712
W www.eToro.com
etoro-logo
If you have received this email message in error, please notify the sender
immediately by telephone or return email and refrain from taking any action
relating to the content of the email.
Thereafter, please destroy the original message without making a copy. You
may not use the content of the email without first obtaining prior written
consent from the sender.
You may not forward this email to anyone other than the sender for
notification purposes.
Other related posts:
