|
Home > Archive > 70-217 > December 2002 > Problems with GPOs
You are viewing an archived Text-only version of the thread.
To view this thread in it's original format and/or if you want to reply to
this thread please [click here]
| Author |
Problems with GPOs
|
|
| Turbodog 2002-12-15, 7:26 am |
| Help! I’m having problems with GPOs. I’ve setup two GPOs applied at the domain level. On both of them, I’ve enabled hide all icons, which is under user configuration, administrative templates, desktop.
Now it’s my understanding that GPOs are applied from bottom to top, with the GPOs at the bottom of the list being applied and processed before the GPOs above. However, the precedence of GPOs in a list is just the opposite, the GPOs higher up the list take priority over the GPOs lower.
Now the first thing I did was enable the higher policy and disable the lower policy. Remember, I only have two policies in my list, both configured to hide all icons. I logged off and logged back on, and the desktop icons were hidden. Great, that’s what was supposed to happen, since the lower policy was disabled and the higher policy up was enabled. The higher policy was processed and applied.
Next, I left the GPO lower on the list disabled, like it was before, but also configured it to No Override. The GPO higher on the list remained enabled as it was previously configured. I logged off and logged backed on. The desktop icons were hidden. Not good! My book said the desktop icons should be visible, since the No Override should have prevented inheritance and blocked the GPO configured higher from being processed and applied.
Next, I reconfigured the GPO lower on the list with the hide all icons not configured. The GPO higher on the list remained enabled as it was previously configured. I logged off and logged back on. The desktop icons were hidden. Fine, if I understand the process correctly, that’s what was supposed to happen, since the lower GPO was processed first, but the higher GPO took precedence when it was processed and since it was higher up the list, it had priority.
Next, I reconfigured the GPO lower on the list with the No Override and left it at the hide all icons not configured. The GPO higher on the list remained enabled as it was previously configured. I logged on and logged off. The desktop icons were still hidden! Not what I expected, since the GPO lower on the list was processed first with the No Override enabled, which should have prevented inheritance and blocked the higher GPO from being processed and applied.
Next, I switched the positions of the two GPOs. I moved the GPO that was higher to the lower position and left it configured at hide all icons. I moved the GPO that was lower to the higher position and left it at hide all icons not configured. I logged on and logged off. The desktop icons remained hidden. Again, not what I expected, since it was my understanding that although the GPO lower on the list was processed first, the GPO higher on the list, the one with the hide icons not configured, was suppose to have priority and take precedence.
Next I configured everything identically to the way it was immediately above, but added the No Override to the lower GPO set to hide all icons not configured. I logged off and logged on. The desktop icons remained hidden again! Now I’m thoroughly confused!
In the end, disabling the GPO configured to hide all icons was the only way I could get the desktop icons to show up.
Can anyone please tell me what I’m missing? I don’t know if I’m screwing up or my system is screwing up. I’m running Windows 2000 Advance Server with DNS, DHCP, WINS, one Domain still in mixed mode, and several clients. Everything was going just smooth till I hit this snag. Maybe I need to switch to Native Mode? Thanks in advance, and I’m sorry for the length of this post. | |
| Tech Ranger 2002-12-15, 9:57 am |
| An AD container can have multiple GPOs linked to it. You can set the precedence by moving the GPOs up and down within the link. This relationship that GPOs have to one another is seperate from the relationship they have in terms of how a user or computer has policy applied based on the user or computer existing within various places in AD to which policies can be applied.
A computer can have local policies applied. The same computer can have policies applied to it by virtue of its existence within an AD site. The very same PC can also receive policies linked to the domain in which it resides. That very same box may also be part of an OU, or even child OUs within an OU. From these conatiners it can likewise receive and process polies. The "NO Override" option deals with preventing GPOs linked to containers lower on the pecking order from overriding settings contained in GPOs higher up. For example: At the domain we set a policy. The default behavior is that conflicting policies at the OU level will override the domain settings. To change this default behavior we set "No Override" at the domain level. No Override and Block Policy Inheritance have nothing to do with the relationship that multiple GPOs linked to the same container have to each other. That is determined by position in the list. | |
| Turbodog 2002-12-15, 11:38 am |
| I can't believe it, just as I finished typing that long monstrosity above, I remembered that you had to convert to native mode to gain full Group Policy functionality. Well I made the switch and GPOs are doing what they are supposed to now. Wonderful! Thanks for the response Tech Ranger. | |
| cm2gj 2002-12-16, 12:18 am |
| quote:
Originally posted by Turbodog
I can't believe it, just as I finished typing that long monstrosity above, I remembered that you had to convert to native mode to gain full Group Policy functionality. Well I made the switch and GPOs are doing what they are supposed to now. Wonderful! Thanks for the response Tech Ranger.
GPOs can be applied to domains, sites and OUs.
the most inner level GPO take over the upper GPO. for example. if you have a domain with 7 OUs and you kill control panel on the domain GPO and a gpo exist for OU number 1 (OU1) with different setting... the OU1 gpo is the gpo applied to all the computers and users on the OU1.
if you have
Domain1
OU1
OU2
OU3
and apply GPO1 to domain 1 all the OU1,2 and 3 receive the settings of the GPO1.
if OU1 have sub OUs like OUs1 OUs2 then all the gpo travel inside this path.
the no override option is used to prevent conflicts or provide a consistent GPO policy no matter what are configured below the applied container.
this rule don´t apply when you apply certain GPOs like min password lenght on a domain. this kind of GPO can only be applied to domain, not OUs.
Tech Ranger is master on GPOs!!! |
|
|
|
|