Home > Archive > 70-217 > November 2003 > Gpo question
| nero64 2003-11-22, 7:37 am |
| If you have a default domain GPO with the option - disable computer configuration settings and this GPO is also set to no override. Does this mean that every GPO that is beneath it will get its computer configuration settings disabled? I think it did when I tried it but just want to make sure. | |
| jeff_j_black 2003-11-22, 3:50 pm |
| It means that the default domain setting for the user will be applied with no override, no computer settings will be applied at this level. Your computer settings from gpo below that should apply. | |
| curiousgeorge 2003-11-22, 11:32 pm |
| Any time you select the No Override option for a GPO, it will be applied to everything under it, even if a lower level selects block policy inheritance.
Also-
No Override is applied on a PER GPO basis.
Block policy inheritance blocks ALL GPOs from higher levels.
The only thing that can get past a block policy inheritance setting is the No Override setting.
This is where company politics and administrator muscle flexing comes into play.
And just to throw another kink in things-
If you have two GPOs at the same level and they conflict with each other (i.e. if you have two GPOs at the domain level- one says disable x,y,z and the other says enable x,y,z) the GPO that is listed higher on the list of GPOs will be the effective setting. How's that for confusing!
I used to be an MCSE Instructor. I was the subject matter expert on AD. I used to spend an entire day on configuring GPOs to demonstrate all of the above scenarios.
I know it's confusing, but after it sinks in, it makes sense. | |
| jeff_j_black 2003-11-23, 11:07 am |
| I just ran this in the lab. The workstation is a 2003 Member Server in a 2000 domain. Using 2003 tools 'enforced' is the same as 'no override'. RSOP is the Resultant Set of Policy tool that reports what settings would be applied for a specified user on a specified machine.
I first backed up the default domain policy.
I disabled the computer settings for the policy.
I verified that the policy was set to enforce.
I created an ou called 'test' and placed the workstation I was logged onto as domain\administrator, into 'test'.
I ran gpupdate.
Using the RSOP snap-in I did a logging mode query for domain\administrator logged onto the member server.
RSOP reported security settings (password policy, account lockout) as not defined.
I created a new gpo called 'test', imported the settings from the backup I made of the default domain policy.
I linked the gpo 'test' to the ou 'test' and ran gpupdate.
I refreshed RSOP and it indicated that security settings for password and account lockout were defined and received the settings from the gpo 'test'.
So the answer is yes. |
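
The precedence rules discussed in this thread, and the lab run above, can be modelled in a few lines. This is an added example, not code from any poster or from Microsoft; it is a simplified model that assumes only domain and OU links (no local or site GPOs, security filtering, WMI filters or loopback), and the setting names and values are constructed.

```python
from dataclasses import dataclass

@dataclass
class Link:                            # one GPO link on a domain or OU
    gpo: str
    settings: dict                     # {"computer": {...}, "user": {...}}
    enforced: bool = False             # "No Override" in the Windows 2000 tools
    disabled: frozenset = frozenset()  # disabled halves, e.g. {"computer"}

@dataclass
class Container:
    name: str
    links: list                        # index 0 = highest on the link list
    block_inheritance: bool = False

def effective(path, side):
    """path: containers from the domain down to the object's own OU.
    Returns {setting: (value, winning GPO)} for side "computer" or "user"."""
    normal, forced = [], []
    for c in path:
        if c.block_inheritance:
            normal.clear()             # blocks ALL non-enforced GPOs from above
        ordered = list(reversed(c.links))   # top of the list is applied last
        normal += [ln for ln in ordered if not ln.enforced]
        # enforced links from higher containers are applied after lower ones
        forced = [ln for ln in ordered if ln.enforced] + forced
    result = {}
    for link in normal + forced:       # later writes win
        if side in link.disabled:
            continue                   # that half of the GPO is not processed
        for key, value in link.settings.get(side, {}).items():
            result[key] = (value, link.gpo)
    return result

# Constructed sample data modelled on the lab run in the thread.
PW = {"MinimumPasswordLength": 8}
ddp = Link("Default Domain Policy", {"computer": PW, "user": {"x": "disable"}},
           enforced=True, disabled=frozenset({"computer"}))
test_gpo = Link("test", {"computer": PW})

def lab(link_test_gpo, block=False):
    ou = Container("test", [test_gpo] if link_test_gpo else [], block)
    return [Container("domain", [ddp]), ou]

if __name__ == "__main__":
    print(effective(lab(False), "computer"))          # nothing defined
    print(effective(lab(True), "computer"))           # supplied by GPO 'test'
    print(effective(lab(True, block=True), "user"))   # enforced GPO passes the block
```

On a live system, compare the model's answer with what RSOP or `gpresult` reports for the same user and computer.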