
  • Question

  • Hi,

    I've created a Group Policy named PC policy which contains computer restrictions for users in my company. Recently I found out that this PC policy blocks the other policies which are on the server.

    To verify this, I created a separate OU and blocked inheritance. After that I added a PC to that OU (the blocked-inheritance OU) and added group policies one by one. Each time I ran GPRESULT in CMD. They worked fine until I added the PC policy. After I added the PC policy and ran GPRESULT again, I found out that some of my group policies do not work. Only then did I realize it happens due to this policy (PC policy). Is there any way to solve this problem?

    Dilshan

    Monday, June 7, 2010 7:46 AM

Answers

  • Hello,

    Compare the rsop.msc output with the applied GPOs and check, according to the order, whether the correct settings are applied. In GPMC you can see the link order when the OU is marked, in the right pane under Linked Group Policy Objects.

    The lowest link order is the last applied one, so if, for example, 4 GPOs are linked to the OU, 4 is applied first, then 3, then 2 and then 1. So if some settings are conflicting, the active GPO is 1.


    Best regards Meinolf Weber Disclaimer: This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.
    Monday, June 7, 2010 11:35 AM
  • Hi,

    As Meinolf mentioned, please double check the settings that may break the GPO inheritance in RSOP.msc or GPMC.msc.

    1. Enforced GPO/block inheritance OU
    2. GPO link order/processing order
    3. Security filter
    4. Loopback processing
    5. Computer Configuration settings vs User Configuration settings

    Tuesday, June 8, 2010 5:32 AM
    Moderator
  • Hi,

    I figured out the problem. There was a policy conflict, so I have recreated those.

    Thanks and cheers

    Dilshan

    Wednesday, June 30, 2010 10:01 AM

All replies

  • Hello,

    It sounds to me like you have conflicting settings inside the GPOs. Did you check with rsop.msc, logged on as a user, to see the applied settings? Maybe rsop.msc will not show the complete ones; then use gpresult /z instead.


    Best regards Meinolf Weber Disclaimer: This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.
    Monday, June 7, 2010 9:12 AM
  • Can you tell me how to sort this out? If there is any conflict, how can I sort this out?
    Monday, June 7, 2010 11:19 AM
  • Hi

    My company has a 2008 R2 server and all the GPOs are created on there.

    Monday, June 7, 2010 11:29 AM
  • Your problem is solved, but you gotta remember that even when you block inheritance on an OU, if you have another GPO at a higher level which is enforced, then it doesn't really matter whether or not you have blocked inheritance on a lower-level OU. The higher-level GPO will be applied to that OU as well.

    Cheers

    Thursday, July 1, 2010 6:56 AM
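
The precedence rules discussed in this thread (link order 1 wins inside an OU, Block Inheritance drops parent links, an enforced parent link still applies and wins) can be modelled in a few lines. This is an added example, not code from any poster or from Microsoft; all GPO names other than "PC policy", the domain name and the setting names are constructed, and the model deliberately ignores security filtering, WMI filters, loopback processing and disabled links.

```python
from dataclasses import dataclass, field

@dataclass
class Link:
    gpo: str
    order: int                      # GPMC link order; 1 wins inside its container
    enforced: bool = False
    settings: dict = field(default_factory=dict)

@dataclass
class Container:
    name: str
    links: list
    block_inheritance: bool = False

def precedence(chain):
    """chain: containers from the domain down to the target OU.
    Returns (container, link) pairs, winning link first."""
    # Non-enforced links above the deepest blocking container are dropped.
    cut = max((i for i, c in enumerate(chain) if c.block_inheritance), default=0)
    enforced, normal = [], []
    for depth, c in enumerate(chain):
        for link in sorted(c.links, key=lambda l: l.order):
            if link.enforced:
                enforced.append((c.name, link))      # higher container wins
            elif depth >= cut:
                normal.append((depth, c.name, link))
    normal.sort(key=lambda t: (-t[0], t[2].order))    # closest OU wins
    return enforced + [(name, link) for _, name, link in normal]

def effective(chain):
    """Apply losers first so the winner overwrites: setting -> (value, GPO)."""
    result = {}
    for _, link in reversed(precedence(chain)):
        for key, value in link.settings.items():
            result[key] = (value, link.gpo)
    return result

# Constructed sample: every name and setting below is made up for illustration.
DOMAIN = Container("example.test", [
    Link("Domain Baseline", 1, enforced=True, settings={"ScreenSaverTimeout": 600}),
    Link("Domain Defaults", 2, settings={"Wallpaper": "corp.bmp"}),
])
TEST_OU = Container("Blocked OU", [
    Link("PC policy", 1, settings={"ScreenSaverTimeout": 0, "ControlPanel": "hidden"}),
    Link("Helpdesk tools", 2, settings={"ControlPanel": "visible"}),
], block_inheritance=True)

if __name__ == "__main__":
    for key, (value, gpo) in sorted(effective([DOMAIN, TEST_OU]).items()):
        print(f"{key} = {value}   (from {gpo})")
```

On a real domain, compare the model's answer for an OU with what `gpresult` or rsop.msc reports on a member computer; a mismatch usually points at one of the factors the model leaves out.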