none
New GPO for domain controller OU

    Question

  • Hi there,

    Running Active Directory services on Windows Server 2008 R2 Standard.

    We need to unlink default domain controllers policy from one of the domain controller and copy existing default domain controllers policy to create a new one with required changes done on it. This new GPO will need to be mapped to only one domain controller not others.

    Would it break something ?

    Read the part where it says Important…

    https://technet.microsoft.com/en-us/library/dd378987(v=ws.10).aspx



    MCSE Certified

    Monday, February 9, 2015 3:47 PM

Answers

  • > COuld you please guide step by step process of security filtering on
    > this, as in should I remove Authenticated Users Group from security
    > filtering when i link new GPo to a single DC ?
     
    Create a copy of the DDCP, remove Authenticated users and add your
    computer. Link to DC OU, move upwards to position 1. Done :)
     

    Martin

    Mal ein GUTES Buch über GPOs lesen?

    NO THEY ARE NOT EVIL, if you know what you are doing: Good or bad GPOs?
    And if IT bothers me - coke bottle design refreshment :))
    Tuesday, February 10, 2015 7:55 AM

All replies

  • I am assuming that you are wanting to change one setting in the default domain controllers GPO for a single DC. If so, create a new GPO that configures that setting. Link to the Domain Controllers OU and set the security filtering so that it only applies to that DC. Then select the Domain Controllers OU to see the link order of your GPOs. Change the link order so that your new GPO is listed as 1 (or above the default domain controllers GPO).


    If my answer helped you, check out my blog: Deploy Happiness

    Monday, February 9, 2015 4:02 PM
  • Thanks , but i went to some of the MS articles and they did state not to make changes to these OUs.. what say ?

    also, if i go by your advise, what should be security filtering in place


    MCSE Certified

    Monday, February 9, 2015 4:06 PM
  • > Thanks , but i went to some of the MS articles and they did state not to
    > make changes to these OUs.. what say ?
     
    Nonsense - as long as you KNOW what you are doing, the DDP and DDCP are
    useless :)
     
    On the other hand, if you do NOT know what you're doing, changing DDP or
    DDCP can easily break your entire domain :D
     

    Martin

    Mal ein GUTES Buch über GPOs lesen?

    NO THEY ARE NOT EVIL, if you know what you are doing: Good or bad GPOs?
    And if IT bothers me - coke bottle design refreshment :))
    Monday, February 9, 2015 5:36 PM
  • COuld you please guide step by step process of security filtering on this, as in should I remove Authenticated Users Group from security filtering when i link new GPo to a single DC ?

    MCSE Certified

    Monday, February 9, 2015 5:41 PM
  • > COuld you please guide step by step process of security filtering on
    > this, as in should I remove Authenticated Users Group from security
    > filtering when i link new GPo to a single DC ?
     
    Create a copy of the DDCP, remove Authenticated users and add your
    computer. Link to DC OU, move upwards to position 1. Done :)
     

    Martin

    Mal ein GUTES Buch über GPOs lesen?

    NO THEY ARE NOT EVIL, if you know what you are doing: Good or bad GPOs?
    And if IT bothers me - coke bottle design refreshment :))
    Tuesday, February 10, 2015 7:55 AM
  • Hi,

    May I know if you are able to configure the GPO for the perticular domain controller now?

    If you still got issues, feel free to post here.

    Best Regards,

    Elaine


    Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Thursday, February 12, 2015 9:08 AM
    Moderator