Cannot apply GPO to default container

  • Question

  • Hi,

    I'm using GPMC on Windows Server 2008 while my DC is on Windows 2003.

    When I navigate through the domain in GPMC, I can only see OUs and custom OUs created by admin.

    But there are no default containers like Builtin, Computers, ForeignSecurityPrincipals, LostAndFound, ProgramData, System, Users, and NTDS Quotas?

    These containers are shown in Active Directory Users and Computers but they are not shown in GPMC?

    Please help me to understand this: how am I going to link a GPO for Computers and Users under these default containers?

     

    Thank you in advance.


    ---Packie
    Thursday, February 10, 2011 12:50 AM


All replies

  • You cannot apply policies to these system, default containers such as Users and Computers, only organizational units.

     

     


    Visit: anITKB.com, an IT Knowledge Base.
    Thursday, February 10, 2011 1:05 AM
  • Meaning that anything under Default Domain Policy, even if it is Enforced, is not going to apply to these default containers?

    I have a lot of machines under the container named Computers.
    I think these machines are placed here when they join the domain & have not been moved to any OU yet.


    ---Packie
    Thursday, February 10, 2011 3:44 AM
  • A domain level linked policy will still apply to users and computers in the containers; but like JM mentioned you can't link a GPO to containers.

    If you want computers and users to be moved to a different OU instead of the default containers when they are joined then you can use redircmp and redirusr. More info on those here:   http://support.microsoft.com/kb/324949

     

    Thanks

     

    Mike


    http://adisfun.blogspot.com
    http://twitter.com/mekline
    Thursday, February 10, 2011 4:16 AM
  • Where can I find more info about GPO can't apply on container?

    I tried to search but couldn't find the result I wanted; perhaps I'm not using the correct key/term to search for.


    ---Packie
    Thursday, February 10, 2011 4:42 AM
  • Where can I find more info about GPO can't apply on container?

    I tried to search but couldn't find the result I wanted; perhaps I'm not using the correct key/term to search for.


    ---Packie

    It can apply to a user or computer in the default container if linked/applied at the domain level (or any higher level).  You just can't link to the container. For more info:

     

    http://technet.microsoft.com/en-us/library/cc978249.aspx 

    "It is not possible to link a Group Policy object to a generic Active Directory container. (A generic Active Directory container is identifiable by its plain folder icon in the Active Directory Users and Computers console. The icon for an organizational unit is similar, except that a small book is superimposed on the folder.) However, users and computers in generic Active Directory containers do receive policy by inheritance from Group Policy objects linked at a higher level of Active Directory. For example, the Users and Computers containers you see in Active Directory Users and Computers cannot have Group Policy objects linked directly to them, but they do receive domain-linked Group Policy objects by means of inheritance."

    Thanks

    Mike

     


    http://adisfun.blogspot.com
    http://twitter.com/mekline
    Thursday, February 10, 2011 6:29 AM
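The inheritance behaviour described in the reply above, as an added example that is not part of any poster's reply: a small Python model that walks an object's ancestors and collects the GPOs linked through the `gPLink` attribute, showing that a computer left in `CN=Computers` receives only domain-linked policy. The `example.com` tree, the GPO GUIDs and all function names are constructed for illustration; site links and Block Inheritance are not modelled.

```python
import re

# Constructed sample data (not from the thread): GPO GUIDs and a toy example.com tree.
DOMAIN_GPO = "{11111111-1111-1111-1111-111111111111}"
OU_GPO = "{22222222-2222-2222-2222-222222222222}"
OLD_GPO = "{33333333-3333-3333-3333-333333333333}"
POL = "cn=policies,cn=system,DC=example,DC=com"
GPLINKS = {  # DN -> gPLink value; option bits: 1 = link disabled, 2 = enforced
    "DC=example,DC=com": f"[LDAP://cn={DOMAIN_GPO},{POL};2]",
    "OU=Workstations,DC=example,DC=com":
        f"[LDAP://cn={OU_GPO},{POL};0][LDAP://cn={OLD_GPO},{POL};1]",
}
LINK_RE = re.compile(r"\[LDAP://cn=(\{[0-9A-Fa-f-]+\}),[^;\]]*;(\d+)\]", re.I)

def parse_gplink(value):
    """Return [(gpo_guid, enabled, enforced)] parsed from a gPLink string."""
    links = []
    for guid, opts in LINK_RE.findall(value or ""):
        flags = int(opts)
        links.append((guid.upper(), not flags & 1, bool(flags & 2)))
    return links

def parent_chain(dn):
    """Yield the ancestors of dn, nearest first (splits on unescaped commas)."""
    parts = re.split(r"(?<!\\),", dn)
    for i in range(1, len(parts)):
        yield ",".join(parts[i:])

def in_generic_container(dn):
    """True when the object's direct parent is a CN= container, not an OU."""
    return next(parent_chain(dn), "").upper().startswith("CN=")

def linked_gpos(dn, gplinks):
    """GPOs reaching dn through enabled links on its ancestors, nearest first."""
    hits = []
    for ancestor in parent_chain(dn):
        if ancestor.upper().startswith("CN="):
            continue  # generic containers cannot carry a GPO link
        for guid, enabled, enforced in parse_gplink(gplinks.get(ancestor)):
            if enabled:
                hits.append((guid, ancestor, enforced))
    return hits

if __name__ == "__main__":
    for dn in ("CN=PC1,CN=Computers,DC=example,DC=com",
               "CN=PC2,OU=Workstations,DC=example,DC=com"):
        print(dn, in_generic_container(dn), linked_gpos(dn, GPLINKS))
```

A computer for which `in_generic_container` is true receives only the domain-linked GPOs, so any OU-linked baseline will not reach it until it is moved to an OU.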
  • This is it.

    Many thanks!!!


    ---Packie
    Thursday, February 10, 2011 12:09 PM