
Thread: Group Policy

  1. #11
    Senior Member
    Join Date
    Apr 2004
    Posts
    157
    Just a quick "basic" check question.

    Do you have the users placed in an OU?
    And you applied the GP to that OU?

    If not, try that to make sure the GP settings are propagating correctly...

  2. #12
    Junior Member
    Join Date
    Oct 2004
    Posts
    3
    Originally posted here by thehorse13
    Type GPUPDATE at the command prompt of one of your hosts. Try again. Report your results here.
    The default Group Policy refresh rate is 90 mins for workstations and 5 mins for servers...

    You Could Right Click on the Domain From AD Users and computers Select Properties...
    Then Navigate to the Group Policy Tab...
    Edit or Create a Default Domain Group Policy...
    Under Computer Configuration Expand Windows Settings...Then Security Settings
    Under Account settings Make the necessary changes depending on your requirements..

    Close the GP Editor...Then run secedit /refreshpolicy from a workstation...Reboot and test changes...
    There are 10 types of persons in IT, those who understand binary, and those who don't....

  3. #13
    Senior Member
    Join Date
    Sep 2001
    Posts
    1,027
    Account policies are only applicable at the domain level and not to individual OUs.
    While it won't complain if you set account policies on a GP applied to an OU, it will NOT take effect.

    edit:

    Oh, also, to check what policies applied correctly or not, (on XP) use gpresult (at the command line) and/or the "Resultant Set of Policies" (RSoP.mmc) plugin in the MMC.
    The latter is VERY useful in diagnosing GP issues!


    Ammo
    Credit travels up, blame travels down -- The Boss

  4. #14
    Senior Member
    Join Date
    Jan 2004
    Posts
    172
    alright, let me apply this to the domain and see if it is effective that way. Will this also lock out administrator/domain admin accounts including the built in Administrator account?

  5. #15
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    Silly question.... Are you logging in as the domain administrator.... Because he can't be locked out.....
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides

  6. #16
    Senior Member RoadClosed's Avatar
    Join Date
    Jun 2003
    Posts
    3,834
    Account policies are only applicable at the domain level and not to individual OUs.
    I was planning on doing that... you sound like you are you sure? Would you know of a work around?
    West of House
    You are standing in an open field west of a white house, with a boarded front door.
    There is a small mailbox here.

  7. #17
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    Road:

    I really don't believe that information is accurate for several reasons.... Unfortunately I don't have the time to log into my work systems and _prove_ it.

    I can say that under each OU there is both computer policies and user policies. Logically, there would be no point having the user policies if they did nothing. Add to that the ability to create a "Problem User" OU that restricts the users in it to what they can do and I would say the information is wrong.

    At this point this is a slightly beer blurred answer with no solid facts to back it up.... they will come...

    As an afterthought.... It might be a "no override" issue on the domain policy.... But that's me starting to think when I probably shouldn't....
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides

  8. #18
    Senior Member
    Join Date
    Sep 2001
    Posts
    1,027
    Here, confirmation... (with a little caveat...)

    http://www.microsoft.com/resources/d...p_log_fann.asp
    Account Policies

    Account policies affect Windows XP Professional computers in two ways. When applied to a local computer, account policies apply to the local account database that is stored on that computer. When applied to domain controllers, the account policies affect domain accounts for users logging on from Windows XP Professional computers that are joined to that domain.

    Domain-wide account policies are defined in the Default Domain Group Policy object (GPO). All domain controllers pull the domain-wide account policy from the Default Domain GPO regardless of the organizational unit in which the domain controller exists. Thus, while there might be different local account policies for member computers in different organizational units, there cannot be different account policies for the accounts in a domain.

    By default, all computers that are not-domain controllers will also receive the default domain account policy for their local accounts. However different account policies might be established for local accounts on computers that are not domain controllers by setting an account policy at the organizational unit level. Account policies for stand-alone computers can be set using Local Security Policy.
    Also reworded here: http://www.microsoft.com/windows2000...CEacctpols.htm


    So basically,
    1- domain accounts are only affected by the domain level account policy.
    2- local accounts are by default affected by the domain level account policy
    3- (and this is my caveat) the local account's policy can be overridden by an account policy set at the OU level BUT it will only apply to local user accounts, not the domain accounts that login locally.


    Ammo
    Credit travels up, blame travels down -- The Boss

  9. #19
    Senior Member
    Join Date
    Apr 2004
    Posts
    157
    Yeah, I think you're right Ammo.

    Anyway, I thought the best way to find out is to test it, and sure enough, I can't make an OU get any other Account policy than what the Domain policy is set to..

    That's just stupid though.. lol! I haven't really needed to setup specific GP Account policies on different OU's, I just have the same GP settings for the whole Domain. But I could very well see how it could be very beneficial to be able to set different Account policies on different OU's...!
    Even tried to check the box, "No override" on the OU policy, but still no luck.. heh!

    I even used RSoP to check what it "thought" the policy should be, and it says the OU policy is what goes, so even RSoP reports it wrong.. not very well thought through it seems.. !?!

    Oh well... another stupid "flaw"... !

  10. #20
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    After some digging... and thanks for making me re-look at this... I found this:-

    Group Policy is applied hierarchically from the least restrictive group (site) to the most restrictive group (organizational unit). Group Policy is also cumulative. Child directory service containers inherit Group Policy from parent containers, and Group Policy processing occurs in the following order: site, domain, and organizational unit. This means that if you have assigned a specific Group Policy to a high-level parent container, that Group Policy applies to all containers beneath the parent container, including the user and computer objects in each container. However, if you explicitly specify a Group Policy for a child container, the child container's Group Policy overrides the parent container's Group Policy.
    Since the order is Site - _Domain_ - OU then this seems to clearly state that the policy applies at the OU level on top of the domain policy.

    This seems to be confirmed by this

    In general, Group Policy is passed down from parent to child containers. If you have assigned a specific Group Policy to a high-level parent container, that Group Policy applies to all containers beneath the parent container, including the user and computer objects in each container. However, if you explicitly specify a Group Policy setting for a child container, the child container's Group Policy setting overrides the parent container's setting.
    Then there's the "fiddling" that can be done with the "No override" and "Block inheritance" settings and I'm pretty sure you can do anything you please.... If you do it right. The issue is that the policy is applied from the top level, (site), through the domain to the OU. The way it works is that if I set a policy, (let's forget the Site for now), at the domain level under the user policy that states that the users of this domain can't use Word then since that policy is set if it is "not set" at the OU level then the domain policy "wins". However, if it is set to enabled or disabled then the OU policy "wins". At the same time, if the OU policy is "not set" but the OU has Block Inheritance set then the domain policy doesn't apply.

    Am I making myself clear here? It's the way I always understood AD to work with regard to policies.... I'll work harder to make myself clear if there are questions.....
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides
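
Added example, not part of the thread: a small Python model of the resolution rules discussed in posts #18 and #20. Ordinary settings follow site, domain, OU order with "No override" and "Block inheritance", while account policy for domain accounts is read only from the domain level. The setting names and sample links are constructed, and the model covers a single OU level.

```python
from dataclasses import dataclass

# Constructed subset of account-policy setting names, for illustration only.
ACCOUNT_POLICY = {"LockoutThreshold", "MinimumPasswordLength"}

@dataclass
class Link:
    level: str                 # "site", "domain" or "ou"
    settings: dict             # name -> value; a missing name means "not set"
    no_override: bool = False  # "No override" ticked on this GPO link

def resolve(links, block_inheritance=False):
    """Effective settings for an object in the OU; links in site, domain, OU order."""
    effective, locked = {}, set()
    for link in links:
        if block_inheritance and link.level != "ou" and not link.no_override:
            continue  # Block inheritance on the OU drops parent links, except No override ones
        for name, value in link.settings.items():
            if name in locked:
                continue  # a higher No override link already fixed this setting
            effective[name] = value  # otherwise the link closest to the object wins
            if link.no_override:
                locked.add(name)
    return effective

def account_policy(links, account, block_inheritance=False):
    """account: "domain", or "local" for a SAM account on a member computer in the OU."""
    if account == "domain":
        # Domain accounts only ever see account policy linked at the domain level.
        links = [l for l in links if l.level == "domain"]
        block_inheritance = False
    effective = resolve(links, block_inheritance)
    return {k: v for k, v in effective.items() if k in ACCOUNT_POLICY}

# Constructed sample links (not taken from the thread).
DOMAIN = Link("domain", {"BlockWord": True, "LockoutThreshold": 5})
OU_SET = Link("ou", {"BlockWord": False, "LockoutThreshold": 3})
OU_NOT_SET = Link("ou", {})

if __name__ == "__main__":
    print(resolve([DOMAIN, OU_SET]))
    print(resolve([DOMAIN, OU_NOT_SET], block_inheritance=True))
    print(account_policy([DOMAIN, OU_SET], "domain"))
    print(account_policy([DOMAIN, OU_SET], "local"))
```

The "local" result is the value a member computer in the OU applies to its own SAM accounts; the "domain" result is what governs domain logons.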
