GPO in one OU, affect computers in another

  1. #1
    Senior Member
    Join Date
    Aug 2001
    Location
    Calgary, AB Canada
    Posts
    140

    GPO in one OU, affect computers in another

    OK, the title probably made no sense...

    I need to run a shutdown script that installs an exe on a couple hundred machines at our branch office.

    In my AD setup (just a test VMware box right now) I have created an OU called 'Test' where I applied the GPO. Now, if the computers are inside this OU, the GPO gets applied to them, the script runs on the computer during shutdown, everything is good.

    But, when we hit the production network, we don't want to move these computers into a new OU just to make this work. We also don't want to roll out the GPO on ALL the computers at once, just select ones to start. Slowly we'll be adding computers about 30 at a time.

    I created a security group and put it in the Test OU where the GPO is applied. I've added the computers in the default 'Computer' container to this security group. The computers do not get the GPO applied to them.

    Under the GPO Security Settings (looking under 'Delegation tab --> Advanced') I have the security group with ALL permissions set, except 'Full Control' and 'Special Permissions', and obviously I don't have any Deny ones checked.

    I'm 3 weeks on the job here. It's a lot of fun, but obviously I didn't learn everything I needed in school. I've been fighting with this for a while; is there anyone here who can shed some light on it for me? Any help would be greatly appreciated! I'll continue googling around too, maybe I just haven't put in the right search strings yet.


    Thanks so much!


    Dave
    Alcohol & calculus don't mix. Never drink & derive.

  2. #2
    Some Assembly Required ShagDevil's Avatar
    Join Date
    Nov 2002
    Location
    New Jersey
    Posts
    718
    Well, let me open up with GPO processing can be very confusing. I personally hate the whole "Last Write Wins" schema.

    With that being said,
    Is this "Security Group" inside your "Test" OU linked to the GPO? Does this GPO need to be enforced? How many GPOs are being applied to this "Test" OU? (Sorry about the questions, just trying to understand your setup.)

    Also, I know there's a setting that can determine exactly which Users/Computers etc. will be allowed to process the GPO (towards the bottom screen when you've highlighted the actual GPO itself).

    Can you elaborate a bit more as to the setup?
    The object of war is not to die for your country but to make the other bastard die for his - George Patton

  3. #3
    Senior Member
    Join Date
    Aug 2001
    Location
    Calgary, AB Canada
    Posts
    140
    Sorry for the delay, I'm back from the weekend now.

    Alright, thanks for the response ShagDevil.

    Right now, the Test OU only has the one GPO assigned to it. The only other GPO is the 'Default Domain Policy' on the domain itself, which I haven't touched.

    The GPO I'm working with is linked to the Test OU, I can see that in the Group Policy Management interface. It also says Enforced and Link Enabled.


    The setting I think you're talking about is the "Security Filtering." Right now it's set to 'Authenticated Users' and also the security group I created. (This is under the 'scope' tab.)


    Thanks for your help, I'm still playing around trying to figure this out.



    Dave
    Alcohol & calculus don't mix. Never drink & derive.

  4. #4
    Senior Member
    Join Date
    Aug 2001
    Location
    Calgary, AB Canada
    Posts
    140
    Going off ShagDevil's hint about the linking... I played with the Group Policy Modeling, which showed me that the Test OU's GPO was not being applied to them. I thought that just having the Security Group inside the Test OU was enough to have the member client computers have the GPO applied to them too, even if they're outside of the OU.

    So, I linked the GPO to the domain, not just the Test OU, and the GPO is now being applied to the computers. I guess this is technically a workaround? Or is there still a way to have the GPO assigned to the group computers more directly?


    I'll try to illustrate this:

    My active directory:

    DaveTest.local
    --> Computers
    -------> All my client computers, who are members of security group 'lockdown'
    --> Test (OU)
    -----> lockdown (the security group, which has the client PCs as members)
    -----> My GPO with the Shutdown script, linked to this OU

    My GPMC:
    Forest
    -Domains
    -->DaveTest.local
    ----->'Default Domain Policy' (I linked the Test OU GPO here which made it work, but originally it wasn't here)
    ----Test (OU)
    ------>My GPO


    Does that make sense?

    EDIT: Never mind, now even if I pull a client computer out of an OU, the GPO still gets applied to them. (Even if they aren't in the security filtering either...) So back to square one, I guess.

    EDIT 2: OK, I played with the Security Filtering. I removed the 'Authenticated Users' and left only the 'lockdown' security group, and now it seems to be working. So is this the correct way? Do I really have to link the GPO at the domain level as well, not just the OU with the security group in it?


    Thanks!
    Last edited by dstevens1958; July 7th, 2008 at 07:38 PM.
    Alcohol & calculus don't mix. Never drink & derive.
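A scope check that answers the two questions raised in this post in one command: is the computer object under a container the GPO is linked to, and does it hold the "Apply group policy" right through its own account, a group it belongs to, or Authenticated Users. This is an added PowerShell example, not code from the thread; it assumes the RSAT GroupPolicy and ActiveDirectory modules, and the GPO and computer names at the bottom are placeholders.

```powershell
# Added example: explain why a GPO does or does not reach a given computer.
# Assumes RSAT (GroupPolicy + ActiveDirectory modules) in a domain-joined session.
Import-Module GroupPolicy
Import-Module ActiveDirectory

function Test-GpoReachesComputer {
    param(
        [Parameter(Mandatory)][string]$GpoName,
        [Parameter(Mandatory)][string]$ComputerName
    )
    $computer = Get-ADComputer -Identity $ComputerName -Properties CanonicalName
    # Direct group memberships of the computer object (nested groups are not resolved here).
    $memberSids = @((Get-ADPrincipalGroupMembership -Identity $computer).SID.Value)

    # 1) Link scope: a GPO only reaches objects that live beneath a domain or OU
    #    it is linked to. The report XML lists each link with its canonical
    #    path (SOMPath), e.g. "DaveTest.local/Test". A group sitting in that OU
    #    does not pull its members into scope; the computer object itself must
    #    be beneath the link. (Site links are not handled by this path match.)
    [xml]$report = Get-GPOReport -Name $GpoName -ReportType Xml
    $links = @($report.GPO.LinksTo)
    $inScope = $links | Where-Object {
        $_.Enabled -eq 'true' -and
        $computer.CanonicalName -like "$($_.SOMPath)/*"
    }

    # 2) Security filtering: some trustee the computer matches must hold
    #    "Apply group policy". Authenticated Users (S-1-5-11) covers every
    #    domain computer, which is why removing it makes the group the gate.
    $applyAces = Get-GPPermission -Name $GpoName -All |
        Where-Object { $_.Permission -eq 'GpoApply' }
    $passesFilter = $applyAces | Where-Object {
        $sid = $_.Trustee.Sid.Value
        $sid -eq 'S-1-5-11' -or
        $sid -eq $computer.SID.Value -or
        $memberSids -contains $sid
    }

    [pscustomobject]@{
        Computer        = $computer.CanonicalName
        LinkedAt        = ($links | ForEach-Object { $_.SOMPath }) -join '; '
        InLinkScope     = [bool]$inScope
        PassesFiltering = [bool]$passesFilter
        WouldApply      = ([bool]$inScope -and [bool]$passesFilter)
    }
}

# Placeholder names modelled on the layout in this post.
Test-GpoReachesComputer -GpoName 'Shutdown Script GPO' -ComputerName 'CLIENT01'
```

Block Inheritance, WMI filters, Deny ACEs and nested group membership are not modelled, so Group Policy Modeling or gpresult on the client stays the authoritative answer. Keep in mind that since MS16-072 (2016) user-side settings are fetched in the computer's security context, so a GPO whose security filtering lists only a user group still needs Authenticated Users or Domain Computers to retain Read.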

  5. #5
    Some Assembly Required ShagDevil's Avatar
    Join Date
    Nov 2002
    Location
    New Jersey
    Posts
    718
    The GPO I'm working with is linked to the Test OU, I can see that in the Group Policy Management interface. It also says Enforced and Link Enabled
    Ok. First it should process your Default Domain Policy, then this GPO linked to your "Test" OU. And even though you have a nested "Security Group" OU, your GPO should still apply because it's the only GPO being processed.

    You know, before we go any further. When you added this "Security Group" OU, to your '"Test" OU, did you happen to run "gpupdate" on the computers added to this new group (before testing the script)?

    I just read your most recent reply and it's still possible that "gpupdate" could be the culprit, depending on when your systems refresh their policies.
    Last edited by ShagDevil; July 7th, 2008 at 07:34 PM.
    The object of war is not to die for your country but to make the other bastard die for his - George Patton

  6. #6
    Senior Member
    Join Date
    Aug 2001
    Location
    Calgary, AB Canada
    Posts
    140
    OK, thanks for the reply. I just did my second edit.

    Yes, I've been running 'gpupdate /force' on the clients before I reboot them.

    So again with my second edit before I noticed you'd replied:

    I played with the Security Filtering. I removed the 'Authenticated Users' and left only the 'lockdown' security group, and now it seems to be working. So is this the correct way? Do I really have to link the GPO at the domain level as well, not just the OU with the security group in it?
    Alcohol & calculus don't mix. Never drink & derive.

  7. #7
    Some Assembly Required ShagDevil's Avatar
    Join Date
    Nov 2002
    Location
    New Jersey
    Posts
    718
    Do I really have to link the GPO at the domain level as well, not just the OU with the security group in it?
    No, you shouldn't have to. You should be able to apply your GPO without linking it to the domain.

    Ok, let's keep at it. Another question, is your Default Domain Policy also being enforced?
    The object of war is not to die for your country but to make the other bastard die for his - George Patton

  8. #8
    Senior Member
    Join Date
    Aug 2001
    Location
    Calgary, AB Canada
    Posts
    140
    Thanks!

    Ok, yes, when I run the query in the Group Policy Modeling, it shows the Default Domain Policy is being enforced. When I unlink the GPO from the domain level, that GPO is no longer being enforced on the client.
    Alcohol & calculus don't mix. Never drink & derive.

  9. #9
    Some Assembly Required ShagDevil's Avatar
    Join Date
    Nov 2002
    Location
    New Jersey
    Posts
    718
    No problem.

    Listen, I have to run out to lunch but, I'll think about this a bit and get back to you.

    I'll leave you with this thought: my guess is that your Default Domain Policy is probably overwriting any settings in your "Test" OU GPO (or vice versa?). I always get a bit confused when it comes to enforcing multiple policies.

    Keep me up to date!
    The object of war is not to die for your country but to make the other bastard die for his - George Patton

  10. #10
    Some Assembly Required ShagDevil's Avatar
    Join Date
    Nov 2002
    Location
    New Jersey
    Posts
    718
    Any luck as of yet?
    The object of war is not to die for your country but to make the other bastard die for his - George Patton
