-
Hey, still nothing so far. We tried recreating it from scratch, maybe something was missing, but that didn't work either. I just wish there was a more verbose log somewhere showing exactly what's happening with the policy application. Everything works fine if we move the computers to the Test OU, but without them in there, it refuses to apply our GPO. We're playing with different permissions right now as well, maybe we missed something there.
I'll let you know if we figure anything out.
Thanks for the help!
Dave
-
Alright, keep me posted because I'll undoubtedly run into this issue someday and I'd like to understand exactly what's going on.
The one thing I was thinking is this. Use your Default Domain Policy for all other systems. Then use the Block Inheritance option on your "Test" OU. And link the GPO you created to "Test" OU. This should at least separate the two policies.
Just make sure that your Default Domain Policy is not enforced, as I'm fairly sure that will override any Block Inheritance options.
-
We just talked with our windows administrator, he doesn't think it works the way we're trying to do it. He says the safest way is to just create a sub-OU under the main container where the computers sit, and apply the GPO there. That way the GPO's move down from higher levels, and the sub-ou adds to them. (The sub-ou gpo will have highest priority, then the OU above it, etc all the way up to the default domain gpo.)
This is what our windows admin does, so maybe that's the only way to get it working. I figured it would be possible to apply GPO's to a group in one OU to affect computers in a higher OU, but maybe it's simply not possible after all. Maybe this is because of possible complications, what if the computer is part of multiple groups in multiple OU's, it would make figuring out the effective GPO setting a lot more complicated.
So as of now, I will stop working on the group thing, I'll fall back to the sub-ou solution for now. Unfortunately I just don't have that much time left to play around. Hopefully I can get a test box setup and home and I can play with it on my own time.
Anyways, thanks for the help ShagDevil, I really appreciate it!
Dave
