+ Post New Thread
Page 1 of 2 12 LastLast
Results 1 to 15 of 16
Windows Server 2000/2003 Thread, GPO Inheritance in Technical; Hi, Within Active Directory I have several Organizational units each with their own GPOs. Basically if the top level has ...
  1. #1

    Join Date
    Jun 2009
    Location
    Birmingham
    Posts
    616
    Thank Post
    93
    Thanked 75 Times in 67 Posts
    Rep Power
    26

    GPO Inheritance

    Hi,

    Within Active Directory I have several Organizational units each with their own GPOs. Basically if the top level has a policy set(e.g. security) should that be then inherited to all child objects unless it is over ridden. So as long as I don't configure it differently it will use it.

    Also, is there anyway to check how big the GPO is? I don't know if that's a stupid question, but our laptops seem to take ages to log on and I'm trying to figure out why.

    Regards

    Richard

  2. #2

    Join Date
    Jan 2009
    Location
    Essex
    Posts
    36
    Thank Post
    1
    Thanked 11 Times in 7 Posts
    Rep Power
    14
    Hi richard,

    Here is a good link regarding gpo's, specifically inheritance. Group Policy Inheritance.

    You can use group policy results wizard to see what GPO's are being applied. here is a link that will help you with that Using Group Policy Modeling and Group Policy Results to Evaluate Group Policy Settings

  3. Thanks to big_nath from:

    Tricky_Dicky (19th June 2009)

  4. #3

    powdarrmonkey's Avatar
    Join Date
    Feb 2008
    Location
    Alcester, Warwickshire
    Posts
    4,867
    Thank Post
    412
    Thanked 778 Times in 651 Posts
    Rep Power
    183
    Quote Originally Posted by Tricky_Dicky View Post
    Within Active Directory I have several Organizational units each with their own GPOs. Basically if the top level has a policy set(e.g. security) should that be then inherited to all child objects unless it is over ridden. So as long as I don't configure it differently it will use it.
    Yes. Was it meant to be a question?

    Also, is there anyway to check how big the GPO is? I don't know if that's a stupid question, but our laptops seem to take ages to log on and I'm trying to figure out why.
    The actual files are in \\<domain>\sysvol\<domain>\Policies, one GUID folder per policy object.

  5. Thanks to powdarrmonkey from:

    Tricky_Dicky (19th June 2009)

  6. #4

    m25man's Avatar
    Join Date
    Oct 2005
    Location
    Romford, Essex
    Posts
    1,682
    Thank Post
    49
    Thanked 484 Times in 351 Posts
    Rep Power
    144
    Could you not create a test OU outside of your normal tree/branch/leaf move one of the offending LT's into this do a gpupdate /force /sync /boot and see what happens?

    Im guessing your LT's are wireless and there is probably a whole lot more going on at login time than just your GPO's being applied!

    Find out which server your GPO is being copied from.
    Go to the server,
    Ping the offending client by both name and IP address.

    If you have a problem with either name or ip pings your issue could be DNS related.

    GPO's regularly fail when a client has more than one rDNS entry.

  7. #5

    Join Date
    Jun 2009
    Location
    Birmingham
    Posts
    616
    Thank Post
    93
    Thanked 75 Times in 67 Posts
    Rep Power
    26
    Yes, it was meant to be a question, sorry.

    Cheers for the links, very useful.

    Rich

  8. #6

    Join Date
    Jun 2009
    Location
    Birmingham
    Posts
    616
    Thank Post
    93
    Thanked 75 Times in 67 Posts
    Rep Power
    26
    m25man,

    It's a very simple network. I have 1 server at the moment which is doing everything.

    I suspect it is just a rubbish wireless network which is causing things to mess up but I have an evaluation of the Ruckus kit coming in on Monday . I've already waved the quote under the powers that be and they seem keen.

    Are there any other things that you could think of that could be slowing down logons? I'm using Mandatory profiles if that makes a difference?

    Rich

  9. #7

    Join Date
    Jan 2009
    Location
    Essex
    Posts
    36
    Thank Post
    1
    Thanked 11 Times in 7 Posts
    Rep Power
    14
    Quote Originally Posted by Tricky_Dicky View Post
    m25man,

    It's a very simple network. I have 1 server at the moment which is doing everything.

    I suspect it is just a rubbish wireless network which is causing things to mess up but I have an evaluation of the Ruckus kit coming in on Monday . I've already waved the quote under the powers that be and they seem keen.

    Are there any other things that you could think of that could be slowing down logons? I'm using Mandatory profiles if that makes a difference?

    Rich
    How big are the profiles? and how long is it taking to log on?

  10. #8

    Join Date
    Jun 2009
    Location
    Birmingham
    Posts
    616
    Thank Post
    93
    Thanked 75 Times in 67 Posts
    Rep Power
    26
    Student Profile is 1,243KB.
    If it works, can take 10 minutes, but often they don't log on properly so you get things like H drive not mapped or icons missing etc.

    I have just changed some of the GPOs, like wait for network before loading -enable, which I'm hoping will mean that things are missed.

    Rich

  11. #9

    powdarrmonkey's Avatar
    Join Date
    Feb 2008
    Location
    Alcester, Warwickshire
    Posts
    4,867
    Thank Post
    412
    Thanked 778 Times in 651 Posts
    Rep Power
    183
    I'd blame your wireless network.

  12. #10

    Join Date
    Jan 2009
    Location
    Essex
    Posts
    36
    Thank Post
    1
    Thanked 11 Times in 7 Posts
    Rep Power
    14
    Quote Originally Posted by Tricky_Dicky View Post
    Student Profile is 1,243KB.
    If it works, can take 10 minutes, but often they don't log on properly so you get things like H drive not mapped or icons missing etc.

    I have just changed some of the GPOs, like wait for network before loading -enable, which I'm hoping will mean that things are missed.

    Rich
    the profile is not to big. It could be a logon script is hanging. The default time out is 10 minutes for that i beleive. Other than slow log on is the network quite responsive?

  13. #11

    Join Date
    Jun 2009
    Location
    Birmingham
    Posts
    616
    Thank Post
    93
    Thanked 75 Times in 67 Posts
    Rep Power
    26
    No, the network sucks.
    Have a call open with Link2ICT at the moment as they installed it. It is an all Cisco network which doesn't seem to be able to handle large file transfers?!?
    I was moving about 5GB from the server to a network drive last night and all the desktop icons dropped off the machines.
    Any pointers for setting up the Ruckus, or is it straight forward enough?
    Rich

  14. #12
    bob_uk2k's Avatar
    Join Date
    May 2009
    Location
    Ipswich
    Posts
    6
    Thank Post
    0
    Thanked 1 Time in 1 Post
    Rep Power
    0
    Hi Rich,

    Robert from Net-Ctrl here.

    The Ruckus is very easy to setup.

    The Zone Director (ZD) which is the brains behind it all needs a static IP so you know where to find it with your web browser then all the access points should be left to get an IP from DHCP, they will find their own way back to the ZD. The ZD will give the access points the config you setup in the ZD and the firmware they need also.

    In the ZD you can setup one SSID or more which can let people on the network directly or challenge them with various methods to find out who they are all of which is fairly stright forward to do.

    Most people are very happy to see how good the start up wizard is on the ZD and once that's done the rest sorts it's self.

    Robert

  15. #13

    m25man's Avatar
    Join Date
    Oct 2005
    Location
    Romford, Essex
    Posts
    1,682
    Thank Post
    49
    Thanked 484 Times in 351 Posts
    Rep Power
    144
    Quote Originally Posted by Tricky_Dicky View Post
    No, the network sucks.
    I was moving about 5GB from the server to a network drive last night and all the desktop icons dropped off the machines.
    Rich
    I guess that rules the wifi out then!

    What server?
    Which Raid Controller?
    How many disks in the array?
    What transfer speed are you getting over the wire on a 5Gb file transfer?

  16. #14

    Michael's Avatar
    Join Date
    Dec 2005
    Location
    Birmingham
    Posts
    9,345
    Thank Post
    242
    Thanked 1,602 Times in 1,278 Posts
    Rep Power
    346
    Basically if the top level has a policy set(e.g. security) should that be then inherited to all child objects unless it is over ridden.
    If you set something on the Default Domain Policy (generally speaking you shouldn't), but for example I do set proxy settings on the default GPO, as of course all users/machines need it to connect to the internet.

    As for everything else, if you have an OU and GPO called "Curriculum" anything under this will inherit your settings. Other OUs/GPOs such as Staff and MIS would not be affected as they are not within/under the Curriculum branch as it were

    As for your slow logons, it does appear to be wireless related. Link2ICT are very much pro Cisco due to its manageability, but to be honest I too have noticed wired file transfers are much slower than say in another fully HP network which I manage. I'm only speculating but my theory is that the security settings set are too strict and that it may be interpreting the large file transfer as a broadcast storm. I have also wondered whether this has contributed to BGFL's recent internet problems. All their switches and school gateways are Cisco. I don't think it's a co-incidence to be honest...

    What's logon like with your wired workstations? With a profile that size (similar to what I use) you're looking at a 30-60 second logon time in total. If you disable the wireless on the same laptop and connect an ethernet cable, is it any better? Have you tried rebooting all switches and access points?

  17. #15

    Join Date
    Aug 2005
    Location
    London
    Posts
    3,159
    Thank Post
    116
    Thanked 529 Times in 452 Posts
    Blog Entries
    2
    Rep Power
    125
    Your comments about slow network transfers for the 5Gb file probably do rule out wireless but a really quick way to find out more would be to just plug a laptop into a wired socket and log on - is it any quicker? Assuming you've got 802.11g wireless and 100Mbit networking then if the wireless is the problem then you'd expect to see a substantial speed increase. If you don't then you can probably say that it's not the wireless at fault.

    You can quickly see if the GPOs are causing a problem by creating a test OU and putting one machine in it. In the properties of the OU, block GP inheritance - in that way, no policies will apply and you get to see if they are having an adverse affect.

    If you find that the test OU now goes more quickly then there may be too much going on in the GPO settings. This can be complicated to fix. Some policies will be slow the first time they apply but then will take almost no time (for example, if you set a policy to change the permissions on the whole of program files then this could take minutes to apply but should only apply once)

    Google "userenv debug logging" to find out how to setup logging of the gpo application process. Basically, you end up with a log file showing you how long was spent at each stage of logon (remember to turn off the logging when you've finished - it adds to the logon burden!)

    Good luck!



SHARE:
+ Post New Thread
Page 1 of 2 12 LastLast

Similar Threads

  1. EZ-GPO
    By pottski in forum Windows
    Replies: 3
    Last Post: 11th December 2008, 09:52 AM
  2. Replies: 1
    Last Post: 14th November 2008, 02:01 PM
  3. Inheritance permissions
    By sparkeh in forum Windows
    Replies: 7
    Last Post: 12th November 2008, 09:40 AM
  4. Removing a GPO
    By _Bat_ in forum Windows
    Replies: 12
    Last Post: 3rd May 2007, 05:27 PM
  5. Permissions Inheritance
    By meastaugh1 in forum Windows
    Replies: 10
    Last Post: 20th October 2006, 04:14 PM

Thread Information

Users Browsing this Thread

There are currently 1 users browsing this thread. (0 members and 1 guests)

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •