Linking GPO to AD

[Gongalong]

Hi folks,

I'm trying to reverse engineer some of the setup here on our student domain.

There are a number of GPOs. Those that I created I setup specific user or computer groups for, and then added them under scope.

The historic GPOs (created before I started here) seem to be done in a different way. The scope is set to Authenticated Users, but they appear to be directly connected to OUs in AD.

How do you create a GPO that links directly to an OU? And how can I edit one that has already been created?

(Using Server 2008 R2)

TIA

[pete]

Fire up Group Policy Management Console.

Right-click an OU in the left-hand window. Look at the options available on the menu.

From there you'll work it out.

[Gongalong]

Ah-ha! If I create an OU in AD it appears in GPM, and vice versa - I was wary of dabbling in case I broke something.

Only problem now is it won't let me delete the OU I've created! It says "You do not have sufficient privileges to delete Test, or this object is projected from accidental deletion." I can't spot a way to unprotect it, if that's the case.

[Admiral208]

Load up AD and click on the View menu at the top. Select 'Advanced Features'.

Now right click on the OU you are trying to delete and select properties. Under the Object tab make sure that 'Protect object from accidental deletion' is not ticked. Click Ok and you can now delete the OU.

[Gongalong]

Thanks, that solved it.

Out of interest, if I have the default policy and an OU policy with conflicting information, which policy wins?

[Admiral208]

to work out the winning policy, open group policy management and select the ou you are interseted in. On the right hand side at the top there are 3 tabs, the middle one is Group policy Inheritance. Look at the tab and whichever policy is higher in the list is the winning gpo (There are a few exceptions but this is rule most of the time.) The policy with the biggest number is processed first and works towards policy 1 which is applied last.

If you need to know exactly, you can run Group Policy Modeling to see which policy the settings are coming from.

[Michael]

The other rule is that Computer GPOs set will win over User GPOs set (if the same settings are available in both).

[pete]

Thanks, that solved it.

Out of interest, if I have the default policy and an OU policy with conflicting information, which policy wins?

Default domain > * (default domain should be set to "enforced")

[Gongalong]

Thanks all.

[ChrisMiles]

Default domain > * (default domain should be set to "enforced")

On the contrary you shouldn't even use the default domain policy except perhaps to set the account security settings and even then you can set that from other GPOs now. Keep the default domain policy as default as possible and configure new GPOs to store your settings in a logical way which makes it obvious what they do.

With regard to which policies wins, policies in the same level of the AD tree can be ordered using the group policy inheritance. 1 is the highest ranking. If GPOs are in different levels/OUs then the GPO lower down the tree takes precedence over any higher in the tree. You can block inheritance on an OU to prevent GPOs higher in the tree from affecting objects in and below that OU and you can enforce specific GPOs to prevent their settings from being overwritten by lower down GPOs.