Windows Server 2008 R2 Thread, Linking GPO to AD in Technical
  1. #1
    Gongalong

    Question Linking GPO to AD

    Hi folks,

    I'm trying to reverse engineer some of the setup here on our student domain.

    There are a number of GPOs. Those that I created I set up specific user or computer groups for, and then added them under scope.

    The historic GPOs (created before I started here) seem to be done in a different way. The scope is set to Authenticated Users, but they appear to be directly connected to OUs in AD.

    How do you create a GPO that links directly to an OU? And how can I edit one that has already been created?

    (Using Server 2008 R2)

    TIA

  2. #2


    Fire up Group Policy Management Console.

    Right-click an OU in the left-hand window. Look at the options available on the menu.

    From there you'll work it out.

  3. Thanks to pete from:

    Gongalong (1st February 2012)

  4. #3
    Gongalong
    Ah-ha! If I create an OU in AD it appears in GPM, and vice versa - I was wary of dabbling in case I broke something.

    Only problem now is it won't let me delete the OU I've created! It says "You do not have sufficient privileges to delete Test, or this object is protected from accidental deletion." I can't spot a way to unprotect it, if that's the case.

  5. #4
    Admiral208
    Load up AD and click on the View menu at the top. Select 'Advanced Features'.

    Now right click on the OU you are trying to delete and select properties. Under the Object tab make sure that 'Protect object from accidental deletion' is not ticked. Click Ok and you can now delete the OU.

  6. Thanks to Admiral208 from:

    Gongalong (2nd February 2012)

  7. #5
    Gongalong
    Thanks, that solved it.

    Out of interest, if I have the default policy and an OU policy with conflicting information, which policy wins?

  8. #6
    Admiral208
    To work out the winning policy, open Group Policy Management and select the OU you are interested in. On the right-hand side at the top there are 3 tabs; the middle one is Group Policy Inheritance. Look at the tab and whichever policy is higher in the list is the winning GPO (there are a few exceptions, but this is the rule most of the time). The policy with the biggest number is processed first and works towards policy 1, which is applied last.

    If you need to know exactly, you can run Group Policy Modeling to see which policy the settings are coming from.

  9. Thanks to Admiral208 from:

    Gongalong (3rd February 2012)

  10. #7

    Michael
    The other rule is that Computer GPOs set will win over User GPOs set (if the same settings are available in both).

  11. Thanks to Michael from:

    Gongalong (3rd February 2012)

  12. #8


    Originally posted by Gongalong:
    "Thanks, that solved it. Out of interest, if I have the default policy and an OU policy with conflicting information, which policy wins?"

    Default domain > * (default domain should be set to "enforced")

  13. Thanks to pete from:

    Gongalong (3rd February 2012)

  14. #9
    Gongalong
    Thanks all.

  15. #10

    Originally posted by pete:
    "Default domain > * (default domain should be set to 'enforced')"

    On the contrary, you shouldn't even use the default domain policy except perhaps to set the account security settings, and even then you can set that from other GPOs now. Keep the default domain policy as default as possible and configure new GPOs to store your settings in a logical way which makes it obvious what they do.

    With regard to which policy wins, policies in the same level of the AD tree can be ordered using the group policy inheritance. 1 is the highest ranking. If GPOs are in different levels/OUs then the GPO lower down the tree takes precedence over any higher in the tree. You can block inheritance on an OU to prevent GPOs higher in the tree from affecting objects in and below that OU and you can enforce specific GPOs to prevent their settings from being overwritten by lower down GPOs.

  16. Thanks to ChrisMiles from:

    Gongalong (3rd February 2012)
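
The linking and precedence points raised in this thread can be checked from PowerShell as well as from GPMC. This is an added example, not posted by any thread participant; it uses the GroupPolicy and ActiveDirectory modules available on Server 2008 R2, and the OU path and GPO name are constructed placeholders.

```powershell
# Added example: the OU path and GPO name are placeholders, not from the thread.
Import-Module GroupPolicy, ActiveDirectory

$ou      = 'OU=Test,DC=example,DC=local'   # placeholder OU distinguished name
$gpoName = 'Example Student Policy'        # placeholder GPO display name

# Link an existing GPO to the OU (the scripted form of right-clicking the OU in GPMC).
New-GPLink -Name $gpoName -Target $ou -LinkEnabled Yes

function Get-OuGpoPrecedence {
    param([Parameter(Mandatory=$true)][string]$SearchBase)

    # Visit the OU and every OU beneath it.
    Get-ADOrganizationalUnit -SearchBase $SearchBase -SearchScope Subtree -Filter * |
    ForEach-Object {
        $dn  = $_.DistinguishedName
        $som = Get-GPInheritance -Target $dn
        # InheritedGpoLinks is what the Group Policy Inheritance tab shows.
        foreach ($link in $som.InheritedGpoLinks) {
            New-Object PSObject -Property @{
                OU       = $dn
                Blocked  = $som.GpoInheritanceBlocked  # Block Inheritance set on this OU
                Order    = $link.Order                 # 1 is applied last, so it wins
                GPO      = $link.DisplayName
                Enforced = $link.Enforced              # not overridden by links lower down
                LinkedAt = $link.Target                # container the link actually sits on
            }
        }
    } | Select-Object OU, Blocked, Order, GPO, Enforced, LinkedAt
}

# One row per GPO that reaches each OU, in winning order.
Get-OuGpoPrecedence -SearchBase $ou |
    Sort-Object OU, Order |
    Format-Table -AutoSize

# Security filtering: which trustees hold Apply on the GPO
# (for the historic GPOs described in post #1 this would list Authenticated Users).
Get-GPPermissions -Name $gpoName -All |
    Where-Object { $_.Permission -eq 'GpoApply' } |
    Select-Object @{n='Trustee'; e={ $_.Trustee.Name }}, Permission
```

Rows where `Blocked` is True or `Enforced` is True are the exceptions to the simple "higher in the list wins" reading, so they are the ones worth reviewing first.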
