I'm trying to apply a custom GPO to an OU with a specific account in it. Even though I enforce the GPO, the default domain policy is still overriding my custom GPO and settings are not being applied to the account.

Questions:

  1. Is the Default Domain Policy not subject to Enforcement?
  2. How do I get a custom GPO to override the default domain policy?
I.T. Support

2 Answers

1

The priority is based off of what position the GPO is in the list.

What you can try doing is selecting the custom group policy object that you created and moving it ABOVE the default domain policy. This will make sure that your custom policy takes precedence and won't be overridden by the default domain policy.

byachna
  • Are you referring to the OU in AD where I link the GPO? So rather than linking it to the OU that the account resides in I link it to say the domain? – I.T. Support Jan 05 '11 at 17:37
  • Yup! You want to link it to the domain. When you link it to the domain, I believe you can choose which accounts the policy is enforced on. – byachna Jan 05 '11 at 17:41
  • So if I only enforce the GPO on a specific account, then link that GPO to the domain, will the GPO override settings defined in the default domain policy that apply to 'authenticated users'? My concern is that applying the custom GPO to the domain will cause accounts not defined in my custom GPO that rely on the default domain policy for permissions to lose those permissions... – I.T. Support Jan 05 '11 at 18:01
  • You won't have to worry about that. If the accounts aren't defined in your custom GPO, they will NOT follow the rules defined in the custom GPO and they will continue using the default domain policy. You should be ok with applying the custom GPO to the domain as long as you have the specific user accounts that you want the custom GPO applied to defined inside of the custom GPO. – byachna Jan 05 '11 at 18:12
  • So I applied the recommended configuration, and my GP modeling results show the default domain policy as the winning GPO, and none of the permissions defined in the custom OU for the user are being applied. What am I missing here? – I.T. Support Jan 05 '11 at 19:20
  • If you go back to the group policy tab where you adjust what order the policies are in, highlight the default domain policy and hit "Options" and make sure that the "No Override" checkbox isn't checked. – byachna Jan 05 '11 at 19:41
  • Actually, your policy settings might be fine. It may just require a refresh on the machine(s) that you're logging in from. Try logging into the account in question and run "gpupdate". The syntax and use is listed here: http://technet.microsoft.com/en-us/library/cc739112(WS.10).aspx – byachna Jan 05 '11 at 19:50
  • I employed gpupdate during the original test, still no luck. Curious, where do I find the TAB for group policy? Are you using the Group Policy Management MMC Snap In? I just have a tree view list on the left side of the MMC and details on the right... – I.T. Support Jan 05 '11 at 21:10
0

The trick was to "Block Inheritance" on the immediate parent OU for the child OU in question.

  • Right-click the parent OU of the OU you want to apply your custom GPO to, then click "Block Inheritance"
  • Apply your custom GPO to the child OU beneath the parent OU you just blocked inheritance on
  • From a (domain controller) CMD prompt, type: gpupdate /force
  • Run GPO Modeling to confirm the custom GPO settings are being applied

This worked for us. The only caveat is to remember that when you block inheritance on an OU, you prevent all GPOs above that OU from propagating their settings via inheritance. This means that if you are relying on a GPO higher up in the schema for settings, you need to confirm they are still being applied to child OUs beneath the OU you've blocked inheritance on, as you may need to replicate these settings in the custom GPO you applied to the child OU.

I.T. Support
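A PowerShell version of the procedure in the accepted answer, added here as an example and not taken from the thread. It records what the child OU inherits before and after blocking inheritance so the caveat about lost settings can be checked, and it flags any Enforced link higher up, since Block Inheritance does not stop an enforced link. It assumes the GroupPolicy module (RSAT / Windows Server 2008 R2 or later) is installed, and the OU distinguished names and GPO name are placeholders.

```powershell
# Added example, not the thread's own commands. Placeholders below are assumptions.
Import-Module GroupPolicy

$ParentOU  = 'OU=Parent,DC=example,DC=com'   # assumed: OU to block inheritance on
$ChildOU   = "OU=Child,$ParentOU"            # assumed: OU that holds the account
$CustomGpo = 'Custom User Policy'            # assumed: display name of the custom GPO

# 1. Record every GPO link that currently applies to the child OU (its own
#    links plus inherited ones), in precedence order.
$before = Get-GPInheritance -Target $ChildOU
$before.InheritedGpoLinks |
    Select-Object Order, DisplayName, Enabled, Enforced, Target |
    Format-Table -AutoSize

# An Enforced link above the OU is NOT stopped by Block Inheritance and will
# still win over the custom GPO, so surface it before making any change.
$enforced = @($before.InheritedGpoLinks | Where-Object { $_.Enforced })
if ($enforced.Count -gt 0) {
    Write-Warning ("Enforced links that will still apply: " +
        (($enforced | ForEach-Object { $_.DisplayName }) -join ', '))
}

# 2. Block inheritance on the parent OU (the step the answer describes).
Set-GPInheritance -Target $ParentOU -IsBlocked Yes

# 3. Link the custom GPO to the child OU at the top of the link order,
#    unless it is already linked there.
$existing = (Get-GPInheritance -Target $ChildOU).GpoLinks |
    Where-Object { $_.DisplayName -eq $CustomGpo }
if (-not $existing) {
    New-GPLink -Name $CustomGpo -Target $ChildOU -LinkEnabled Yes -Order 1
}

# 4. Anything that applied before but no longer applies carried settings
#    you may need to replicate in the custom GPO (the answer's caveat).
$after    = Get-GPInheritance -Target $ChildOU
$afterIds = @($after.InheritedGpoLinks | ForEach-Object { $_.GpoId })
$lost     = $before.InheritedGpoLinks | Where-Object { $afterIds -notcontains $_.GpoId }
"GPOs no longer applied to ${ChildOU}:"
$lost | Select-Object DisplayName, Target | Format-Table -AutoSize

# 5. Refresh policy on this machine and write the resultant set of policy
#    (logging mode) to an HTML report for confirmation.
gpupdate /force
Get-GPResultantSetOfPolicy -ReportType Html -Path "$env:TEMP\rsop.html"
```

Run it from an elevated PowerShell session on a machine where the account in question logs on; the RSoP report shows which GPO won for each setting.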