Baffling Inheritance Problem

[David Leary]

We operate a single domain with multiple nested OU's. The default domain
policy is linked to the domain, enabled, but not enforced. I want to disable
Microsoft Messenger at this level, but enable it for certain OU's farther
down. I copied the default domain policy, renamed it, edited the two
Messenger settings to "not configured", linked it to the OUs I want to be
able to use Messenger, and enabled it .

That didn't work, Messenger is still disabled for these OUs. I blocked
inheritance for these OUs, but that didn't work either. I set Messenger
settings to "disabled" instead of "not configured. Still no good. I enforced
the policy. Still being overridden by the default domain policy. These OUs
only have this one modified policy linked to them.

How is it possible that a non-enforced domain policy can override blocked
inheritance and a policy linked and enforced even in a nested OU?

 

[Steven Umbach]

I believe that setting can be configured in either computer or user
configuration. Make sure that either the user or computer that you want it
applied to resides in the OU [or sub OU - scope of influence] where the policy
is applied. A not configured setting can be overridden by other policy because
only defined settings are able to override defined settings from a lower level
[meaning domain if you are in an OU]. I suggest you use Group Policy Management
Console RSOP or gpresult while logged onto one of the problem computers to see
what computer and user policies are being applied and use the /v. for verbose
mode that will give more detail on what settings are being applied from the
GPO's. --- Steve