GPMC and icon descriptions

Neil Ruston

I have GPMC installed and working fine.

I have a forest with 4 domains, one root and 3 children.

Using a non-privileged account, when I launch GPMC, one of
the domains is shown in the left pane with a blue "!"
symbol next to it. None of the other domains have this
symbol.

Why does the symbol appear next to that domain? I have
been unable to find any info in the GPMC help
file/TechNet/Knowledge Base. I have not noticed that any
GPMC functionality is missing/unavailable as a result of
the ! symbol.

Thanks,
Neil
 
Neil Ruston

Thanks! You're quite right.

I cannot find the ref in the help file, but inheritance is
indeed blocked at the domain level. (I fail to see why
anyone would want to do that and fail to understand why
the option is available at the domain level).

Thanks again,
Neil
 
Jerry Cruz

Neil,

Since you can obviously set "Block Inheritance" at the domain level, it
seems to me that it should block all Site Policies for that domain that
aren't set with the "No Override" option. Sites may be contained within
Domains, they may span domains, or both. So, if I read this right and if I
follow the LSDOU rule of thumb, site policies should be blocked with that
setting. We know that blocking inheritance works at the domain level, but at
the site level too...and for both site and domain level GPOs?

So far, we haven't had any use for site policies and so I haven't tested
that particular scenario. There's no documentation on it that I've ever
read, but blocking site GPOs is what it sounds like it might do. If you
decide to test it by applying a Site Policy, please let me know how it comes
out. One more datum for GPO Administration.
 
Neil Ruston

So we're all agreed - there is little point in offering
the ability to block inheritance at the domain level,
since there are no GPOs which exist "higher" in the
hierarchy.

Neil
 
Matthew Wetmore [MSFT]

"So we're all agreed - there is little point in offering the ability to
block inheritance at the domain level, since there are no GPOs which exist
'higher' in the hierarchy."

Sorry, not correct. Rather than trying to post the entire document here, I
suggest reading the help file I mentioned below for a clarification on how
this works.

While "Sites" and "Domains" aren't in a direct hierarchy, there is an order
in which group policies linked to those items are processed - and
inheritance affects that.

I hope you won't find any useless features in GPMC - if it seems so, we'll
be happy to look at ways we can clarify them. We do need that kind of
feedback so we can plan future versions, and improve our documentation and
knowledge base articles.
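
A simplified model of the processing order discussed in this thread, added here as an illustration; it is not code from any of the posters or from GPMC. It covers only site, domain and OU links (the local GPO and link order within a container are left out), and the class names and GPO names are constructed for the example.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Link:
    gpo: str
    enforced: bool = False  # "No Override" in the thread's terminology

@dataclass
class Container:
    name: str  # "site", "domain" or "OU"
    links: list = field(default_factory=list)  # Link objects in application order
    block_inheritance: bool = False

def effective_gpos(chain):
    """chain lists containers from highest level to lowest (site, domain, OU).
    Returns GPO names in application order; the last entry wins conflicts."""
    # The lowest container with Block Inheritance set is the barrier:
    # non-enforced links above it are not inherited.
    barrier = 0
    for i, container in enumerate(chain):
        if container.block_inheritance:
            barrier = i
    normal, enforced_by_level = [], []
    for i, container in enumerate(chain):
        enforced_by_level.append([l.gpo for l in container.links if l.enforced])
        if i >= barrier:
            normal += [l.gpo for l in container.links if not l.enforced]
    # Enforced links ignore the barrier and are applied last, with the
    # highest-level container applied last of all so that it wins.
    enforced = [g for level in reversed(enforced_by_level) for g in level]
    return normal + enforced

def sample_chain(domain_blocks):
    # Constructed sample hierarchy; every GPO name here is hypothetical.
    return [
        Container("site", [Link("Site-Proxy"), Link("Site-Baseline", enforced=True)]),
        Container("domain", [Link("Default Domain Policy")],
                  block_inheritance=domain_blocks),
        Container("OU", [Link("OU-Workstations")]),
    ]

if __name__ == "__main__":
    for blocked in (False, True):
        print("domain blocks inheritance:", blocked)
        for gpo in effective_gpos(sample_chain(blocked)):
            print("   ", gpo)
```

With the domain set to block inheritance, the non-enforced site link drops out of the result while the enforced one still applies, which is why the setting matters for any baseline that is linked at a site.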
 
