GPO help

[Ovvvy]

I created a GPO called Generic
I applied it to my HQ OU which has sub OUs

I run secedit refresh to enforce the policy.
I went to my client Evt Viewer and applied succesfully, I
double check the machine and it is inside the HQ OU and
still no luck!!!(huwaaa).
I check using GPresult and find my policy and here is the
order.
- local policy
- generic
- Default domain Policy

I guess order is wrong since my generic should be process
last? How can I change the order?

In my GPO security I leave it default (authenticated
users) does this mean that all users in my domain even if
they are outside HQ OU will be affected?

Help Pleasssssssseeeeeeee

 

[Frank A, Zanotti]

Let me see if I can Help, First I believe the order cant not be changed
meaning it should be: (1,Local 2, Site 3, Domain 4, OU), Now I believe the
order can be changed if you have multiple polices for the same OU meaning
Policy 1 and policy 2 policy 3 now if you move policy 3 to the top that is
the fist one to be set. The default order in which AD uses policy order
(LSDO) I don't think this can be changed, Can you please provide more Info
on what you trying to do so I can try to help some more.

 

[Frank A, Zanotti]

I read your question again let me try to add something here that I hope can
help. It all depends where the Policy is linked, If you have a policy linked
to an OU and Authenacated users have Read and Apply permission then only
users/computers in that OU are affected, unless you have child OU's then
they will also be afftected depending on how you set it up but by default
Policy inheritance is on. There are a few options that you can set that will
block the policy from affecting child OU's. Now you have a default Domain
Policy with the default permission being Authenicated users having Read and
Apply GP so all users in affect will be affected. But you can customize this
to you Orginazation. You can remove athenacated users and use groups, Just
dont use the deny permission because deny always take presidence and
everyone who logs on is an authenicated user. I hope this helps and always
research because there might be something I left out or I might not be
totaly correct.

 

[Chriss3]

Set the Option No Override to the Generic Policy

--
Regards,

Christoffer Andersson
No email replies please - reply in the newsgroup

If you found the information help full, comment it at:
http://www.itsystem.se/employers.asp?ID=1

 

[David Fisher [MSFT]]

Hello.

Please take a look at the domain and 'generic' ou containers to see the
policies that are linked to each one. This will ensure that we are only
applying the appropriate policies as expected.

What settings are not applying to the client?
You may want to run "gpresult /s" on the client for more details on the
policies being applied.

You can also enable winlogon logging for more details on group policy
application:
245422 How to Enable Logging for Security Configuration Client Processing in
http://support.microsoft.com/?id=245422

Best Regards,
David Fisher
Enterprise Platform Support