GPO not working for DC to logon locaally

N

NWTEST

I created a group policy in my Domain controllers OU
called log_on_locally. This policy will allow some
accounts to logon locally so that they can install
software etc on my Domain controlers without having the
admin rights. I added the usrs/group to logon locally
rights permissions in the Computer configuration-windows
Settings-Security Settings-Local Policies.

However the particular user still cannot do anything on
the server even changing time or share a folder!

I checked gpresults and this is what I got

Local Policy
logon_locally
default domain controllers Policy
default domain Policy
Does it mean that my Logon_locally Policy has been
overwritten by Default domain policy.How I can make sure
that Logon locally will take effect please help.
...


..
 
C

Chriss3

You can set No Override on a specific Group Policy object link so that Group
Policy objects linked at a lower-level of Active Directory - closer to the
recipient user or computer account - cannot override that policy. If you do
this, Group Policy objects linked at the same level, but not as No Override,
are also prevented from overriding. If you have several links set to No
Override, at the same level of Active Directory, then you need to prioritize
them. Links higher in the list have priority on all Configured (that is,
Enabled or Disabled) settings.

If you have linked a specific Group Policy object to a domain, and set the
Group Policy object link to No Override, then the configured Group Policy
settings that the Group Policy object contains apply to all organizational
units under that domain. Group Policy objects linked to organizational units
cannot override that domain-linked Group Policy object.

You can also block inheritance of Group Policy from above in Active
Directory. This is done by checking Block Policy inheritance on the Group
Policy tab of the Properties sheet of the domain or organizational unit.
This option does not exist for a site.

Some important facts about No Override and Block Policy are listed below:

a.. No Override is set on a link, not on a site, domain, organizational
unit, or Group Policy object.
b.. Block Policy Inheritance is set on a domain or organizational unit,
and therefore applies to all Group Policy objects linked at that level or
higher in Active Directory which can be overridden.
c.. No Override takes precedence over Block Policy Inheritance if the two
are in conflict.
If you want to see what a Group Policy object is linked to, open it in the
Group Policy console, right-click the root node, click Properties, and then
click the Links tab. Click Find Now after setting the domain on the
drop-down menu.
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Similar Threads

GPO on Domain controllers OU for-Logon Locally 1
GPO for Local accounts on DC 1
Logon locally for DC 1
Default Domain Policy 2003 7
Incorrect GPResult result 3
GPO not being applied 2
local security policy does not get applied 2
\\servername\share logon failure for domain admins 1

Top