Group Policy - question

  • Thread starter: TC

TC

New to Active Directory.

Got a question.

I create a top level OU named "X" and create an OU
named "Y" within it.
I create a GPO named "Z" at the domain/OU level and apply
it to the top level OU "X".

Will OU Y inherit the GPO from the OU "X"?

I configured this on my server (testing server) but when
I go to OU "Y" - properties - Group Policy tab, I do not
see the GPO listed there. I thought the OU Y will inherit
the group policy from parent OU X.
I have not blocked Policy inheritance on OU Y.

Maybe this is something basic that I am missing; all
answers are appreciated.

Thanks

TC
 
Thanks Steve, I understand this concept, but what I want to
know about is inheritance.
Top level OU has an OU in it. Applied GPO to top level OU;
does the child OU inherit the GPO from the parent?
If it does, then where can I see what GPO is applied to this
child OU?
When I tested this out, there is no GPO listed under
the properties - Group Policy tab of the child OU.

Thanks

TC
-----Original Message-----
Policies are applied in the order of local - site - domain - OU.
Conflicting settings will normally be overridden by the GPO "closest" to the
computer/user unless no override, block inheritance, or policy filtering is
used. Remember that the user/computer must be in the OU in order for that
GPO to apply [there is an exception to user configuration if loopback
processing is used, but that is not the norm]. Gpresult is helpful in
troubleshooting GPO issues. Policy changes are not applied immediately and
may take up to a couple of hours to propagate, and Active Directory needs to
be implemented correctly - especially DNS. Dcdiag and netdiag are helpful in
determining that. --- Steve

http://support.microsoft.com/default.aspx?scid=kb;en-us%3B321709
US;q250842&



 
Yes, if a user/computer is "downlevel" in a sub OU, the GPO policies
will flow down, but any conflicting policies will normally be overridden by
the GPO closest to the user. For instance, you have a top level OU named EAST and
an OU called SALES under that OU. In the EAST OU the setting for disable
Control Panel is enabled and the setting for hide drives in Explorer is
enabled. In the SALES OU the setting for disable Control Panel is undefined
and the setting to hide drives in Explorer is disabled. The end policy for a
user in the SALES OU would be that Control Panel would be disabled and
viewing hard drives in Explorer would be enabled [because the "hide" setting
had been disabled]. Hope that helps. By default when you create an OU,
there is no GPO for it. For the OU you need to select properties/Group
Policy/new to create a GPO that will initially have no settings
defined. --- Steve


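Added example, not part of the original posts: a simplified Python model of the precedence described in the thread (parent-to-child processing, last writer wins, block inheritance, no override), run on the EAST/SALES settings and on the question's X/Y/Z layout. The class and function names and the GPO names EAST-GPO and SALES-GPO are made up for illustration; local, site and domain GPOs, link order within one container and policy filtering are left out.

```python
from dataclasses import dataclass, field

@dataclass
class Link:
    gpo: str
    settings: dict            # only defined settings appear; "undefined" ones are absent
    enforced: bool = False    # the "No Override" option on the link

@dataclass
class Container:
    name: str
    links: list = field(default_factory=list)  # GPOs linked directly to this container
    block_inheritance: bool = False

def effective_links(path):
    """path: containers from the top-level OU down to the OU that holds the
    user/computer. Returns the links that apply, in processing order."""
    normal, enforced = [], []
    for c in path:
        if c.block_inheritance:
            normal = []       # non-enforced links from above stop here
        normal += [l for l in c.links if not l.enforced]
        # enforced links are processed last; the highest container goes last and wins
        enforced = [l for l in c.links if l.enforced] + enforced
    return normal + enforced

def resultant(path):
    """Last writer wins: maps setting -> (value, GPO that supplied it)."""
    out = {}
    for link in effective_links(path):
        for name, value in link.settings.items():
            out[name] = (value, link.gpo)
    return out

def east_sales_example():
    # Constructed data mirroring the EAST/SALES description in the thread
    east = Container("EAST", [Link("EAST-GPO", {"Disable Control Panel": "Enabled",
                                                 "Hide drives in Explorer": "Enabled"})])
    sales = Container("SALES", [Link("SALES-GPO", {"Hide drives in Explorer": "Disabled"})])
    return resultant([east, sales])

def xy_example(block=False, enforced=False):
    # The question's layout: GPO "Z" linked to OU "X", child OU "Y" has no links
    x = Container("X", [Link("Z", {}, enforced)])
    y = Container("Y", [], block)
    linked_on_y = [l.gpo for l in y.links]
    applies_to_y = [l.gpo for l in effective_links([x, y])]
    return linked_on_y, applies_to_y
```

For OU Y the model returns no directly linked GPOs while still returning Z as applying, which is the situation the question describes.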
 
I need to add that account policies [password, lockout, etc.] for domain
accounts can only be applied at the domain level and will be ignored at any
other level. So if you are doing your testing with account policies, that
may explain any failed results. --- Steve

Steven L Umbach said:
Yes, if a user/computer is "downlevel" in a sub OU, the GPO policies
will flow down, but any conflicting policies will normally be overridden by
the GPO closest to the user. For instance, you have a top level OU named EAST and
an OU called SALES under that OU. In the EAST OU the setting for disable
Control Panel is enabled and the setting for hide drives in Explorer is
enabled. In the SALES OU the setting for disable Control Panel is undefined
and the setting to hide drives in Explorer is disabled. The end policy for a
user in the SALES OU would be that Control Panel would be disabled and
viewing hard drives in Explorer would be enabled [because the "hide" setting
had been disabled]. Hope that helps. By default when you create an OU,
there is no GPO for it. For the OU you need to select properties/Group
Policy/new to create a GPO that will initially have no settings
defined. --- Steve

