Limit to how far down a GPO will inherit?

KevinW

Odd question I know, but I just can’t figure out why this isn’t
working. I am trying to build a GPO to configure clients to my WUS
server. At the root of the domain I have the GPO created, it looks
like this:
"domainroot\"POL Windows Update"

Now the computer object sits down a couple of OUs:
"domainroot\departments\test\computers\"iss-2k04"

For whatever reason (and there are no inheritance blocks anywhere down
the chain), the GPO that sits at the domainroot will not apply to the
computer object. Howver, if I create the GPO in the "test" OU in
that path listed above, it applies just fine to the computer. The GPO
management console lists the GPO in the root as inhertited in that
computers OU, but like I said it doesn’t apply.

I wasn’t sure if there was a limit to how far down a GPO applies. I
don’t think so, but it would be the only thing that explained this.
 
lforbes

KevinW said:
Odd question I know, but I just can't figure out why this
isn't working. I am trying to build a GPO to configure
clients to my WUS server. At the root of the domain I have
the GPO created, it looks like this:
"domainroot\"POL Windows Update"

Now the computer object sits down a couple of OUs:
"domainroot\departments\test\computers\"iss-2k04"

For whatever reason (and there are no inheritance blocks
anywhere down the chain), the GPO that sits at the domainroot
will not apply to the computer object. However, if I create
the GPO in the "test" OU in that path listed above, it applies
just fine to the computer. The GPO management console lists
the GPO in the root as inherited in that computer's OU, but
like I said it doesn't apply.

I wasn't sure if there was a limit to how far down a GPO
applies. I don't think so, but it would be the only thing
that explained this.

Hi,

There is no "limit" to how far down a GPO applies. I have about 20
sublevels. Check to see if the other policies are applying. I would
have guessed about the block policy inheritance. Have you checked ALL
your DCs? Maybe one has a block and it hasn’t replicated but it is
the one doing the authenticating.

Also, make sure the DNS is working properly. It may have nothing to do
with your situation, but DNS is usually the culprit when GPs don’t
apply. http://www.sd61.bc.ca/windows2000/dns.htm

I wouldn’t put the Updates at the Default Domain Level anyway because
then it will affect the servers. You don’t want the servers rebooting
themselves with updates automatically.

Just a quick note. You mentioned WUS? Do you mean SUS? WUS is still in
beta form and not ready for regular deployment.
http://www.microsoft.com/windowsserversystem/wus/trial.mspx That may
be the problem if you are using a Beta program.

Cheers,

Lara
 
Guest

Ensure that "iss-2k04" belongs to a group that has "read" and "apply group
policy" permissions set on the "..\test\computers" OU (Group Policy >
Properties > Security). Otherwise, "authenticated users" would already
include it (yes that covers also machines).

Check the sequence of GPOs listed at "..\test\computers" as well. The order
of application is Local GP > Site > Domain > OU > sub-OU > sub-sub-OU, etc.,
and the one appearing at the topmost (of the GPO list) will take precedence.

Run through and see if any GPO further up the chain has "No override" turned
on.

Hope this helps.
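
The checks suggested in the replies above (a block on inheritance that only some DCs know about, link order and "No override", and apply permissions on the GPO) can be run in one pass with PowerShell. This is an added example, not part of the thread; it assumes the RSAT ActiveDirectory and GroupPolicy modules are installed and uses the computer and GPO names quoted in the question.

```powershell
# Added example, not from the thread. Assumes RSAT ActiveDirectory + GroupPolicy modules.
Import-Module ActiveDirectory, GroupPolicy

$ComputerName = 'iss-2k04'            # computer named in the thread
$GpoName      = 'POL Windows Update'  # GPO named in the thread

$domainDn = (Get-ADDomain).DistinguishedName
$computer = Get-ADComputer -Identity $ComputerName

# Container chain from the computer's OU up to the domain root.
# The split ignores escaped commas (\,) inside an RDN.
$chain = @()
$dn = ($computer.DistinguishedName -split '(?<!\\),', 2)[1]
while ($dn) {
    # Only OUs and the domain head can carry GPO links or an inheritance block.
    if ($dn -like 'OU=*' -or $dn -eq $domainDn) { $chain += $dn }
    if ($dn -eq $domainDn) { break }
    $dn = ($dn -split '(?<!\\),', 2)[1]
}

# 1. Ask every DC separately: an unreplicated block or link shows up as a
#    row that differs from the same container's row on another DC.
$perDc = foreach ($dc in Get-ADDomainController -Filter *) {
    foreach ($target in $chain) {
        $som  = Get-GPInheritance -Target $target -Server $dc.HostName
        $link = $som.GpoLinks | Where-Object { $_.DisplayName -eq $GpoName }
        [pscustomobject]@{
            DC        = $dc.HostName
            Container = $target
            Blocked   = $som.GpoInheritanceBlocked
            Linked    = [bool]$link
            Enabled   = $link.Enabled
            Enforced  = $link.Enforced
        }
    }
}
$perDc | Sort-Object Container, DC | Format-Table -AutoSize

# 2. Effective GPO order at the computer's own OU. "Enforced" is the
#    newer name for "No override".
(Get-GPInheritance -Target $chain[0]).InheritedGpoLinks |
    Select-Object Order, DisplayName, Enabled, Enforced | Format-Table -AutoSize

# 3. Permissions on the GPO itself; look for a trustee that includes the
#    computer (e.g. Authenticated Users) holding GpoApply.
Get-GPPermission -Name $GpoName -All |
    Select-Object @{ n = 'Trustee'; e = { $_.Trustee.Name } }, Permission, Inherited
```

Running `gpresult /r /scope computer` on the client afterwards shows which GPOs were actually applied or filtered out.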
 
