Re: Limit to how far down a GPO will inherit?

From: lforbes (UseLinkToEmail_at_WindowsForumz.com)
Date: 01/03/05 

Date: 3 Jan 2005 15:01:44 -0500

"KevinW" wrote:
> Odd question I know, but I just can't figure out why this
> isn't working. I am trying to build a GPO to configure
> clients to my WUS server. At the root of the domain I have a
> the GPO created, it looks like this:
> [b:f5daca39bb]domainroot"POL Windows Update"[/b:f5daca39bb]
>
> Now the computer object sits down a couple OU's:
> [b:f5daca39bb]domainrootdepartmentstestcomputers"iss-2k04"
> [/b:f5daca39bb]
>
> For whatever reason (and there are no inheritance blocks
> anywhere down the chain), the GPO that sits at the domainroot
> will not apply to the computer object. Howver, if I create
> the GPO in the "test" OU in that path listed above, it applies
> just fine to the computer. The GPO management console lists
> the GPO in the root as inhertited in that computers OU, but
> like I said it doesn't apply.
>
> I wasn't sure if there was a limit to how far down a GPO
> applies. I don't think so, but it would be the only thing
> that explained this.

Hi,

There is no "limit" to how far down a GPO applies. I have about 20
sublevels. Check to see if the other policies are applying. I would
have guessed about the block policy inheritance. Have you checked ALL
your DC’s. Maybe one has a block and it hasn’t replicated but it is
the one doing the authenticating.

Also, make sure the DNS is working properly. It may have nothing to do
with your situation, but DNS is usually the culprit when GP’s don’t
apply. http://www.sd61.bc.ca/windows2000/dns.htm

I wouldn’t put the Updates at the Default Domain Level anyway because
then it will affect the servers. You Don’t want the servers rebooting
themselves with updates automatically.

Just a quick note. You mentioned WUS? Do you mean SUS? WUS is still in
beta form and not ready for regular deployment.
http://www.microsoft.com/windowsserversystem/wus/trial.mspx That may
be the problem if you are using a Beta program.
Cheers,

Lara 

-- 
Posted using the http://www.WindowsForumz.com/ interface, at author's request
Articles individually checked for conformance to usenet standards
Topic URL: http://www.WindowsForumz.com/Active-Directory-Limit-GPO-inherit-ftopict245271.html
Visit Topic URL to contact author (reg. req'd).  Report abuse: http://www.WindowsForumz.com/eform.php?p=748207

Relevant Pages

  • Re: Auto Update
    ... where the GPO is linked. ... > policies aren't being applied to the workstations entirely. ... > Only the User settings are, all the computer settings (which include the ... > I even tried moving the computer object into the same container as the ...
    (microsoft.public.win2000.group_policy)
  • Re: gpo security filter
    ... The User or Computer object must be within the ... scope of the GPO. ... Security) ... > into security filting and remove the authenticated ...
    (microsoft.public.windows.group_policy)
  • RE: Group Policy and XP Firewall
    ... - Move the computer object with default permissions to the new OU; ... - Create new GPO and Link it to new OU; ... - Configure the new GPO with Windows XP SP2 Firewall Settings that you need; ... - Verify GPO applied by running RSoP or view directly in windows firewall. ...
    (microsoft.public.windows.group_policy)
  • Re: NTFS permissions not being applied - a GP not being applied
    ... BJ Daniels schrieb: ... you linked the GPO to the OU, where the computer object is inside? ... -> The Target is in the scope of the GPO? ...
    (microsoft.public.windows.group_policy)
  • Re: designing -- single domain, single location
    ... a GPO only applies to a user or computer object. ... You do this by granting apply policy ... members of said group actually have permissions to do so. ...
    (microsoft.public.windows.server.active_directory)