Re: Need help with multiple GPOs

Tech Tip: Click here to run a free scan for Windows Errors and optimize PC performance

From: Graham Prentice (gprentice__at__oakville.ca)
Date: 01/07/05 

Date: Fri, 7 Jan 2005 16:23:52 -0500

OK, I've been playing a bit more with it and discovered something a bit
different.

top of tree
--OU1 has GPO1---OU2 has GPO2 (user object is here)
--OU3 has GPO3--OU4 has computer object (w/s user is logged into)

GPO1 has loopback processing=merge
GPO3 has loopback processing=replace

When user logs into w/s under OU4, it seems he gets GPO1.
I tried unlinking GPO1 and running gpupdate then gpresult on the w/s.
It says "The following GPOs were not applied because they were filtered out"
Well my wanted GPO is in the list. How is it filtered out? I've clicked
'Allow' for Domain Users' and authenticated users.
Any ideas?
Graham

"ptwilliams" <ptw2001@hotmail.com> wrote in message
news:u2KFzFP9EHA.2680@TK2MSFTNGP09.phx.gbl...
> The first thing to ascertain is what policies are winning in the
> application
> stakes. By default, unless no override is configured on a higher linked
> GPO.
>
> If you have some XP boxes, run the Resultant Set of Policy tool either as
> the logged on user, or if things are tied down too much, logon as
> administrator and run the RSoP and select the user you want.
>
> You need to see both the user and computer policy, especially when
> utilising
> loopback processing.
>
> --
>
> Paul Williams
>
> http://www.msresource.net/
> http://forums.msresource.net/
>
> "Graham Prentice" <gprentice_@_oakville.ca> wrote in message
> news:OFzQQLO9EHA.2016@TK2MSFTNGP15.phx.gbl...
> Hi we have several OUs with computer objects in each OU.
> Top---OU#1--GPO#1
> ---OU
> ---OU---OU#2--GPO#2---OU#3---GPO#3
> When a user logs into a computer in OU#1 we would like the GPO#1 to apply.
> For this we set GPO loopback processing mode to 'merge'
> Farther down the tree branches we have another OU with computer objects
> which we would like to override the GPO#1 with GPO#2.
> It seems GPO#1 likes to take affect even on OU#2.
> I've tried setting GPO#2 loopback processing to 'replace' but still not
> working.
> The users log into either OU's so user placement is in the default 'Users'
> OU.
> What's strange is that it did seem to work a while back, but now it's not.
> GPO#3 seems ok.
> Unfortunately things are locked down a bit and access to the cmd prompt by
> user is blocked by GPO.
> Any ideas?
> Thanks, Graham
>
>
>

Relevant Pages

  • Re: Group Policy for Software Update Services.
    ... the client software is working against a SUS server. ... > The GPO is applied to an OU with users, ... I will move a few computer objects in to an OU ...
    (microsoft.public.windows.server.active_directory)
  • Re: Windows Update policy not being applied
    ... all my computer objects import into the Computers ... Its not a true OU where you can hang a GPO. ... computer objects sitting in the container are not going to have the GPO ... > Settings under the computer node apply to computers. ...
    (microsoft.public.win2000.group_policy)
  • Re: Need help with multiple GPOs
    ... unless no override is configured on a higher linked ... Hi we have several OUs with computer objects in each OU. ... For this we set GPO loopback processing mode to 'merge' ...
    (microsoft.public.win2000.active_directory)
  • Re: GPO Loopback Processing question
    ... > (not parent and child of each other) and you wish to apply loopback to ... > Darren Mar-Elia ... >> loopback processing as well? ... >> We have computer objects under each OU and would like to have user and ...
    (microsoft.public.win2000.group_policy)
  • Re: Find Creator/Owner For All Computers In OU
    ... frequently not done and systems don't receive the correct GPOs, ... Perhaps consider making the default OU for new computer objects ... which you effect by script from GPO. ... The info and shutdown will be seen at first boot after the join and it will ...
    (microsoft.public.windows.server.active_directory)