Re: Default Domain Controller GPO Question

From: adfreak (rtivnan_at_comcast.net)
Date: 07/01/04

• Next message: Brian Desmond [MVP]: "Re: allowing denying drive letters?"
• Previous message: Poonam Desai: "net user /times?"
• In reply to: Darren Mar-Elia: "Re: Default Domain Controller GPO Question"
• Next in thread: Steven Umbach: "Re: Default Domain Controller GPO Question"
• Messages sorted by: [ date ] [ thread ]

---

Date: Thu, 1 Jul 2004 16:02:26 -0400

Excellent. When you say "thus, any policy set by the GPO lower in the list
will be overwritten by a conflicting setting on the GPO higher in the list",
by any chance do you have a URL you can link me to which states that as
proof? I need to put some documentation together.

Thanks again!

"Darren Mar-Elia" <dmanonymous@discussions.microsoft.com> wrote in message
news:%23NWEpQ6XEHA.4008@TK2MSFTNGP09.phx.gbl...
> The best solution would be to sort out what you really need in the
existing
> DC policy, rather than hoping that the new one doesn't screw up something.
> But, to answer your question, the best way would be to link a new GPO to
the
> DC OU and import your security template. In terms of conflicting settings,
> it depends upon which order the GPOs are linked--the higher GPO in the
list
> will process last and thus any policy set by the GPO lower in the list
will
> be overwritten by a conflicting setting on the GPO higher in the list.
Hope
> that helps.
>
> --
> Darren Mar-Elia
> MS-MVP-Windows Management
> http://www.gpoguy.com
>
>
>
> "adfreak" <rtivnan@comcast.net> wrote in message
> news:uui29J6XEHA.2408@tk2msftngp13.phx.gbl...
> > Here is my situation. The "Default Domain Controller Policy" for my
> > production AD has been modified numerous times (just the user rights
> > section). We are going to be moving to native mode from mixed mode
> shortly.
> > We would like to link a newly created DC Security policy.inf file via a
> GPO
> > to the Domain Controllers Container.
> >
> > For now, we want to keep the existing settins for the default DC GPO
> > (because we're not sure what will happen if we delete it because
previous
> > admins added numerous users/groups to certain user rights policies).
How
> > should we go about linking the newly created .inf? Do we simply "add" a
> GPO
> > and precede it before the Default DC one? What happens when some of the
> > user rights management settings conflict between the two as I know they
> > will? Which one will take affect? or will both?
> >
> > Is it bad to have two of them?
> >
> > Please advise
> >
> >
>
>

---

• Next message: Brian Desmond [MVP]: "Re: allowing denying drive letters?"
• Previous message: Poonam Desai: "net user /times?"
• In reply to: Darren Mar-Elia: "Re: Default Domain Controller GPO Question"
• Next in thread: Steven Umbach: "Re: Default Domain Controller GPO Question"
• Messages sorted by: [ date ] [ thread ]

---

Relevant Pages Re: Software restriction policies not working ... Are the users local admins? ... Do you have the policy set to apply to all ... created a path rule of m:\ with setting of disallowed. ... I run rsop.msc whilst still logged on as the user and find that the GPO ... (microsoft.public.windows.group_policy) Loopback issues ... policy set in Computer Configuraiton. ... GPO in User Configuration has set to not display "My Computer" on desktop ... Computer Configuraiton portion of GPO is working fine, but none ... (microsoft.public.windows.group_policy) Re: Sticking GPO ... I this case what is the best way to impliment a none "Tatoo" GPO? ... > off a cached copy of the policy if they can't obtain an updated policy set. ... >> till seem to have some of the settings set in the GPO?? ... (microsoft.public.windows.group_policy)

---

We are proud to have Web Hosting and Rack Housing from 9 Net Avenue Deutschland.
(12)