Re: starting over with GPO

Your description does not take into account the concept of Group Policy
Inheritance. By linking a GPO to the domain level, all OUs within the domain
will inherit those domain-level settings by default. In the example you
describe, you would only need to link the Domain GPO to the domain and Users
GPO to the Users OU - in other words, you would not need to link the Domain
GPO to the Users OU a second time.

See the following link for a description of Group Policy Inheritance:

http://technet2.microsoft.com/WindowsServer/en/library/212eb1fd-11f4-465f-b243-73e542d06b2c1033.mspx?mfr=true

HTH

Laura E. Hunter - MVP: Windows Server - Networking
"UWRFREPORTER04" <UWRFREPORTER04@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:F61ACD30-FB3D-4D57-BE5B-240BDC4453B5@xxxxxxxxxxxxxxxx
I decided to start over with figuring out my problems with GPO and accept
the
possibility the way I have my test lab set up is a reason not everything
is
being applied the way I want or how I think it should be. Ii'm running a
180
day trial of server 2003 on virtual pc, connected to a router-connected to
a
modem-back down to my laptop.

I decided to test it in a real environment I'm working on. The new DC is
not live and I'm the only one on the domain and I'll use myself as a test.

Here is what I want to do, want to make sure I have the right idea.

Create a default domain policy with the account policies (password,
account
lockout, etc), apply that to the entire domain.

Create an OU called Users OU and place all our users into that and create
a
new gpo and link that gpo to the Users OU.

For a few in the IT dept, I will create a separte OU called IT and only
link
the default domain policy so they don't get applied the same settings.

My question is when I'm linking gpos for the Users OU, what order does it
need to be linked. I read that the last OU is applied. I want the
default
domain policy account policies to take affect.

If I have
1: Users OU
2: Default Domain Policy.

What would be the result. I don't want the account policies to be ignored
because there is nothing set in the Users OU.

Please let me know if this sounds good or seems like it would work (in
theory) the way I have it designed in my head.


.

Relevant Pages

  • Re: Passowrd complexity LOCAL Account
    ... Place this computer account into an OU. ... Then, link a new GPO to the OU, ... configuring the GPO's Account Policy like you want the local SAM to behave. ... > local user accounts with passwords that do not follow the ...
    (microsoft.public.win2000.group_policy)
  • Re: Domain Admin account and lockout Policy
    ... have different account policies for different domain user accounts, ... Topics, Group Policy Management, Concepts, Group Policy Object Editor ... Default Domain Policy Group Policy object (GPO) or in a new GPO that ...
    (microsoft.public.windows.group_policy)
  • Re: Domain Admin account and lockout Policy
    ... have different account policies for different domain user accounts, ... Topics, Group Policy Management, Concepts, Group Policy Object Editor ... Default Domain Policy Group Policy object (GPO) or in a new GPO that ...
    (microsoft.public.windows.group_policy)
  • Re: GPO Filtering issue
    ... Default Domain Group Policy. ... Other GPO's with account settings configured ... I created a GPO for not having users locked out. ... Account lockout threshold 50 invalid logon attempts ...
    (microsoft.public.win2000.active_directory)
  • RE: Account Lockout Policy
    ... > effect account policy from the domain level". ... > Controllers, sitting in the Domain Controllers OU. ... If you greate a GPO linked to Domain ... only one account policy is permitted per ...
    (Focus-Microsoft)