Re: Removing One Server from Group Policy

This was great information, and already I'm starting to feel much
more comfortable with group policy. One last point needs
clarification:

It looks like disabling an option by deselecting the "Enable"
option in a child group policy does NOT undo the "Enable" option
selected in its parent. For purposes of comparing Enable versus
Not Enabled, across child and parent group policies, it looks
like Microsoft is employing "OR" logic. If any of the policies
being applied has Enable, then the option is Enabled with that
group policy's sub options. If two or more group policies have
the same option Enabled, then it is the last one that is applied
whose Enabled options are applied. Is it right?

The behavior that led me to this conclusion: I applied:

Default Domain Policy
Server Domain Policy // server OU is under the root
Proxy Server Domain Policy // proxy server OU is under the
Server OU

Default is where most of the settings exist. Servers currently
has no settings enabled. Proxy Server has just one setting
enabled, and its sub-value is different than the one in Default
Domain Policy.

The net result when all was said and done: on the Proxy Server
all of the Default Domain Policies were in effect with the
exception of the one option that was set in Proxy Server Domain
Policy. The fact that those same options were disabled in
Server and Proxy Server Domain Policies was ignored. That's
not a bad thing. I just need to understand the expected result.

--
Will
Internet: westes at earthbroadcast.com


"Glenn LeCheminant" <the.only(delete)@gmail dot com> wrote in
message news:%23UHnk%232bFHA.3328@xxxxxxxxxxxxxxxxxxxxxxx
> > Case 2: List Only New Group Policy. In this case the Group
> > Policy list for Proxy Servers reads:
> >
> > Proxy Server Group Policy
> >
> > What I am not clear on in this case is how are the parent
> > policies being applied? What is the difference between Case
2
> > and Case 1 in terms of what gets applied and in what
priority?
> >
> GPOS are always applied in the following order.
> L local
> S Site
> D domain
> OU organizational unit.
> sub OU
>
>
> Your linking Servers group policy and default domain group
policy to the
> proxy servers OU will not change what policies are applied.
> The processing will always follow the order I layed out.
Exception to this
> rule is the use of 'no override'
> In your specific example (case 1), the servers GPO is also
linked to the
> Servers OU, and the default domain policy is also linked to the
domain.
> Therefore the computers in proxy servers OU will apply the
servers and the
> default domain policies twice, because you also linked the
server GPO and
> default domain GPO to the proxy server OU.
>
>
> >
> > Case 3: Block Inheritance. In this case the Group Policy
list
> > for Proxy Servers reads:
> >
> > Proxy Server Group Policy
> >
> > and Block Inheritance checkbox is selected. In this case I
> > guess the entire policy must be entered into Proxy Server
Group
> > Policy, and nothing from any parent inherits.
> >
> Setting block inheritance on the proxy server OU will force
these systems to
> not apply the policies linked to the servers OU or the domain.
Therefore if
> those policies have settings you need, then you would need to
define them in
> the proxy server GPO.
>
> >
> > It seems to me like Case 1 is less work than Case 3. I
would
> > prefer Case 2 if I could be sure that the inheritance won't
take
> > precedence over the one policy I list, simply because then I
> > don't need to maintain the parent relationships inside of the
> > child object.
> >
>
> Case 2 is the preferred way since any settings you define in
the proxy
> server GPO will take precedence.
> This is accomplished because this policy gets applied last.
>
> If you use the no override switch on any other GPOs in the
parent OUs, then
> it will force those GPOs to be applied last, and therefore take
precedence
> over the policies defined in the proxy servers OU.


.

Relevant Pages

  • Re: Registry tatooing
    ... It can list and clean true policies, ... Speed Group Policy Troubleshooting with the NEW GPHealth Reporter tool at http://www.sdmsoftware.com/products.php ... Well, to his disliking, the settings remained. ...
    (microsoft.public.windows.server.active_directory)
  • Re: Group Policy question
    ... Policies" and Local Security Policy that is a subset of local Group Policy. ... the registry directly unless given direct and cohesive instructions ...
    (microsoft.public.windowsxp.security_admin)
  • RE: security policy not specified option
    ... Resultant Set of Policy does not in any way change the processing of Group ... processing different parts of group policy. ... Machine parses local policy and applies any settings contained in the ... parses computer configuration settings in those policies. ...
    (Focus-Microsoft)
  • Re: Multiple settings configured in one ou group policy
    ... The more policies that you have the more ... create a policy for every setting, as the more policies processed can have ... If you have policy settings that are going to change on a regular basis ... the group policy guide. ...
    (microsoft.public.windows.group_policy)
  • Re: Reset GP back to "out of box" ??
    ... Administrative Template policies (as opposed to ... select Import Policy and choose that setup security.inf file. ... you should remove the settings in the domain ... Group Policy Management solutions at http://www.sdmsoftware.com ...
    (microsoft.public.windows.group_policy)