Re: Aftermath of RDIRCMP.EXE?
- From: Mygposts <Mygposts@xxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Tue, 3 Mar 2009 15:43:01 -0800
We are going to try creating a new OU, putting the machines in there,
blocking inheritance and adding the machines accounts to a security group
with Deny Read and Deny Apply Group Policy permissions on the Default Domain
Policy.
Should that work?
"Jorge Silva" wrote:
Hi.
Ok, check the policy settings that you want (as I already said, some
policies only work at domain level, ex: Account settings). Create a new OU
and create the machines inside that OU. On top of that OU, create and link
the GPO that you created before. Block inheritance for higher polices and
check if you have policies at Site, Domain Level or higher OU that are
enforced overriding the settings that you want.
Does this solve your problem? If not please post how the OU design is and
what policies are not working or that are being overrided by other policies.
--
I hope that the information above helps you.
Have a Nice day.
Jorge Silva
MVP Directory Services
"Mygposts" <Mygposts@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:A0A3580D-74DD-47BB-8681-4DF733E26ED7@xxxxxxxxxxxxxxxx
The main issue is that thee is a special group of machines that had
extensive
policies set as local policies for testing purposes and they do not want
any
of those local settings undone or overrided by domain policies.
"Jorge Silva" wrote:
Hi
What will happen is that the computers will be default created in the OU
that you designate with REDIRCMP.
Regarding to the Default Policy GPO, you may have that Policy enforced
(as
already stated) or you're getting User definitions that don't apply to
computers but to users. Some of those settings can only be undone with a
new
policy at Domain level with higher priority over the Default Domain
policy
(but that won't solve your problem because it would still apply to all
users
in the domain because some of those settings are applied to the accounts
that are in the AD DB). For example password settings.
So the question is... What policies settings are you talking about?
--
I hope that the information above helps you.
Have a Nice day.
Jorge Silva
MVP Directory Services
"Mygposts" <Mygposts@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:4432EA8A-3001-4B4A-AA24-6AFDA08D0899@xxxxxxxxxxxxxxxx
We are considering running this command so new machines will
automatically
go
into an ou with special policies if the tech forgets to precreate the
computer account in the correct OU.
However, we are concerned about side effects because we are using the
default Computers Container as a place to put machines that for
whatever
reason need to be exempt from all Group Policies including the Default
Domain
Policy.
We tried creating an OU and blocking group policy inheritance, but that
does
not block the default domain policy, so we had to move the machines
back
into
the computers container.
What will happen to the machines that are being stored in the default
Computers Container after running the RDIRCMP.exe command?
- Follow-Ups:
- Re: Aftermath of RDIRCMP.EXE?
- From: Jorge Silva
- Re: Aftermath of RDIRCMP.EXE?
- From: Ace Fekay [Microsoft Certified Trainer]
- Re: Aftermath of RDIRCMP.EXE?
- References:
- Re: Aftermath of RDIRCMP.EXE?
- From: Jorge Silva
- Re: Aftermath of RDIRCMP.EXE?
- From: Mygposts
- Re: Aftermath of RDIRCMP.EXE?
- From: Jorge Silva
- Re: Aftermath of RDIRCMP.EXE?
- Prev by Date: LDAP Query for memeber of one group
- Next by Date: Re: LDAP Query for memeber of one group
- Previous by thread: Re: Aftermath of RDIRCMP.EXE?
- Next by thread: Re: Aftermath of RDIRCMP.EXE?
- Index(es):
Relevant Pages
|
