[Windows Server 2012 R2] Applying a different GPO to each OU


10 replies to this topic

#1 Resilo

Posted 07 March 2017 - 01:56 PM

So I have a GPO I created called new domain policy controlling the entire domain. But within the domain I have an OU called Owners. I want to exclude the OU from the domain GPO called new domain policy and apply a separate GPO to Owners called Owners GPO.

In order to apply this GPO and make sure this is the only GPO controlling Owners, what are the steps I would have to take?


A little information for anyone curious

I am a novice computer technician.

My education is a diploma level in Network Systems Administration.




#2 technonymous

Posted 07 March 2017 - 06:45 PM

After you created the OU and the GPO for it you right-click the OU and choose link to existing GPO. There is also a right-click option to block inheritance.


Edited by technonymous, 07 March 2017 - 06:45 PM.


#3 Sneakycyber

Posted 07 March 2017 - 09:32 PM

You can do this in the delegation tab. Open the New Domain policy group policy object, select the delegation tab, click "advanced", add the "Owners" group and under apply group policy check the deny option. Now create the new owners policy and apply it to the Owners group only instead of the entire domain.

Chad Mockensturm 
Network Engineer
Certified CompTia Network +, A +

#4 Resilo

Posted 08 March 2017 - 05:11 PM

Thanks, I was thinking more of something like the way technonymous suggested. However, even with that exact setup the Owners GPO is not being applied, and instead the OU Owners is being controlled by new domain policy even though I have blocked the inheritance and linked/enforced the Owners GPO?



#5 technonymous

Posted 10 March 2017 - 05:38 AM

Try right-clicking the default OU (parent) and click block inheritance and now link the custom new GPO to the new child OU. You can also in Group Policy Objects folder move the custom GPO above all the other default GPOs. That will change priority and ensure the custom policy is applied first.

Edit: Be sure to apply the changes in cmd: gpupdate /force


Edited by technonymous, 10 March 2017 - 05:40 AM.


#6 Resilo

Posted 15 March 2017 - 10:48 AM

So even after a force update and making sure jedi council is enforced, has inheritance blocked and is linked to Owners, I double checked the password complexity, but for whatever reason I can still create an account in the OU without any password complexity.

I have provided a screenshot to assist with questions about the setup:

https://gyazo.com/9aa9fe38afd031553049366ffb95c0d9



#7 technonymous

Posted 15 March 2017 - 01:52 PM

OK, you have gone into AD users and groups and created one OU called Owners and a GPO for it. You blocked inheritance on the OU. Now you can create a new sub OU within Owners OU. From within the group policy management tool you right-click the new sub OU and create a new GPO for it. Now going back to the AD users and groups tool you create computers, users etc. and their policy will apply, and the "Parent" directory Owners OU will not delegate or propagate down as you have already right-clicked on Owners OU and blocked inheritance. You then move the sub OU GPO into first place in the policy management. Then update the group policy.


Edited by technonymous, 16 March 2017 - 12:51 PM.


#8 Resilo

Posted 15 March 2017 - 03:49 PM

So even after following your suggestion I am still experiencing the error that I can still create users that don't meet the specified complexity. I edited the GPO and under computer configuration the complexity is enabled. Is there a different place under user configuration I can change this, or is it still just a problem with the way I have the GPO configured?


Edited by Resilo, 15 March 2017 - 04:15 PM.


#9 JohnnyJammer

Posted 15 March 2017 - 05:29 PM

Create a security group in AD, add the users to that group and then add that group to the GPO and make sure that group has no permission to read or execute the GPO.



#10 technonymous

Posted 16 March 2017 - 12:50 PM

Yes, as Johnny said, be sure to check users/groups permissions. You may have users in more than one group or OU. Remove/add them as needed in the proper parent or the child OU directory. Permissions in the parent are going to override the lower child.


Edited by technonymous, 16 March 2017 - 12:54 PM.


#11 sflatechguy

Posted 19 March 2017 - 10:00 AM

"So even after a force update and making sure jedi council is enforced..."

 

If the domain policy you created is set to be enforced, blocking inheritance at the OU level won't prevent the policy from being applied.
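
The interaction described in the last reply (an enforced link above the OU still applying despite Block Inheritance) can be checked from PowerShell. This is an added example, not part of any post in the thread: it lists every GPO link that actually reaches the Owners OU and flags enforced links that come from above it. The domain DN `DC=example,DC=com` and the function name are placeholders, and the GroupPolicy module (RSAT Group Policy Management) is assumed to be installed.

```powershell
# Added example: audit which GPO links really apply to an OU.
# Assumptions (not from the thread): placeholder domain DN DC=example,DC=com,
# GroupPolicy module available, run with rights to read GPO links.
Import-Module GroupPolicy

$ouDn = 'OU=Owners,DC=example,DC=com'   # placeholder DN for the Owners OU

function Get-EffectiveGpoLinkReport {   # hypothetical helper name
    param([Parameter(Mandatory)][string]$Target)

    $som = Get-GPInheritance -Target $Target
    Write-Host "Block Inheritance on ${Target}: $($som.GpoInheritanceBlocked)"

    # GPOs linked directly on this OU (GpoLinks); InheritedGpoLinks is the
    # full set that clients in the OU process, in precedence order.
    $direct = @($som.GpoLinks | ForEach-Object { $_.GpoId })

    foreach ($link in $som.InheritedGpoLinks) {
        $isDirect = $direct -contains $link.GpoId
        [pscustomobject]@{
            Order    = $link.Order
            Gpo      = $link.DisplayName
            LinkedAt = $link.Target
            Enabled  = $link.Enabled
            Enforced = $link.Enforced
            Note     = if ($isDirect) {
                           'Linked on this OU'
                       } elseif ($link.Enforced) {
                           'Enforced above the OU: Block Inheritance does not stop it'
                       } else {
                           'Inherited (inheritance is not blocked)'
                       }
        }
    }
}

Get-EffectiveGpoLinkReport -Target $ouDn |
    Sort-Object Order |
    Format-Table -AutoSize

# If the report shows the domain-level link as Enforced, clearing that flag
# on the link lets Block Inheritance on the OU take effect (GPO name as used
# in the thread, domain DN is the placeholder from above):
# Set-GPLink -Name 'new domain policy' -Target 'DC=example,DC=com' -Enforced No
```

Run `gpupdate /force` on a client in the OU afterwards and compare with `gpresult /r` to confirm which GPOs were applied.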





