Sign in with
Sign up | Sign in
Your question

Limit to how far down a GPO will inherit?

Last response: in Windows 2000/NT
Share
Anonymous
January 3, 2005 5:09:20 PM

Archived from groups: microsoft.public.win2000.active_directory (More info?)

Odd question I know, but I just can’t figure out why this isn’t
working. I am trying to build a GPO to configure clients to my WUS
server. At the root of the domain I have a the GPO created, it looks
like this:
"domainroot\"POL Windows Update"

Now the computer object sits down a couple OU’s:
"domainroot\departments\test\computers\"iss-2k04"

For whatever reason (and there are no inheritance blocks anywhere down
the chain), the GPO that sits at the domainroot will not apply to the
computer object. Howver, if I create the GPO in the "test" OU in
that path listed above, it applies just fine to the computer. The GPO
management console lists the GPO in the root as inhertited in that
computers OU, but like I said it doesn’t apply.

I wasn’t sure if there was a limit to how far down a GPO applies. I
don’t think so, but it would be the only thing that explained this.

--
Posted using the http://www.WindowsForumz.com/ interface, at author's request
Articles individually checked for conformance to usenet standards
Topic URL: http://www.WindowsForumz.com/Active-Directory-Limit-GPO...
Visit Topic URL to contact author (reg. req'd). Report abuse: http://www.WindowsForumz.com/eform.php?p=748109

More about : limit gpo inherit

Anonymous
January 3, 2005 6:01:44 PM

Archived from groups: microsoft.public.win2000.active_directory (More info?)

"KevinW" wrote:
> Odd question I know, but I just can't figure out why this
> isn't working. I am trying to build a GPO to configure
> clients to my WUS server. At the root of the domain I have a
> the GPO created, it looks like this:
> domainroot"POL Windows Update"
>
> Now the computer object sits down a couple OU's:
> domainrootdepartmentstestcomputers"iss-2k04"
>

>
> For whatever reason (and there are no inheritance blocks
> anywhere down the chain), the GPO that sits at the domainroot
> will not apply to the computer object. Howver, if I create
> the GPO in the "test" OU in that path listed above, it applies
> just fine to the computer. The GPO management console lists
> the GPO in the root as inhertited in that computers OU, but
> like I said it doesn't apply.
>
> I wasn't sure if there was a limit to how far down a GPO
> applies. I don't think so, but it would be the only thing
> that explained this.

Hi,

There is no "limit" to how far down a GPO applies. I have about 20
sublevels. Check to see if the other policies are applying. I would
have guessed about the block policy inheritance. Have you checked ALL
your DC’s. Maybe one has a block and it hasn’t replicated but it is
the one doing the authenticating.

Also, make sure the DNS is working properly. It may have nothing to do
with your situation, but DNS is usually the culprit when GP’s don’t
apply. http://www.sd61.bc.ca/windows2000/dns.htm

I wouldn’t put the Updates at the Default Domain Level anyway because
then it will affect the servers. You Don’t want the servers rebooting
themselves with updates automatically.

Just a quick note. You mentioned WUS? Do you mean SUS? WUS is still in
beta form and not ready for regular deployment.
http://www.microsoft.com/windowsserversystem/wus/trial.... That may
be the problem if you are using a Beta program.
Cheers,

Lara

--
Posted using the http://www.WindowsForumz.com/ interface, at author's request
Articles individually checked for conformance to usenet standards
Topic URL: http://www.WindowsForumz.com/Active-Directory-Limit-GPO...
Visit Topic URL to contact author (reg. req'd). Report abuse: http://www.WindowsForumz.com/eform.php?p=748207
Anonymous
January 3, 2005 6:07:01 PM

Archived from groups: microsoft.public.win2000.active_directory (More info?)

Ensure that "iss-2k04" belongs to a group that has "read" and "apply group
policy" permissions set on the "..\test\computers" OU (Group Policy >
Properties > Security). Otherwise, "authenticated users" would already
include it (yes that covers also machines).

Check the sequence of GPOs listed at "..\test\computers" as well. The order
of application is Local GP > Site > Domain > OU > sub-OU > sub-sub-OU, etc.,
and the one appearing at the top most (of the GPO list) will take precedence.

Run through and see if any GPO further up the chain has "No override" turned
on.

Hope this helps.

"KevinW" wrote:

> Odd question I know, but I just can’t figure out why this isn’t
> working. I am trying to build a GPO to configure clients to my WUS
> server. At the root of the domain I have a the GPO created, it looks
> like this:
> "domainroot\"POL Windows Update"
>
> Now the computer object sits down a couple OU’s:
> "domainroot\departments\test\computers\"iss-2k04"
>
> For whatever reason (and there are no inheritance blocks anywhere down
> the chain), the GPO that sits at the domainroot will not apply to the
> computer object. Howver, if I create the GPO in the "test" OU in
> that path listed above, it applies just fine to the computer. The GPO
> management console lists the GPO in the root as inhertited in that
> computers OU, but like I said it doesn’t apply.
>
> I wasn’t sure if there was a limit to how far down a GPO applies. I
> don’t think so, but it would be the only thing that explained this.
>
> --
> Posted using the http://www.WindowsForumz.com/ interface, at author's request
> Articles individually checked for conformance to usenet standards
> Topic URL: http://www.WindowsForumz.com/Active-Directory-Limit-GPO...
> Visit Topic URL to contact author (reg. req'd). Report abuse: http://www.WindowsForumz.com/eform.php?p=748109
>
!