Limit to how far down a GPO will inherit?

Archived from groups: microsoft.public.win2000.active_directory (More info?)

Odd question I know, but I just can’t figure out why this isn’t
working. I am trying to build a GPO to configure clients to my WUS
server. At the root of the domain I have a the GPO created, it looks
like this:
"domainroot\"POL Windows Update"

Now the computer object sits down a couple OU’s:
"domainroot\departments\test\computers\"iss-2k04"

For whatever reason (and there are no inheritance blocks anywhere down
the chain), the GPO that sits at the domainroot will not apply to the
computer object. Howver, if I create the GPO in the "test" OU in
that path listed above, it applies just fine to the computer. The GPO
management console lists the GPO in the root as inhertited in that
computers OU, but like I said it doesn’t apply.

I wasn’t sure if there was a limit to how far down a GPO applies. I
don’t think so, but it would be the only thing that explained this.

--
Posted using the http://www.WindowsForumz.com/ interface, at author's request
Articles individually checked for conformance to usenet standards
Topic URL: http://www.WindowsForumz.com/Active-Directory-Limit-GPO-inherit-ftopict245271.html
Visit Topic URL to contact author (reg. req'd). Report abuse: http://www.WindowsForumz.com/eform.php?p=748109
2 answers Last reply
More about limit inherit
  1. Archived from groups: microsoft.public.win2000.active_directory (More info?)

    "KevinW" wrote:
    > Odd question I know, but I just can't figure out why this
    > isn't working. I am trying to build a GPO to configure
    > clients to my WUS server. At the root of the domain I have a
    > the GPO created, it looks like this:
    > domainroot"POL Windows Update"
    >
    > Now the computer object sits down a couple OU's:
    > domainrootdepartmentstestcomputers"iss-2k04"
    >

    >
    > For whatever reason (and there are no inheritance blocks
    > anywhere down the chain), the GPO that sits at the domainroot
    > will not apply to the computer object. Howver, if I create
    > the GPO in the "test" OU in that path listed above, it applies
    > just fine to the computer. The GPO management console lists
    > the GPO in the root as inhertited in that computers OU, but
    > like I said it doesn't apply.
    >
    > I wasn't sure if there was a limit to how far down a GPO
    > applies. I don't think so, but it would be the only thing
    > that explained this.

    Hi,

    There is no "limit" to how far down a GPO applies. I have about 20
    sublevels. Check to see if the other policies are applying. I would
    have guessed about the block policy inheritance. Have you checked ALL
    your DC’s. Maybe one has a block and it hasn’t replicated but it is
    the one doing the authenticating.

    Also, make sure the DNS is working properly. It may have nothing to do
    with your situation, but DNS is usually the culprit when GP’s don’t
    apply. http://www.sd61.bc.ca/windows2000/dns.htm

    I wouldn’t put the Updates at the Default Domain Level anyway because
    then it will affect the servers. You Don’t want the servers rebooting
    themselves with updates automatically.

    Just a quick note. You mentioned WUS? Do you mean SUS? WUS is still in
    beta form and not ready for regular deployment.
    http://www.microsoft.com/windowsserversystem/wus/trial.mspx That may
    be the problem if you are using a Beta program.
    Cheers,

    Lara

    --
    Posted using the http://www.WindowsForumz.com/ interface, at author's request
    Articles individually checked for conformance to usenet standards
    Topic URL: http://www.WindowsForumz.com/Active-Directory-Limit-GPO-inherit-ftopict245271.html
    Visit Topic URL to contact author (reg. req'd). Report abuse: http://www.WindowsForumz.com/eform.php?p=748207
  2. Archived from groups: microsoft.public.win2000.active_directory (More info?)

    Ensure that "iss-2k04" belongs to a group that has "read" and "apply group
    policy" permissions set on the "..\test\computers" OU (Group Policy >
    Properties > Security). Otherwise, "authenticated users" would already
    include it (yes that covers also machines).

    Check the sequence of GPOs listed at "..\test\computers" as well. The order
    of application is Local GP > Site > Domain > OU > sub-OU > sub-sub-OU, etc.,
    and the one appearing at the top most (of the GPO list) will take precedence.

    Run through and see if any GPO further up the chain has "No override" turned
    on.

    Hope this helps.

    "KevinW" wrote:

    > Odd question I know, but I just can’t figure out why this isn’t
    > working. I am trying to build a GPO to configure clients to my WUS
    > server. At the root of the domain I have a the GPO created, it looks
    > like this:
    > "domainroot\"POL Windows Update"
    >
    > Now the computer object sits down a couple OU’s:
    > "domainroot\departments\test\computers\"iss-2k04"
    >
    > For whatever reason (and there are no inheritance blocks anywhere down
    > the chain), the GPO that sits at the domainroot will not apply to the
    > computer object. Howver, if I create the GPO in the "test" OU in
    > that path listed above, it applies just fine to the computer. The GPO
    > management console lists the GPO in the root as inhertited in that
    > computers OU, but like I said it doesn’t apply.
    >
    > I wasn’t sure if there was a limit to how far down a GPO applies. I
    > don’t think so, but it would be the only thing that explained this.
    >
    > --
    > Posted using the http://www.WindowsForumz.com/ interface, at author's request
    > Articles individually checked for conformance to usenet standards
    > Topic URL: http://www.WindowsForumz.com/Active-Directory-Limit-GPO-inherit-ftopict245271.html
    > Visit Topic URL to contact author (reg. req'd). Report abuse: http://www.WindowsForumz.com/eform.php?p=748109
    >
Ask a new question

Read More

Active Directory Windows