Deny policy not working

[Guest]

Archived from groups: microsoft.public.win2000.group_policy (More info?)

Start off by saying I've searched this forum and not found a thread with a
solution that's either worked or I'd not yet tried already, so...

I'd like our W2K DC and an XPPro PC to not inherit Defauly Domain Policy.
Here's what I've tried (refreshing with each try) but obviously didnt work:

-Made sure Default Domain Policy does not have No Override checked
-Block Policy Inheritance box checked at their OUs
-In Security tab of Default Domain Policy, added the DC and XP box, and set
their Apply Group Policy to Deny
-For the DC, also tried editing Default DC Policy
-Even created a GPO for their OUs with No Override set (even though shouldnt
work anyway since No Override only applies to 'lower' objects, right?)

 

[Guest]

Archived from groups: microsoft.public.win2000.group_policy (More info?)

Which policy settings in the domain-linked GPO are you seeing
as not being blocked? Or, are you seeing this behavior no matter
what policy setting. The reason that I ask is that some settings,
Account policy settings in particular, are handled uniquely, and
if set in a domain-linked policy will be effective even for machines
to which that GPO is set to not be applied.
You may find that restructuring where policies are set is more
effective than trying to use inheritance blocking and security group
filtering, or perhaps I should have said less messy or more clear
rather than more effective.
--
Roger Abell
Microsoft MVP (Windows Security)
MCSE (W2k3,W2k,Nt4) MCDBA
"mikeindo" <mikeindo@discussions.microsoft.com> wrote in message
news:7431772E-8505-40D7-910B-DD77CA832F90@microsoft.com...
> Start off by saying I've searched this forum and not found a thread with a
> solution that's either worked or I'd not yet tried already, so...
>
> I'd like our W2K DC and an XPPro PC to not inherit Defauly Domain Policy.
> Here's what I've tried (refreshing with each try) but obviously didnt
work:
>
> -Made sure Default Domain Policy does not have No Override checked
> -Block Policy Inheritance box checked at their OUs
> -In Security tab of Default Domain Policy, added the DC and XP box, and
set
> their Apply Group Policy to Deny
> -For the DC, also tried editing Default DC Policy
> -Even created a GPO for their OUs with No Override set (even though
shouldnt
> work anyway since No Override only applies to 'lower' objects, right?)

 

[Guest]

Archived from groups: microsoft.public.win2000.group_policy (More info?)

specifically, it's the screensaver settings. i've set the default domain
setting for 30 minutes, but would like to manually set the (physically
secure) DC to not have one at all and manually set my XP PC to 5 minutes.
so, as i stated above, essentially i'm trying to set 2 computers to deny
Apply Group Policy. fyi, denying "Apply Group Policy' worked in an OU's
policy for my (domain admin) user account. in other words, all PCs in that
OU allow me to log in with no GPO settings applied.

 

[Guest]

Archived from groups: microsoft.public.win2000.group_policy (More info?)

eventually just said "screw it" and removed Default policy settings that
bugged me, created a new OU containing all other PCs (excluding DC and my XP
PC), and created a GPO for that OU with the settings i needed...

 

[Guest]

Archived from groups: microsoft.public.win2000.group_policy (More info?)

>eventually just said "screw it" and removed Default policy settings
>that bugged me, created a new OU containing all other PCs (excluding
>DC and my XP PC), and created a GPO for that OU with the settings i
>needed...

Hi,

This is the recommended way to setup Group Policy anyway. I always
create "Upper Level" Ou’s for users and computers for all settings.
I rarely put anything in the Default Domain Policy.

Did it work?

Cheers,

Lara

--
Posted using the http://www.windowsforumz.com interface, at author's request
Articles individually checked for conformance to usenet standards
Topic URL: http://www.windowsforumz.com/Group-Policy-Deny-working-ftopict369421.html
Visit Topic URL to contact author (reg. req'd). Report abuse: http://www.windowsforumz.com/eform.php?p=1204854

Posted Via Usenet.com Premium Usenet Newsgroup Services
----------------------------------------------------------
** SPEED ** RETENTION ** COMPLETION ** ANONYMITY **
----------------------------------------------------------
http://www.usenet.com