Hey, a few basic GP Q's (win2k3 standard) if I may:

**ARIKV** · 03-27-2005, 09:49 AM

I'm studing toward mcse and made several DC's (child domain, diff domain, cross-forest) using 2 win2k3 servers, a few things got me unprepered:

1. after promoting DC I can access GP's and modify settings but once assigning trust relationships they're gone, keep getting "the domain controller for...." and then I need to choose from: "the one with the Operations master" etc and then get: "failed to open group policy object. you may not have appropriate rights" and then they're grayed-out, could find anything that fixed it through google.
I'm connected using the admin username.
P.s.
I can use gpedit.msc without any problem.

<UPDATE: just solved the first one, had to enable file and printers sharing for all my NIc's>

2. Is it only me or modifing Computer GP (gpedit) in a DC effects the entire domain?

3. can someone please explain to me what settings should be defined in the "domain controller OU" and what on the "Domain" GP's?

Thanks alot in advance, Arik

**Stock** · 03-28-2005, 09:42 AM

Group Policy Objects only affect the computer and user accounts under the objects to which you have linked them. In other words...if you link a GPO to the Domain Controllers OU or modify the default domain controller policy, it will only effect the objects in that OU (Your domain controllers). If you create a GPO and link it to the domain or edit the default domain policy, then you will be effecting all user and computer objects in the domain. So the effects of creating or modifying policies of the Default domain controller OU will only effect your DC's. Modifying or Creating policies at the domain level will effect all users and computers in the domain. If you are studying for exams then I would suggest creating OU's and populating them with computer and user accounts and trying different policies.

**chrisp** · 03-28-2005, 10:17 AM

In regards to #3.

You generally should not edit the Default domain and Default domain controller policies. These are the default out of the box settings that should not be changed unless you have a well defined reason for doing so. Create new policies for your settings outside of these default GPOs, and link them to the domain or DC OU level. Then modify the order of precendence depending on your needs and policy setting collisions. (same settings in different policies, the higher in the list will win)

If your question is "What are the settings in these policies?" You might want to install the GPMC, and use the "settings tab" to get a nice view of what is in these policies. You can also right click the policy and choose 'save report'. This will give you html reports of the policy settings for your reference.

GPMC with Service Pack 1
http://www.microsoft.com/downloads/details.aspx?FamilyID=0a6d4c24-8cbd-4b35-9272-dd3cbfc81887&displaylang=en

-cp

**ARIKV** · 03-29-2005, 12:48 AM

Originally Posted by chrisp

In regards to #3.

You generally should not edit the Default domain and Default domain controller policies. These are the default out of the box settings that should not be changed unless you have a well defined reason for doing so. Create new policies for your settings outside of these default GPOs, and link them to the domain or DC OU level. Then modify the order of precendence depending on your needs and policy setting collisions. (same settings in different policies, the higher in the list will win)

If your question is "What are the settings in these policies?" You might want to install the GPMC, and use the "settings tab" to get a nice view of what is in these policies. You can also right click the policy and choose 'save report'. This will give you html reports of the policy settings for your reference.

GPMC with Service Pack 1
http://www.microsoft.com/downloads/details.aspx?FamilyID=0a6d4c24-8cbd-4b35-9272-dd3cbfc81887&displaylang=en

-cp

because I first wanna control the default GP mmc(s) because it's the interface I got tested on 70-290 (and unfortunately will be again)

**ARIKV** · 03-29-2005, 12:51 AM

Originally Posted by Stock

Group Policy Objects only affect the computer and user accounts under the objects to which you have linked them. In other words...if you link a GPO to the Domain Controllers OU or modify the default domain controller policy, it will only effect the objects in that OU (Your domain controllers). If you create a GPO and link it to the domain or edit the default domain policy, then you will be effecting all user and computer objects in the domain. So the effects of creating or modifying policies of the Default domain controller OU will only effect your DC's. Modifying or Creating policies at the domain level will effect all users and computers in the domain. If you are studying for exams then I would suggest creating OU's and populating them with computer and user accounts and trying different policies.

those questions, like when I audited "object access" in the DC and DOMAIN levels and gpupdate/force them still by RDP to the same computer got nothing (maybe I had to reboot them but that takes like forever so I got lazy because I wanna retake asap before I forget stuff)

Thread: Hey, a few basic GP Q's (win2k3 standard) if I may:

LinkBack

Thread Tools

Search Thread

Display

Posting Permissions