Thread: GPO Processing

  1. #1
    rooky

    Hello,

    I am new to Windows 2003 Server based Active Directory and Group Policy management.
    I am encountering the following problem:

    In our AD domain there is an OU called Policies.
    When I open GPMC to view the active GPOs I can see that they are first linked to that specific Policies OU and to other levels in AD. Is this necessary for GPOs and links to function properly?
    It seems that when I link a GPO from the Group Policy Objects container to a level in AD within the GPMC, the GPO is not processed on the client; when I also link it to the Policies OU it works??
    Can somebody explain the above situation so that it becomes clearer? I cannot find related topics.

  2. #2
    chrisp

    GPOs linked to an OU will be inherited by child OUs. If the policy is linked at a parent level but does not apply, check to see if the OU Policies is marked "Block Policy inheritance".

    Block policy inheritance
    http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/ServerHelp/4e1b0b2b-6e88-4c7d-a848-f20f3b18660b.mspx

    When the policy is not linked to the Policies OU, you can take a gpresult /v and examine the output.

    You may see an entry about policies not applied, and a corresponding reason. Usually it says "Unknown reason". A quick test on a virtual machine throws "Unknown reason" when we block policy inheritance.


    -cp

  3. #3
    kevsully

    I have a few questions for you. Is the 'policies' OU populated with anything? Or is it just sitting there with GPOs linked to it? Where are the users and computers, and, like chrisp points out, could this be an inheritance issue of some sort?

    Pre-GPMC it was common (well, sort of) to create an empty OU and have that as the location for all GPOs to be 'created'. Without a Group Policy centric view of the enterprise that was one way I saw folks put in place to stay organized. But now that we know Group Policy better there is no reason to link a GPO to any container other than the target.

    Jeremy points out one of the questionable wording issues found in the GPMC. When you right click on an OU and choose new... it says "Create and Link a Group Policy Object here?" or something like that. It makes it appear that the GPO is being created on that target OU which is not the case.

    Anyway, run some RSoP reports, look at the contents of the different OUs, in GPMC look at the inheritance tab and look at the links on the GPOs. You will track it down.

    GL
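
The inheritance and link checks suggested in the two replies above, as an added example that is not part of the thread: it works out which GPO links reach a client from the `gPLink` and `gPOptions` attributes of the containers on its DN path. It goes beyond the thread by also handling disabled and enforced links; the domain, GUIDs and GPO names are constructed, `Get-GpoProcessingOrder` is a hypothetical helper, and site links, security filtering and WMI filters are not modelled.

```powershell
# Constructed sample data: domain, GUIDs and GPO names are made up.
$store = 'CN=Policies,CN=System,DC=example,DC=local'   # where GPOs are stored
$g1 = '{11111111-1111-1111-1111-111111111111}'
$g2 = '{22222222-2222-2222-2222-222222222222}'
$g3 = '{33333333-3333-3333-3333-333333333333}'
$names = @{ $g1 = 'Default Domain Policy'; $g2 = 'Legacy Baseline'; $g3 = 'Desktop Lockdown' }

# Containers on the client's DN path only, domain root first. An OU that is not
# on this path (for example a separate, empty OU=Policies) is never consulted.
# Link flags in gPLink: 0 = enabled, 1 = disabled, 2 = enforced.
# gPOptions 1 on a container = Block Inheritance.
$chain = @(
    @{ DN = 'DC=example,DC=local'; gPOptions = 0
       gPLink = "[LDAP://CN=$g1,$store;2][LDAP://CN=$g2,$store;0]" },
    @{ DN = 'OU=Workstations,DC=example,DC=local'; gPOptions = 1
       gPLink = "[LDAP://CN=$g3,$store;0]" }
)

# Hypothetical helper: returns the links in processing order (last one wins).
function Get-GpoProcessingOrder {
    param([object[]]$Chain, [hashtable]$Names)
    $rx = '\[LDAP://CN=(\{[^}]+\})[^;\]]*;(\d+)\]'
    $normal = @(); $enforced = @()
    foreach ($c in $Chain) {
        # Block Inheritance discards non-enforced links collected from above.
        if ($c.gPOptions -band 1) { $normal = @() }
        $hereEnforced = @()
        # Within one gPLink value, later entries are processed later.
        foreach ($m in [regex]::Matches("$($c.gPLink)", $rx, 'IgnoreCase')) {
            $guid  = $m.Groups[1].Value
            $flags = [int]$m.Groups[2].Value
            if ($flags -band 1) { continue }              # link disabled
            $name = $Names[$guid]; if (-not $name) { $name = $guid }
            $entry = '{0} (linked at {1})' -f $name, $c.DN
            if ($flags -band 2) { $hereEnforced += $entry } else { $normal += $entry }
        }
        # Enforced links run after all normal ones; higher containers run last.
        $enforced = $hereEnforced + $enforced
    }
    $normal + $enforced
}

Get-GpoProcessingOrder -Chain $chain -Names $names
```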

  4. #4
    rooky

    "pre-GPMC it was common (well sort of) to create an empty OU and have that as the location for all GPOs to be 'created'. Without a Group Policy centric view of the enterprise that was one way I saw folks put in place to stay organized. But now that we know Group Policy better there is no reason to link a GPO to any container other than the target."

    Thanks Kevsully and Chrisp

    I think it is the resolution as described above; there is no block inheritance set on the OU.
    I cannot think of another reason why the OU is placed in Active Directory and why almost all GPOs are linked to it.
    The OU itself is not used to store accounts or computers; it just sits there with only the GPO links.
    So "old school" way... yes, I think so.
    I'm going to test a new GPO by linking it to the OU level I specified in AD.
    Previous tests resulted in "not applied" (the GPO was not applied), but when I linked the GPO to the Policies OU and logged on to the client, I could see in the gpresult the GPO being applied, so that is the part I cannot figure out (excuse my bad English).
    I will get back on this topic after I have tested.
    For now, thanks!!

  5. #5
    kevsully

    Let us know if it works!

  6. #6
    rooky

    Hi Kevsully and Chrisp

    Well, it seems to work in the way of linking a GPO directly from the Group Policy Objects container to any level in Active Directory.
    So not linking them to the Policies OU will not affect the functionality of the GPO.
    It is still a strange manner, since a 2003 MCSE built the AD structure and thus the Policies OU. For what? Only to view GPOs the old school way?
    Well, meanwhile I learned a lot about RSoP and testing GPOs, and they all apply without linking them to the Policies OU, so nothing to be concerned about.

    Thanks for all the help, this forum helps out in a great way, so I think I will post a lot of questions here....

  7. #7
    kevsully

    Great news rookie...

    The Group Policies container is not 'technically' an OU. It is a container visible in GPMC so that you can see all GPOs stored together, without any necessary linking. This is actually a good thing. I can see the confusion, but once you get used to the little 'quirks' with GP you will be psyched. There is a lot of great stuff in there.

    Kevin

  8. #8
    rooky

    Yep, I know that the Group Policy Objects container is not an OU.
    But GPO terminology and AD can be confusing sometimes.
    But with a little help and a little tryout it will pay off eventually.

    Thanks

    I've got a lot more questions but I need to be in other sections of this forum, so thanks for this one!! :wink:
