Default Domain Policy Overriding Custom GPO even though Custom GPO is Enforced

Solution 1

The trick was to "Block Inheritance" on the immediate parent OU for the child OU in question.

  • Right-click the parent OU of the OU you want to apply your custom GPO to, then click "Block Inheritance"
  • Apply your custom GPO to the child OU beneath the parent OU you just blocked inheritance on
  • From (domain controller) CMD prompt, type: gpupdate /force
  • Run GPO Modeling to confirm custom GPO settings are being applied

This worked for us. The only caveat is to remember that when you block inheritance on an OU, you prevent all GPOs above that OU from propagating their settings via inheritance, which means if you are relying on a GPO higher up in the schema for settings, you need to confirm they are still being applied to child OUs beneath the OU you've blocked inheritance on, as you may need to replicate these settings on the custom GPO you applied to the child OU.
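The same steps in PowerShell, as an added example that is not part of the original answer. It assumes the GroupPolicy module (installed with GPMC/RSAT); the OU paths and GPO name are hypothetical placeholders. It also reports which inherited GPOs the child OU stops receiving, which is the caveat described above.

```powershell
#Requires -Modules GroupPolicy
# Hypothetical names: replace with your own OU paths and GPO display name.
$ParentOU = 'OU=Parent,DC=example,DC=com'
$ChildOU  = 'OU=Child,OU=Parent,DC=example,DC=com'
$GpoName  = 'Custom GPO'

# 1. Record every GPO the child OU receives before the change.
$before = (Get-GPInheritance -Target $ChildOU).InheritedGpoLinks

# 2. Block inheritance on the parent OU.
Set-GPInheritance -Target $ParentOU -IsBlocked Yes | Out-Null

# 3. Link the custom GPO directly to the child OU unless it is already linked.
$direct = (Get-GPInheritance -Target $ChildOU).GpoLinks |
    Where-Object { $_.DisplayName -eq $GpoName }
if (-not $direct) {
    New-GPLink -Name $GpoName -Target $ChildOU -LinkEnabled Yes | Out-Null
}

# 4. Compare: which GPOs did the child OU lose because of the block?
$after = (Get-GPInheritance -Target $ChildOU).InheritedGpoLinks
$lost  = $before | Where-Object { $after.GpoId -notcontains $_.GpoId }

if ($lost) {
    Write-Warning "GPOs no longer applied to $ChildOU (replicate any needed settings):"
    $lost | Select-Object DisplayName, Target, Enforced | Format-Table -AutoSize
} else {
    Write-Output "No inherited GPOs were lost on $ChildOU."
}

# Links marked Enforced above the blocked OU are not stopped by Block
# Inheritance, so they still appear here and still win over lower links.
$after | Where-Object { $_.Enforced } |
    Select-Object DisplayName, Target | Format-Table -AutoSize

# 5. Resulting precedence on the child OU (Order 1 wins), then refresh policy.
$after | Sort-Object Order |
    Select-Object Order, DisplayName, Target, Enabled, Enforced |
    Format-Table -AutoSize
gpupdate /force
```

Run it from an elevated session with rights to edit GPO links, then confirm the winning GPO with Group Policy Modeling as in the last step of the answer.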

Solution 2

The priority is based off of what position the GPO is in the list.

What you can try doing is selecting the custom group policy object that you created and moving it ABOVE the default domain policy. This will make sure that your custom policy takes precedence and won't be overridden by the default domain policy.

Author by

I.T. Support

Updated on September 17, 2022

Comments

  • I.T. Support over 1 year

    I'm trying to apply a custom GPO to an OU with a specific account in it. Even though I enforce the GPO, the default domain policy is still overriding my custom GPO and settings are not being applied to the account.

    Questions:

    1. Is the Default Domain Policy not subject to Enforcement?
    2. How do I get a custom GPO to override the default domain policy?
    • Jason Berg over 13 years
      What's in the custom policy? Password policies?
  • byachna over 13 years
    Yup! You want to link it to the domain. When you link it to the domain, I believe you can choose which accounts the policy is enforced on.
  • I.T. Support over 13 years
    So if I only enforce the GPO on a specific account, then link that GPO to the domain, will the GPO override settings defined in the default domain policy that apply to 'authenticated users'? My concern is that applying the custom GPO to the domain will cause accounts not defined in my custom GPO that rely on the default domain policy for permissions to lose those permissions...
  • I.T. Support over 13 years
    So I applied the recommended configuration, and my GP modeling results show the default domain policy as the winning GPO, and none of the permissions defined in the custom OU for the user are being applied. What am I missing here?
  • byachna over 13 years
    Actually, your policy settings might be fine. It may just require a refresh on the machine(s) that you're logging in from. Try logging into the account in question and run "gpupdate". The syntax and use is listed here: technet.microsoft.com/en-us/library/cc739112(WS.10).aspx
  • I.T. Support over 13 years
    I employed gpupdate during the original test, still no luck. Curious, where do I find the TAB for group policy? Are you using the Group Policy Management MMC Snap In? I just have a tree view list on the left side of the MMC and details on the right...