Default policy applying instead of OU policy


Jon Gutiérrez

Hi,

I have a Windows 2000 network with XP machines. The XP users log on to
the domain (I have only one domain) with a domain account. They are
all configured as administrator in Control Panel > User Accounts on
the local XP machines. They are divided into 2 different user OUs: 1
for standard users (OU1), 1 for advanced users (OU2).

My problem:

I would like to implement a policy over OU1 to remove the Start
button.

I have created a policy in OU1 but if I go to the local machines the
policy does not seem to take effect. I have run the gpresult command
on the local machines and I can see that the only policy being applied
is the Default Domain policy.

I have tried changing the Options to No Override, setting Block
Inheritance and adding the group of users to the policy (giving them
the Read and Apply Group Policy rights). Nevertheless, these settings do
not seem to make any changes to the final result: the only policy in
effect is the Default Domain Policy.

If, instead of implementing the policy on the OU, I change the same
option in the Default Domain Policy, then the policy is applied to the
XP machines.

What am I doing wrong? How can I force my policy to be applied instead
of the Default Domain Policy?

Thank you and please excuse me if the question is too simple or
unclear.

Jon
 
Are the user accounts in the OU? They need to be in order for the policy to
apply. --- Steve
 
Inside the OU I have a domain global group. Inside this group I have
the user account.

I have tried changing the group to domain local (just in case...) and
including the user accounts inside it, but this does not seem to make
any difference.

Do I need to move the user accounts outside the global or local groups
in order for the policy to take effect? This does not seem very
logical to me and it seems to complicate the policy assignments.

Thanks in advance for your replies,

Jon
 
The actual user accounts need to be in the OU, which can easily be done by
moving them. It does not matter where the groups are. The groups can be used
to "filter" who a policy applies to, however, by using read and apply
permissions in the security page of the GPO. --- Steve
 
Thank you very much Steve.

I tried moving the users outside the group, and everything went fine.
Now the policy is applied without problems.

From all this, I must conclude then that in Windows 2000, Group
Policies cannot be applied to groups (???), but to Domains, Sites,
OUs, and Users. I do not quite understand why the groups are left
outside of policies, but at least now I understand the reason for my
problem.

Thanks again,

Jon
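
The scoping rule Steve describes, as an added example that is not part of the original thread: a GPO becomes a candidate only through the containers that hold the user account, and group membership then filters those candidates through Read and Apply Group Policy permissions. The domain name, account names, group name, GPO name and the starting location of the account (the default Users container) are assumptions made for the illustration.

```python
# Added illustration: a simplified model of how Group Policy is scoped to a user.
# Every name below (example.local, jdoe, StandardUsers, the OU1 GPO) is constructed.
# Not modelled: site links, No Override, Block Inheritance, computer-side settings.

def parent_containers(dn):
    """Containers that hold the object, ordered from domain root to nearest parent.
    Naive comma split: assumes no escaped commas in the DN."""
    parts = [p.strip() for p in dn.split(",")]
    found = []
    for i in range(1, len(parts)):          # skip the object's own RDN
        found.append(",".join(parts[i:]))
        if parts[i].upper().startswith("DC="):
            break                            # reached the domain root
    return found[::-1]

def applied_gpos(user_dn, user_groups, links, filters):
    """links:   container DN -> GPO names linked to that container
    filters: GPO name -> principals granted Read + Apply Group Policy"""
    principals = set(user_groups) | {"Authenticated Users", user_dn}
    applied = []
    for container in parent_containers(user_dn):   # location decides candidates
        for gpo in links.get(container, []):
            if filters[gpo] & principals:          # groups only filter them
                applied.append(gpo)
    return applied

DOMAIN = "DC=example,DC=local"
OU1 = "OU=OU1," + DOMAIN
GROUP = "CN=StandardUsers," + OU1          # the group object itself sits in OU1
LINKS = {DOMAIN: ["Default Domain Policy"], OU1: ["OU1 Start Menu Policy"]}
FILTERS = {"Default Domain Policy": {"Authenticated Users"},
           "OU1 Start Menu Policy": {GROUP}}

if __name__ == "__main__":
    # Assumed starting point: account in the default Users container, group in OU1.
    print(applied_gpos("CN=jdoe,CN=Users," + DOMAIN, [GROUP], LINKS, FILTERS))
    # Account moved into OU1 and still a member of the filter group.
    print(applied_gpos("CN=jdoe," + OU1, [GROUP], LINKS, FILTERS))
    # Account in OU1 but not in the filter group: the GPO is filtered out.
    print(applied_gpos("CN=asmith," + OU1, [], LINKS, FILTERS))
```

The first call returns only the Default Domain Policy even though the user's group lives in OU1, which matches the gpresult output described at the start of the thread.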
 