Deny policy not working

  • Thread starter Thread starter Guest
  • Start date Start date
G

Guest

Start off by saying I've searched this forum and not found a thread with a
solution that's either worked or I'd not yet tried already, so...

I'd like our W2K DC and an XPPro PC to not inherit Defauly Domain Policy.
Here's what I've tried (refreshing with each try) but obviously didnt work:

-Made sure Default Domain Policy does not have No Override checked
-Block Policy Inheritance box checked at their OUs
-In Security tab of Default Domain Policy, added the DC and XP box, and set
their Apply Group Policy to Deny
-For the DC, also tried editing Default DC Policy
-Even created a GPO for their OUs with No Override set (even though shouldnt
work anyway since No Override only applies to 'lower' objects, right?)
 
Which policy settings in the domain-linked GPO are you seeing
as not being blocked? Or, are you seeing this behavior no matter
what policy setting. The reason that I ask is that some settings,
Account policy settings in particular, are handled uniquely, and
if set in a domain-linked policy will be effective even for machines
to which that GPO is set to not be applied.
You may find that restructuring where policies are set is more
effective than trying to use inheritance blocking and security group
filtering, or perhaps I should have said less messy or more clear
rather than more effective.
 
specifically, it's the screensaver settings. i've set the default domain
setting for 30 minutes, but would like to manually set the (physically
secure) DC to not have one at all and manually set my XP PC to 5 minutes.
so, as i stated above, essentially i'm trying to set 2 computers to deny
Apply Group Policy. fyi, denying "Apply Group Policy' worked in an OU's
policy for my (domain admin) user account. in other words, all PCs in that
OU allow me to log in with no GPO settings applied.
 
eventually just said "screw it" and removed Default policy settings that
bugged me, created a new OU containing all other PCs (excluding DC and my XP
PC), and created a GPO for that OU with the settings i needed...
 
eventually just said "screw it" and removed Default policy settings
that bugged me, created a new OU containing all other PCs (excluding
DC and my XP PC), and created a GPO for that OU with the settings i
needed...
Click to expand...

Hi,

This is the recommended way to setup Group Policy anyway. I always
create "Upper Level" Ou’s for users and computers for all settings.
I rarely put anything in the Default Domain Policy.

Did it work?

Cheers,

Lara
 
Back
Top