The GPMC shows you what GPOs a given container inherits, and in what order
they are applied.  So unless you have Block Inheritance enabled on your
GPTEST OU, you'll still see the Default Domain GPO is inherited even though
it's not linked there (you just had to know this before the GPMC).  Settings
defined in a GPO you link to the GPTEST OU will override ones which are
defined in the Default Domain GPO.  This way you can leave the Default
Domain GPO alone (and not affect all computers in the domain), and apply the
settings you need to the new OU only. 

Does that make sense?
Rich  
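
The inheritance behaviour described in the reply above, modelled as an added example (not part of the original thread, and not GPMC's own code). The domain name, the "GPTEST Computers" GPO and the setting names and values are constructed; Enforced links and link order within a container are not modelled.

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Container:
    name: str
    parent: Optional["Container"] = None
    linked_gpos: list = field(default_factory=list)   # GPOs linked directly here
    block_inheritance: bool = False


def inherited_gpos(target):
    """GPO names that reach `target`, highest precedence first,
    in the spirit of the GPMC inheritance tab."""
    result, node = [], target
    while node is not None:
        result.extend(node.linked_gpos)
        if node.block_inheritance:      # nothing linked above this point gets in
            break
        node = node.parent
    return result


def effective_settings(target, gpo_settings):
    """Merge settings, applying the lowest-precedence GPO first so that
    GPOs linked closer to the target overwrite inherited values."""
    merged = {}
    for gpo in reversed(inherited_gpos(target)):
        for key, value in gpo_settings.get(gpo, {}).items():
            merged[key] = (value, gpo)  # remember which GPO won
    return merged


def build_example(block_inheritance=False):
    # Constructed sample data: one domain root and the GPTEST OU beneath it.
    domain = Container("DC=example,DC=test", linked_gpos=["Default Domain Policy"])
    gptest = Container("OU=GPTEST", parent=domain,
                       linked_gpos=["GPTEST Computers"],
                       block_inheritance=block_inheritance)
    settings = {
        "Default Domain Policy": {"AuditLogonEvents": "Success",
                                  "LegalNoticeCaption": "Constructed banner"},
        "GPTEST Computers": {"AuditLogonEvents": "Success,Failure"},
    }
    return gptest, settings


if __name__ == "__main__":
    ou, settings = build_example()
    print(inherited_gpos(ou))
    print(effective_settings(ou, settings))
```
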

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] 
Sent: Monday, December 08, 2003 11:18 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Migrated NT4 domain member's computers have
incorrect rights in 2003 AD

I installed the Group Policy Management Console and looked at linking a GP
to the new OU (GPTEST).  Under the inheritance tab the default domain policy
is inherited.

Still a little lost ..

thanks

-----Original Message-----
From: Tony Murray [mailto:[EMAIL PROTECTED] 
Sent: Monday, December 08, 2003 9:46 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Migrated NT4 domain member's computers have
incorrect rights in 2003 AD


Guido wrote:

***
2003 even allows you to change the Default Computers container into a normal
OU which allows you to set GPOs etc. - but I prefer using a different OU
and keeping the default configured as is.
***

This sounds like good advice to me.  I'm sure there are 3rd party products
out there that expect to see CN=Users in the structure.  Not sure how
they'll cope if it isn't present.

Tony

---------- Original Message ----------------------------------
Reply-To: [EMAIL PROTECTED]
Date:  Mon, 8 Dec 2003 15:32:22 +0100 

Instead of correcting the security on each one of them, you may want to
create a new OU for the machines and set the security for the computer
accounts via inheritance on the OU.  2003 even allows you to change the
Default Computers container into a normal OU which allows you to set GPOs
etc. - but I prefer using a different OU and keeping the default configured
as is.

/Guido

-----Original Message-----
Sent: Saturday, 6 December 2003 07:12
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Migrated NT4 domain member's computers have
incorrect rights in 2003 AD

Problem is I have about 70 PCs who need this.  I would rather not rejoin the
domain on all of them. Looks like it can be solved by changing rights in AD
Users and Computers.

Why do I have to remain in mixed mode?   The desktops are 2000 or XP.

Thanks for your reply



-----Original Message-----
Sent: Friday, December 05, 2003 5:19 PM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] Migrated NT4 domain member's computers have
incorrect rights in 2003 AD


I unjoined and re-joined mine to the domain;
this will work as long as you are running mixed mode,
or keep one NT4 DC around.
----- Original Message ----- 
To: <[EMAIL PROTECTED]>
Sent: Friday, December 05, 2003 10:53 AM
Subject: [ActiveDir] Migrated NT4 domain member's computers have incorrect
rights in 2003 AD


> Hi All,
>
>   I did an in place upgrade from NT 4 -> 2003 AD
>
> The computers already part of the NT4 domain get event 5788 and 5789 logon
> errors in their system event logs (though they are able to log on).
>
> Upon closer examination, newly joined computers to the domain have different
> security rights when viewed in AD Users and Computers (advanced view).
> Specifically, Authenticated Users has 'read' checked and there is the
> existence of the system group with full control security on newly
> joined clients to the domain (2000 and XP), whereas the system group is not
> listed in previous domain members.  If I manually change the rights,
> the errors stop (and the fully qualified computer name appears in the
> general tab, whereas it is blank on pre-existing domain members).
>
> Is there any way to change all these security rights on the computers
> that were part of the NT4 domain when upgraded via a script or other
> method than manually changing each computer's rights?
>
> Thanks -- BTW this maillist is a life saver!
> List info   : http://www.activedir.org/mail_list.htm
> List FAQ    : http://www.activedir.org/list_faq.htm
> List archive:
> http://www.mail-archive.com/activedir%40mail.activedir.org/
>
>
