Mike-

Yea, the local policy gets over-written by the DC policy because the local policy processes first in the pecking order, then site, domain and OU linked GPOs. What you could do is create a second GPO with your policy change, linked to the DC OU but with a higher processing order (i.e. it processes after the DDC Policy). Then, set permissions on that new GPO such that the DC in question is the only machine that has Read and Apply GPO rights to it. You'll have to remove the default Authenticated Users ACE as well.

Darren

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Thommes, Michael M.
Sent: Wednesday, March 24, 2004 11:33 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Linking other GPO objects to Domain Controllers

Related question: Because of some testing we are doing in a production environment (yes, I know - ahem, ah try a test environment; can't in this situation), we would like to override the policy "Microsoft Network Server - digitally sign communications (always)" that is set in the Default Domain Controllers policy by using the local Domain Controller policy on a particular DC. But it appears not to be "overrideable". Is this the expected behavior? If so, how could we accomplish this?

TIA!

Mike Thommes

-----Original Message-----
From: Darren Mar-Elia [mailto:[EMAIL PROTECTED]
Sent: Wednesday, March 24, 2004 12:14 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Linking other GPO objects to Domain Controllers

Agreed. Not much downside to this as long as you're not putting policies on these other GPOs that conflict with any set in the DDC policy. Even in that case, you just have to manage the conflicts.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rutherford, Robert
Sent: Wednesday, March 24, 2004 9:14 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Linking other GPO objects to Domain Controllers

It's common practice to add other GPO links to the DC OU.

-----Original Message-----
From: Devan Pala [mailto:[EMAIL PROTECTED]
Sent: 24 March 2004 15:44
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Linking other GPO objects to Domain Controllers

Hi all,

Question: Has anyone experienced issues or know of any 'gotchas' with linking other GPO objects to the Domain Controllers OU in addition to the Default Domain Controllers Policy.

Rationale: I would like to have a GPO ready that essentially has Windows Update enabled for deploying approved updates from a central SUS server.
When an update is available, tested and if required, the GPO is linked to the Domain Controllers OU and available for install depending on each DC's detection cycle and configured parameters.

Why not modify the Default Domain Controllers Policy? At least this way, I will have complete control of when updates are pushed and importantly, if I would like to retract the updates, unlinking this 'other' GPO is easier and I believe safer than changing configuration settings on the Default Domain Controllers Policy. Another nice feature would be that by unlinking this policy the update would also be removed from the Windows Update folder on each client (the DC).

Your thoughts, suggestions and comments are as always, appreciated.

Thanks,
Devan.

List info : http://www.activedir.org/mail_list.htm
List FAQ : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
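
The scoping approach described in the top reply of this thread (a second GPO linked to the Domain Controllers OU, processed after the Default Domain Controllers Policy, and security-filtered to a single DC), as an added example that is not part of the original messages. It uses the GroupPolicy PowerShell module that ships with GPMC on current Windows Server releases; the GPO name, DC name and domain DN are placeholders, and the GPO is filtered before it is linked so that it never applies to the other DCs.

```powershell
# Added example: all names below are placeholders, not values from the thread.
Import-Module GroupPolicy

$gpoName = 'DC03 SMB Signing Test Override'           # hypothetical GPO name
$dcName  = 'DC03'                                     # hypothetical DC under test
$dcOu    = 'OU=Domain Controllers,DC=example,DC=com'  # placeholder domain DN

# 1. Create the empty override GPO. The setting itself
#    ("Microsoft network server: Digitally sign communications (always)")
#    is then edited in GPMC under
#    Computer Configuration > Windows Settings > Security Settings >
#    Local Policies > Security Options.
New-GPO -Name $gpoName -Comment 'Temporary test override, single DC only' |
    Out-Null

# 2. Security-filter BEFORE linking: grant Read + Apply to the one DC ...
Set-GPPermission -Name $gpoName -TargetName $dcName -TargetType Computer `
    -PermissionLevel GpoApply | Out-Null

# ... and remove the default Authenticated Users ACE.
# -Replace is required because None is lower than the existing GpoApply level.
Set-GPPermission -Name $gpoName -TargetName 'Authenticated Users' `
    -TargetType Group -PermissionLevel None -Replace | Out-Null

# 3. Link to the Domain Controllers OU at link order 1. Order 1 is processed
#    last, so on a conflicting setting it wins over the
#    Default Domain Controllers Policy.
New-GPLink -Name $gpoName -Target $dcOu -LinkEnabled Yes -Order 1 | Out-Null

# 4. Verify the filter: only the test DC should hold GpoApply.
Get-GPPermission -Name $gpoName -All |
    Where-Object Permission -eq 'GpoApply' |
    Select-Object @{ n = 'Trustee'; e = { $_.Trustee.Name } }, Permission

# 5. Verify link order on the OU: the override should be listed at Order 1.
(Get-GPInheritance -Target $dcOu).GpoLinks |
    Sort-Object Order |
    Select-Object Order, DisplayName, Enabled, Enforced
```

After a policy refresh, `gpresult /r /scope computer` on the test DC and on one other DC shows whether the GPO is applied only where intended. Unlinking or deleting the GPO when testing ends returns the DC to the signing requirement in the Default Domain Controllers Policy.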