
Group Policy in AD

 
Wayne Whittle
Advisor

Group Policy in AD

We have one 2003/AD domain across four sites with four OUs representing each site. In terms of Group Policy we have one overall GPO for the domain (with very general settings) and one for each OU (with more specific settings relating to each OU). I noticed that we also had a default Domain Controllers GPO as well. In addition all the XP workstations have local policies.

Is it the case that GPOs are applied first locally, then at Site, Domain, OU and finally sub-OU level, and that policies lower down in the chain will be effective even if they have been set higher up in the hierarchy (unless Block Inheritance is turned on or No Override is set)? Where or when is the Default Domain Controllers GPO applied in all this?

Secondly, I am trying to log a new workstation onto the new domain but I keep getting the message "Local Policy of this system does not permit you to log on interactively". I can only seem to log onto the domain as an administrator (or member of the Administrators group). Which GPO setting do I configure so anyone from this domain can log on to this workstation?
Mason Powell, Jr.
Occasional Advisor

Re: Group Policy in AD

Hi Wayne,

GPOs do indeed apply in that order: first locally, then by site, domain, OU, sub-OU. A policy remains constant until a setting higher in the chain takes over. For example, if you enable the "Add Logoff to the Start Menu" policy on the local machine, it will apply until a higher policy changes it. If no higher GPO sets that policy, then the Logoff button is added to the Start Menu. If, however, the OU policy disables this setting, the Logoff button will never appear on the Start Menu, as the OU policy takes priority over the local policy.

The error you are getting on the workstation . . . are you trying to remotely access the machine? If so, you will need to add your username/security group to the Remote Desktop users group (using "Everyone" will allow anyone to log onto that machine).

I hope this is of help,
Mason
Wayne Whittle
Advisor

Re: Group Policy in AD

Thanks Mason, but I've managed to get to the bottom of this now. The problem was in my Group Policy setting at Computer Configuration - Windows Settings - Security Settings - Local Policies - User Rights Assignment - Allow Logon Locally. If you don't add the users or Domain Users group to this then they cannot log on interactively (onto the domain).
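A defender-side check for the setting Wayne identifies, added here as an example and not part of the thread: it exports the effective local security policy with secedit and lists which principals hold the "Allow log on locally" right (SeInteractiveLogonRight), warning when neither BUILTIN\Users nor Domain Users is present. It assumes an elevated PowerShell session on the workstation being checked.

```powershell
# Added example (not from the thread): audit who holds "Allow log on locally"
# on this workstation. Assumes an elevated session; secedit needs it to export.
$inf = Join-Path $env:TEMP 'secpol-export.inf'
& secedit.exe /export /cfg $inf /areas USER_RIGHTS | Out-Null

# The exported INF carries the right as a line such as:
#   SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-545
$line = Get-Content $inf | Where-Object { $_ -match '^SeInteractiveLogonRight\s*=' }
Remove-Item $inf -ErrorAction SilentlyContinue

if (-not $line) {
    Write-Warning 'SeInteractiveLogonRight is not defined in the effective policy.'
    return
}

$principals = ($line -split '=', 2)[1].Trim() -split ','

# Resolve each entry to an account name. Entries prefixed with * are SIDs.
$resolved = foreach ($p in $principals) {
    $p = $p.Trim()
    if ($p.StartsWith('*')) {
        $sid = New-Object System.Security.Principal.SecurityIdentifier ($p.Substring(1))
        try   { $name = $sid.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $name = "<unresolved $($sid.Value)>" }
    } else {
        $name = $p   # already written as an account name
    }
    [pscustomobject]@{ Principal = $name; Raw = $p }
}

$resolved | Format-Table -AutoSize

# The exact condition from the thread: with no Users / Domain Users entry,
# only members of Administrators (S-1-5-32-544) can log on interactively.
$grantsUsers = $resolved | Where-Object {
    $_.Raw -eq '*S-1-5-32-545' -or $_.Principal -match '\\Domain Users$'
}
if (-not $grantsUsers) {
    Write-Warning 'Neither BUILTIN\Users nor Domain Users holds "Allow log on locally"; ordinary domain accounts will be refused at this workstation.'
}
```

Run gpupdate /force first if a GPO change has just been made, so the exported policy reflects the result of the domain and OU layers rather than stale local state.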
Wayne Whittle
Advisor

Re: Group Policy in AD

As in my reply above I have since found a solution to the problem and was unaware I left the thread open. Sorry!