Hot Downloads

Welcome, Guest
Username: Password: Remember me

TOPIC: Removing Computers from an OU

Removing Computers from an OU 9 years 1 month ago #23408

  • skepticals
  • skepticals's Avatar
  • Offline
  • Expert Member
  • Posts: 783
  • Karma: 0
I know I have asked this question in a round about way before, but I am still unsure of the best answer.

We have a group of computers that all share the same username and OU. I have several restrictive GPOs set on the OU.

Problem: I need to work on a specific computer in the OU without the restrictive GPO settings applied; however, I cannot simply disable the linked GPO to the OU because I need it to apply to the rest of the computers. The GPO contains both user and computer settings.

Today I removed one of the computers out of my custom OU and placed it into Computers - without any GPOs applied. The computer still was restricted by the previous GPOs! I did a gpupdate /force along with several reboots. I still logged into the computers with the previous username, but the computer is no longer in the restricted OU.

Any ideas why the settings stayed or a better solution?
The administrator has disabled public write access.

Re: Removing Computers from an OU 9 years 1 month ago #23409

  • KiLLaBeE
  • KiLLaBeE's Avatar
  • Offline
  • Expert Member
  • Posts: 466
  • Karma: 0
I've noticed situations where the change doesn't replicate to the GPO-applied (or non-applied) computer.

Try disabling the caching of credentials on the computer's Computer Configuration of the computer's Group Policy Editor. This will force the computer to retrieve new, updated settings from AD rather than using the stored one.

The setting is named "Number of previous logons to cache" or something like that.

The situation I had was that the workstation was choosing to use the cached credentials rather than pulling from AD because using the cached was faster......that could be the issue you're having.

I do find it kinda strange that even after several reboots and gpupdate /force that the computer still pulls the old one......but test what I suggested above and let us know.

K
The administrator has disabled public write access.

Re: Removing Computers from an OU 9 years 1 month ago #23414

This may be a stupid question, but are there any policies being applied to the user? if so it may be these you are seeing, rather than the computer policies.

Also computers in the computers group will still pick up policies set at the domain and forest levels, so you may need to block inheritance.
The administrator has disabled public write access.

Re: Removing Computers from an OU 9 years 1 month ago #23415

  • skepticals
  • skepticals's Avatar
  • Offline
  • Expert Member
  • Posts: 783
  • Karma: 0
NewandImprovedElvis,

There are policies applied to the user, but only in the OU from which I removed the computer. If there are no policies applied to an OU, it should'nt still effect the user, correct?
The administrator has disabled public write access.

Re: Removing Computers from an OU 9 years 1 month ago #23416

Well policies are spilt into 2 bits - Computer Policys and User Policies

Computer Policies are applied to all computers in an OU, thus by moving the Computer to an empty OU you have prevented these from applying

User Policies are applied to all users in an OU - So if the User is still in the original OU the User section of the policy will still apply

Users from one OU can log onto Computers in another OU and will pick up the relevant policy from the relevant areas - i.e. the User policy from their OU and the Computer Policy from the Computers OU.
The administrator has disabled public write access.

Re: Removing Computers from an OU 9 years 1 month ago #23418

  • Smurf
  • Smurf's Avatar
  • Offline
  • Moderator
  • Posts: 1390
  • Karma: 1
Also, (only pulls this from vague memorys from a long time ago), if the Not Configured option is set, does it not keep its previous setting ?
Wayne Murphy
Firewall.cx Team Member
www.firewall.cx

Now working for a Security Company called Sec-1 Ltd in the UK, for any
Penetration Testing work visit www.sec-1.com or PM me for details.
The administrator has disabled public write access.
Time to create page: 0.086 seconds

CCENT/CCNA

Cisco Routers

  • SSL WebVPN
  • Securing Routers
  • Policy Based Routing
  • Router on-a-Stick

VPN Security

  • Understand DMVPN
  • GRE/IPSec Configuration
  • Site-to-Site IPSec VPN
  • IPSec Modes

Cisco Help

  • VPN Client Windows 8
  • VPN Client Windows 7
  • CCP Display Problem
  • Cisco Support App.

Windows 2012

  • New Features
  • Licensing
  • Hyper-V / VDI
  • Install Hyper-V

Linux

  • File Permissions
  • Webmin
  • Groups - Users
  • Samba Setup