Removing Computers from an OU

16 years 7 months ago #23408 by skepticals
I know I have asked this question in a roundabout way before, but I am still unsure of the best answer.

We have a group of computers that all share the same username and OU. I have several restrictive GPOs set on the OU.

Problem: I need to work on a specific computer in the OU without the restrictive GPO settings applied; however, I cannot simply disable the linked GPO to the OU because I need it to apply to the rest of the computers. The GPO contains both user and computer settings.

Today I removed one of the computers out of my custom OU and placed it into Computers - without any GPOs applied. The computer still was restricted by the previous GPOs! I did a gpupdate /force along with several reboots. I still logged into the computers with the previous username, but the computer is no longer in the restricted OU.

Any ideas why the settings stayed or a better solution?

16 years 7 months ago #23409 by KiLLaBeE
I've noticed situations where the change doesn't replicate to the GPO-applied (or non-applied) computer.

Try disabling the caching of credentials on the computer's Computer Configuration of the computer's Group Policy Editor. This will force the computer to retrieve new, updated settings from AD rather than using the stored one.

The setting is named "Number of previous logons to cache" or something like that.

The situation I had was that the workstation was choosing to use the cached credentials rather than pulling from AD because using the cached was faster... that could be the issue you're having.

I do find it kinda strange that even after several reboots and gpupdate /force that the computer still pulls the old one... but test what I suggested above and let us know.

16 years 7 months ago #23414 by NewandImprovedElvis
This may be a stupid question, but are there any policies being applied to the user? If so, it may be these you are seeing, rather than the computer policies.

Also, computers in the computers group will still pick up policies set at the domain and forest levels, so you may need to block inheritance.

16 years 7 months ago #23415 by skepticals

There are policies applied to the user, but only in the OU from which I removed the computer. If there are no policies applied to an OU, it shouldn't still affect the user, correct?

16 years 7 months ago #23416 by NewandImprovedElvis
Well, policies are split into 2 bits - Computer Policies and User Policies.

Computer Policies are applied to all computers in an OU, thus by moving the Computer to an empty OU you have prevented these from applying.

User Policies are applied to all users in an OU - so if the User is still in the original OU, the User section of the policy will still apply.

Users from one OU can log onto Computers in another OU and will pick up the relevant policy from the relevant areas - i.e. the User policy from their OU and the Computer Policy from the Computers OU.
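
The scoping rule described in the post above, modelled as an added Python example that is not part of the original thread. The domain, OU, account and GPO names are constructed, and the model assumes default processing: no loopback mode, no enforced links, no security or WMI filtering.

```python
# Constructed sample directory; every name below is hypothetical.
# Each container maps to its linked GPOs and which halves each GPO configures.
GPO_LINKS = {
    "DC=example,DC=local": [("Default Domain Policy", {"computer", "user"})],
    "OU=Restricted,DC=example,DC=local": [("Restricted Lockdown", {"computer", "user"})],
}
BLOCK_INHERITANCE = set()  # DNs of OUs with Block Inheritance ticked

def containers_above(dn):
    """Containers holding the object, ordered domain root first, nearest last."""
    parts = dn.split(",")[1:]  # naive split: assumes no escaped commas in the DN
    first_dc = next(i for i, p in enumerate(parts) if p.upper().startswith("DC="))
    chain = [",".join(parts[i:]) for i in range(first_dc + 1)]
    return list(reversed(chain))

def gpos_in_scope(dn, side):
    """GPOs whose `side` half ("computer" or "user") reaches the object at `dn`."""
    applied = []
    for container in containers_above(dn):
        if container in BLOCK_INHERITANCE:
            applied = []  # links from higher levels are dropped (enforced links not modelled)
        applied += [name for name, sides in GPO_LINKS.get(container, []) if side in sides]
    return applied

def effective_policy(computer_dn, user_dn):
    """Computer half follows the computer's location; user half follows the user's."""
    return {
        "computer": gpos_in_scope(computer_dn, "computer"),
        "user": gpos_in_scope(user_dn, "user"),
    }

USER = "CN=shared,OU=Restricted,DC=example,DC=local"
PC_BEFORE = "CN=PC01,OU=Restricted,DC=example,DC=local"
PC_AFTER = "CN=PC01,CN=Computers,DC=example,DC=local"  # moved to the default container

if __name__ == "__main__":
    # Moving only the computer changes the "computer" list; the "user" list is unchanged.
    for label, pc in (("before move", PC_BEFORE), ("after move", PC_AFTER)):
        print(label, effective_policy(pc, USER))
```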

16 years 7 months ago #23418 by Smurf
Also (only pulling this from vague memories from a long time ago), if the Not Configured option is set, does it not keep its previous setting?

Wayne Murphy Team Member

Now working for a Security Company called Sec-1 Ltd in the UK, for any
Penetration Testing work visit or PM me for details.