
How to apply policies to all sub-groups?

Been wondering for weeks why my client computers haven't been picking up my policies and it turns out that even if you set the policy at the top of the group any sub-groups underneath do not automatically get the same policies. Fine if you've got a small setup, not so great if you're syncing with a complicated Active Directory structure.

Does anyone know how to do this in Enterprise Console 4.0 or even with an SQL script? Can't find an option anywhere which I think is a bit lame.



This thread was automatically locked due to age.
  • Upon creation a group inherits the policies from its parent. Afterwards this assignment is only changed when you use View/Edit Group Policy Details ... on the specific group (you might call it idiosyncrasy but ...).

    A complicated (you did not use complex) AD group structure probably does not have all attributes in the container tree. GPOs (themselves in some structure) might be linked to several containers and thus "overlay" yet another structure. SEC has a simple hierarchical model and you can either have "live" inheritance (whenever a parent's attributes are changed they are applied to the children) or no (or initial) inheritance. SEC has the latter. Since there are no general rules how to arrange the clients in groups, children might not use the same policies as the parent. It's "least surprise" - imagine what happens if you inadvertently make changes to a "too super" group.

    You could of course wish for an Apply to all subgroups option - but if you get it you (and everyone else) should use this with caution.

    As for SQL - you probably know I'm not faint of heart when it comes to hacking using undocumented interfaces. Have a look at the tables involved and you'll see that it's not easily written in a single statement.

    Oh - which type of policies?

    Christian
