Thread Info
  • State Not Answered
  • Locked Locked
  • Replies 11 replies
  • Subscribers 1 subscriber
  • Views 8267 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

How to apply policies to all sub-groups?

faygate

Been wondering for weeks why my client computers haven't been picking up my policies and it turns out that even if you set the policy at the top of the group any sub-groups underneath do not automatically get the same policies. Fine if you've got a small setup, not so great if you're syncing with a complicated Active Directory structure.

Does anyone know how to do this in Enterprise Console 4.0 or even with an SQL script? Can't find an option anywhere which I think is a bit lame.

:1719


This thread was automatically locked due to age.
Parents
  • 0

    Please don't make assumptions about other people's Active Directory structure

    I didn't - I explicitly stated that additional features are desirable in dealing with existing AD structures.

    ... filters all the way down unless it is specifically overridden at a lower level

    That's the point: you also need a way to "protect" a group from receiving the parent's policy (worse, you might want that for example the updating policy should be inherited while the antivirus should not). And then at one point you decide that all subgroups should receive the new policy and that the do-not-inherit should be ignored. Furthermore if you "override" the policy for a certain group - should this policy then propagate to it's subgroups or not? Do tell me that NTFS security is so much easier to manage than SEC's group policies and I'll shut up. And we've not yet talked about moving a group from one point in the tree to another.

    Again stressing least surprise - you might have forgotten that you've made an exemption somewhere "down below" and when you assign a new policy to an upper group ...

    I don't say that such a feature should not be added - I just want to point out that it's not as simple as it may seem at the first glance and therefore will take time to get implemented.

    Christian

    :1926
Reply
  • 0

    Please don't make assumptions about other people's Active Directory structure

    I didn't - I explicitly stated that additional features are desirable in dealing with existing AD structures.

    ... filters all the way down unless it is specifically overridden at a lower level

    That's the point: you also need a way to "protect" a group from receiving the parent's policy (worse, you might want that for example the updating policy should be inherited while the antivirus should not). And then at one point you decide that all subgroups should receive the new policy and that the do-not-inherit should be ignored. Furthermore if you "override" the policy for a certain group - should this policy then propagate to it's subgroups or not? Do tell me that NTFS security is so much easier to manage than SEC's group policies and I'll shut up. And we've not yet talked about moving a group from one point in the tree to another.

    Again stressing least surprise - you might have forgotten that you've made an exemption somewhere "down below" and when you assign a new policy to an upper group ...

    I don't say that such a feature should not be added - I just want to point out that it's not as simple as it may seem at the first glance and therefore will take time to get implemented.

    Christian

    :1926
Children
No Data