
I'm a little stumped on this one so I'm hoping someone can enlighten me, since I consider myself a pretty knowledgeable GPO person.

I have a login banner GPO that changes the Interactive Logon: settings within Computer Configuration - Policies - Windows Settings - Security Settings - Local Policies / Security Options - Interactive Logon in order to display a login banner. That is the ONLY thing this GPO does.

NOW, my understanding from TechNet and others online, along with my own past experiences, is that you configure this in a GPO that is applied/linked to the domain level.

However, here at my current company our "LogonMessage GPO" is applied/linked to the Domain Controllers OU ONLY, and sure enough this GPO does apply to all computers in the organization.

I ran a rsop.msc for instance on my workstation and it shows it as the Source GPO for that setting, even though my workstation obviously is NOT in the Domain Controllers OU.

So what gives? Why does applying a login banner GPO to the Domain Controllers OU apply it to all computers in the domain?

TheCleaner
  • @joeqwerty Gotcha. I was thinking the message was post-login. Let's clean this up. – blaughw Jul 24 '15 at 22:18
  • No worries. It's a really interesting problem. None of the domains I looked at exhibit this behavior. – joeqwerty Jul 24 '15 at 22:26
  • I don't think rsop shows where the GPO is linked. gpresult should, in the Applied GPOs section ("Link Location"). You may want to enable group policy environment debug logging, and review the gpsvc.log. It should show where the GPOs are being pulled from. Search for: `SearchDSObject: Searching` – Greg Askew Jul 24 '15 at 23:13
  • @GregAskew: Good point. While RSOP shows the Source GPO for the setting in question, as you say it doesn't show where the GPO is linked. – joeqwerty Jul 25 '15 at 01:29
  • @GregAskew - yes, as stated it is only linked to the Domain Controllers OU. That's what prompted the question, it completely threw me for a loop as to how it is working that way. – TheCleaner Jul 26 '15 at 01:38
  • Was this GPO linked at domain level in the past and then unlinked later? Are you also sure it is not linked at site level? – duenni Jul 27 '15 at 13:51
  • @duenni - you are the freaking man. I had forgotten over the years about linking a GPO to a site, since it is so rarely done. Sure enough, almost all of our sites had this GPO linked. It was the only one set at a site link level and I never bothered to look close enough. Please make that your answer and I will accept. – TheCleaner Jul 27 '15 at 20:02

2 Answers


Are you sure it is not linked at site level? You should check this in the GPMC, under Sites (right click and choose "Show sites" and show all the sites).

TheCleaner
duenni

For troubleshooting this type of issue you should use the GPMC (Group Policy Management Console) tool which helps you locate where your Group Policies are linked and who has rights to read them.

Brian Lewis
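
As an added example (not part of either answer), the link check both answers describe doing in GPMC can also be scripted. It searches the `gPLink` attribute in the current domain and under `CN=Sites` in the Configuration partition, where site links are stored. It assumes the RSAT GroupPolicy and ActiveDirectory modules are installed; `Get-GpoLinkLocation` is a hypothetical helper name, and the GPO name is the one quoted in the question, to be replaced with your own.

```powershell
# Added example: list every container a GPO is linked to, including AD sites.
Import-Module GroupPolicy, ActiveDirectory

function Get-GpoLinkLocation {   # hypothetical helper name
    param(
        [Parameter(Mandatory)] [string] $GpoName
    )

    $gpo  = Get-GPO -Name $GpoName -ErrorAction Stop
    $guid = $gpo.Id.ToString('B')          # "{xxxxxxxx-...}", as embedded in gPLink
    $root = Get-ADRootDSE

    # Domain and OU links live in the domain partition. Site links live under
    # CN=Sites in the Configuration partition, so a search of the domain tree
    # alone never finds them.
    $bases = @(
        $root.defaultNamingContext,
        "CN=Sites,$($root.configurationNamingContext)"
    )

    # One gPLink entry looks like "[LDAP://<GPO DN>;<options>]".
    $pattern = "\[LDAP://[^;\]]*$([regex]::Escape($guid))[^;\]]*;(\d+)\]"

    foreach ($base in $bases) {
        Get-ADObject -SearchBase $base -LDAPFilter "(gPLink=*$guid*)" -Properties gPLink |
        ForEach-Object {
            $m   = [regex]::Match($_.gPLink, $pattern, 'IgnoreCase')
            $opt = [int]$m.Groups[1].Value   # bit 0 = link disabled, bit 1 = enforced
            $scope = switch ($_.ObjectClass) {
                'site'      { 'Site' }
                'domainDNS' { 'Domain' }
                default     { 'OU' }
            }
            [pscustomobject]@{
                Gpo         = $gpo.DisplayName
                Scope       = $scope
                LinkedTo    = $_.DistinguishedName
                LinkEnabled = -not ($opt -band 1)
                Enforced    = [bool]($opt -band 2)
            }
        }
    }
}

# GPO name as quoted in the question; substitute your own.
Get-GpoLinkLocation -GpoName 'LogonMessage GPO' | Format-Table -AutoSize
```

Rows with `Scope` set to `Site` are the links that do not appear anywhere under the domain tree. In a multi-domain forest, repeat the domain search against each domain's naming context.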