AD Container

Hi gurus

Here is my problem: I have two containers on my AD, one named computers and the other one named workstation.

workstation has a GPO attached to it; no matter who the user is, when logged into a computer that is within this container a bunch of policies apply.

computers has no GPO attached to it; here is where I keep computers like the owner, admin and servers.

When I want to do some installation on a computer that is within the workstation container, what I do is move this computer to the Computers container, and I can do anything I want as the user, and then when done move the computer back to workstation and all policies go back in place.

What could be the reason for a computer that has been moved from the workstation container to the computer container and still, when logged into it as the user, all GPOs for workstation follow this computer? I have tried to detach it from the domain and attach it again, I forced replication, but nothing.

Thanks for all the help I can get

Hello naguaramipana,

You are mixing 2 things. In AD UC you have the "Computers" container, created by default, to which you cannot link a policy. Policies can be linked to "Organisational Units", "Sites" and "Domains" in AD.

So the policy linked to the workstation OU will apply if the machine is in that OU. If you move it to the computers container the policy will change to the default domain policy, which is only partly taken over because on a container you cannot link policies.

I suggest you start reading about using policies within AD. Group policies will help you a lot to manage but are also a wide area of possibilities:

http://technet.microsoft.com/en-us/library/cc740076.aspx

http://technet.microsoft.com/en-us/library/cc738810.aspx#BKMK_sites

http://technet.microsoft.com/en-us/library/cc778890.aspx

http://technet.microsoft.com/en-us/windowsserver/grouppolicy/default.aspx

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
M.

Thanks a bunch for your reply

This is the reason I called both objects Containers. I know that computers is there by default and workstation is created as an OU, but the problem and main question persists, which is that once you move a computer from the workstation OU container managed by a GPO to the computer object container which is not managed by a GPO, it should be bound to that object container's GPO, in this case NONE.

Why does this computer in particular seem to carry the policy with it even when you move it to the computer object container?

Thanks for battling
Hello naguaramipana,

Depending on the settings configured in the policy it is a kind of tattooing which will stay even if you move the machine to another OU. To remove settings you sometimes have to revert the setting and then set it to not configured.

http://www.gpoguy.com/FAQs/FAQs/Whitepapers/tabid/63/articleType/ArticleView/articleId/5/Understanding-Policy-Tattooing.aspx

Best regards

Meinolf Weber
Hello naguaramipana,

You should think about building an OU structure for your needs according to your company structure. Leave the default containers untouched, also do not change the Default Domain and Default Domain Controllers policies; always create new policies for your needs and link them also to the OU or Domain. In your structure have an OU for the computers with the needed policies and for the users also. So you can define machine and user policies easily.

Best regards

Meinolf Weber
M.

Thanks again.

I will try that revert option. I have never had this problem before with the setup as it is. I have an OU for all workstations that follow the same policies, and I use, untouched, the computer container for computers on my domain that have no restriction whatsoever; is this what you are talking about? Because once I move one workstation computer to the computer object, this moved computer takes on, on its own, whatever restrictions are on that container, which is none.

Thanks again, it is just strange that with this particular computer the GPO follows no matter where it goes.

Thanks a bunch
Hello naguaramipana,

As Meinolf mentioned earlier, it depends on the GPO setting that was applied to the machine in the Workstation Organizational Unit. Some are tattooed, others stick. So without knowing which settings you are referring to, it will be difficult to ascertain or give you a specific reason. As Meinolf mentioned, the ones that stick need to be set to defaults or disabled in the GPO, then the GPO must be refreshed on the machine.

If you can elaborate on the GPO settings you have placed on the Workstation Organizational Unit, it may help us, or you can simply follow the link that Meinolf provided in his earlier post.

Also, I agree with keeping the terminology consistent. There are Containers, and there are OUs. An OU is a container, but it is a managed container. We always refer to them as OUs and not containers, for technically, that is what they are. When I first read your original post, it was a little confusing at first, but I understood what you were saying. But just for future reference, OUs and Containers are different animals.

Also, I agree with Meinolf in that I believe you should have a more focused design on your OUs. OUs help with organizing domain objects (users, computers, groups, servers, etc.) for a number of reasons from simple organization to Group Policy control. You can create an OU with the settings you want, then create another OU parallel to this OU (not under it), with the opposite settings that do not get removed, to revert them in order to take care of what you are trying to accomplish.

Take a look at the following diagram to get a better visual of what I'm referring to, please.

GPO Flow with Sites, Domains and OUs:
http://fekay.com/supportblogs/gpoflow.jpg

--
Ace

This posting is provided "AS-IS" with no warranties or guarantees and confers no rights.

Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSA Messaging, MCT
Microsoft Certified Trainer
ace***@mvps.RemoveThisPart.org

For urgent issues, you may want to contact Microsoft PSS directly. Please check http://support.microsoft.com for regional support phone numbers.
thanks A and M

I have 60 computers in this workstation OU; the GPO settings applied to this container are, but are not limited to, the following:

can't open the properties on the machine
can't shut down the machine
can't open control panel on the machine

When dealing with profiles I sometimes need to get on the local computer and work directly on the user account. This brings the problem that because the control panel cannot be accessed I can't work on anything in there locally. So what I do is temporarily move the machine to the computer object container, and for the reason M explained the machine now has no GPO attached to it, so I can open control panel and work from there. This particular machine is not doing that.

It seems like even though I moved it to computer it keeps its original GPO with it and doesn't let me open control panel.

Now if I understand right the machine is the one tattooed, and the change on the GPO has to be local. Where is this tattoo located? I have to admit I have not read the link as of yet but I will. In a nutshell that is my problem; it is the first machine that does this, but of course there is a first time for everything.

Is tattooing local to that machine or to the OU to which the GPO is applied? I am thinking it does not make much sense to change the entire GPO of a bunch of machines when only one presents the problem.

Maybe I am missing something here.

Thanks for battling gurus
No battling, rather it's collaboration!

I'm not sure why the problem could be on one machine, and it could range from numerous things. May I suggest a different tactic? Instead of making these restrictions on machine accounts, why not just make them for users? This way you don't have to juggle machine objects back and forth between OUs and Containers. Just log on as the administrator, and the policy will not get applied.

Ace
Hi

Please read answers inline:

> I have 60 computers in this workstation OU; the GPO settings applied to this
> container are, but are not limited to, the following:
> can't open the properties on the machine
> can't shut down the machine
> can't open control panel on the machine

Create a policy that overrides those settings in the Workstations OU (if it's enforced at a higher level, those settings will have no effect).

> When dealing with profiles I sometimes need to get on the local computer
> and work directly on the user account. This brings the problem that
> because the control panel cannot be accessed I can't work on anything in there
> locally. So what I do is temporarily move the machine to the computer
> object container, and for the reason M explained the machine now has no GPO
> attached to it, so I can open control panel and work from there. This
> particular machine is not doing that.

Although you don't have any GPO applied directly to containers, that doesn't mean that you can't use GPOs to configure those systems. The default domain GPO is a good sample of that.

> It seems like even though I moved it to computer it keeps its original GPO with
> it and doesn't let me open control panel.

Some GPO settings are only reversed if you change them manually or by using a different GPO (using a local GPO or the registry or another policy that overrides those settings).

> Now if I understand right the machine is the one tattooed, and the change on
> the GPO has to be local. Where is this tattoo located? I have to admit I have not
> read the link as of yet but I will. In a nutshell that is my problem; it is the
> first machine that does this, but of course there is a first time for
> everything.

Not necessarily true. In fact you have other ways to change that. Security configuration analysis and secedit (to use with scripting) are a good sample of that. Also remember that you have pre-configured .inf files to revert the workstation or servers or DCs to default settings, including default configurations, secure configurations, etc...

--
I hope that the information above helps you.
Have a nice day.
Jorge Silva
MVP Directory Services
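
A diagnostic for the situation discussed in this thread, as an added example that is not part of any post: it shows where AD currently places the computer object, whether the three restrictions named above are physically present in the registry, and which GPOs the client reports as applied, before and after a policy refresh. It assumes PowerShell 3.0 or later, a Windows version whose `gpresult` supports `/r`, and that the three restrictions correspond to the standard Explorer policy values `NoControlPanel`, `NoClose` and `NoPropertiesMyComputer`; the function name `Get-ExplorerRestriction` is hypothetical.

```powershell
# Added example, not from the thread. Run on the affected workstation while
# logged on as the user who still sees the restrictions.

# 1. Where does AD say this computer object lives right now?
$searcher = [adsisearcher]"(&(objectCategory=computer)(name=$env:COMPUTERNAME))"
$found = $searcher.FindOne()
if ($found) {
    "Computer DN: " + $found.Properties['distinguishedname'][0]
} else {
    "Computer object not found in AD"
}

# 2. Are the restrictions present in the registry, and in which hive?
#    Assumption: the settings listed in the thread map to these Explorer
#    policy values. HKCU entries are written by user-side policy, HKLM
#    entries by computer-side policy.
function Get-ExplorerRestriction {
    $policyValues = [ordered]@{
        NoControlPanel         = 'Control Panel blocked'
        NoClose                = 'Shut Down removed'
        NoPropertiesMyComputer = 'Computer properties blocked'
    }
    $subKey = 'Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'

    foreach ($hive in 'HKCU:', 'HKLM:') {
        $path = Join-Path $hive $subKey
        $key  = Get-ItemProperty -Path $path -ErrorAction SilentlyContinue
        foreach ($name in $policyValues.Keys) {
            [pscustomobject]@{
                Hive    = $hive
                Value   = $name
                Meaning = $policyValues[$name]
                Data    = if ($key -and $null -ne $key.$name) { $key.$name } else { '(not set)' }
            }
        }
    }
}

"Before refresh:"
Get-ExplorerRestriction | Format-Table -AutoSize

# 3. Which GPOs does the client itself report as applied?
gpresult /r /scope user
gpresult /r /scope computer   # computer scope needs an elevated prompt

# 4. Refresh policy, as the replies above recommend after changing the GPO,
#    then look again to see whether the values were removed or stayed behind.
gpupdate /force
"After refresh:"
Get-ExplorerRestriction | Format-Table -AutoSize
```

Values that are still set after the refresh, while `gpresult` no longer lists the workstation GPO, are the ones that have to be reverted explicitly as described in the replies above.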