April 28, 2017 at 2:54 pm #13903
I have a question related to group policy preferences for file copying and their processing order w.r.t. parent/child OUs.
Background: I have an application that needs a “default” configuration file (binary) copied down for most of our domain. I also have a few departments that need their own versions of the same file with slightly modified custom settings per-department. Each department has their own child OU. Periodically I may need to change one or both of the default or department-specific files in no specific sequence.
Question: Can I create a GPP that sits in the parent/root OU that copies this “default” config file for every department, except for those departments that need their own custom config file (they get their own)? Example:
------ MyApp-copy-config-default (\\server\share\MyApp\config-default -> C:\MyApp\config.txt)
--------- MyApp-copy-config-department1 (\\server\share\MyApp\config-default-department1 -> C:\MyApp\config.txt)
--------- MyApp-copy-config-department2 (\\server\share\MyApp\config-default-department2 -> C:\MyApp\config.txt)
Concern: I don’t know the order of how these file-copies get processed. I’ve always understood that a deeper-linked GPO will overrule any parent GPO. But this is GPP and not really a GPO. I assume it’s a single client side extension (CSE) that processes all relevant GPP “file” objects of all relative GPOs at the same time. So my concern is the ORDER in which the “file” tasks are completed. Is the CSE smart enough to process parent OU file tasks first and the deepest OU file tasks last? My ultimate concern is that depending on when the GPOs are created/modified or the order they are delivered to the clients by the domain controller, the DEFAULT file copy might happen after the DEPARTMENT-specific ones leaving those few departments with the default config instead of the one they need.
I know I can lab this up and just test it. But that doesn’t really tell me if something out of my control will ultimately break this concept. Or if there’s a better way to accomplish my end goal, please let me know.
FYI: Most of my file copies use “replace” and use the “apply once and do not reapply” setting so as to not continuously copy/overwrite the file unnecessarily. Whenever I’ve had to make changes to the source file on the server, I’ve always unchecked “apply once and do not reapply”, saved the GPO, then re-checked it again, forcing that GPP to copy the file ‘one more time’ per client.
Scott
May 1, 2017 at 8:28 am #13904
The order of processing for a given CSE always guarantees that the “closest” GPO link is processed last, and therefore wins. So in your scenario you should be fine. The only things that change that normal order are enforced flags on a link or Block Inheritance on a container (e.g. domain or OU).
Darren
May 1, 2017 at 9:38 am #13905
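Added example, not part of the original thread: a PowerShell check of the precedence rule described in the reply above, using `Get-GPInheritance` from the GroupPolicy module to confirm that each department GPO outranks the default one and to surface Enforced links or Block Inheritance. The OU distinguished names are hypothetical placeholders; the GPO names are the ones used in the question.

```powershell
# Added example. OU distinguished names are hypothetical placeholders;
# GPO names are the ones used in the question above.
Import-Module GroupPolicy

$defaultGpo = 'MyApp-copy-config-default'
$deptGpos = @{
    'OU=Department1,OU=Departments,DC=example,DC=com' = 'MyApp-copy-config-department1'
    'OU=Department2,OU=Departments,DC=example,DC=com' = 'MyApp-copy-config-department2'
}

foreach ($ou in $deptGpos.Keys) {
    $som = Get-GPInheritance -Target $ou

    # InheritedGpoLinks lists every link that applies to this OU, highest
    # precedence first; the first entry is processed last and wins.
    $links = @($som.InheritedGpoLinks | Where-Object { $_.Enabled })
    $names = @($links | ForEach-Object { $_.DisplayName })

    $deptIdx = [array]::IndexOf($names, $deptGpos[$ou])
    $defIdx  = [array]::IndexOf($names, $defaultGpo)

    $verdict = if ($deptIdx -lt 0) {
        'PROBLEM: department GPO is not linked/enabled for this OU'
    } elseif ($defIdx -lt 0) {
        'OK: default GPO does not reach this OU'
    } elseif ($deptIdx -lt $defIdx) {
        'OK: department GPO outranks the default'
    } else {
        'PROBLEM: default GPO outranks the department GPO'
    }

    # Enforced links and Block Inheritance are the two things that change
    # the normal "closest link wins" order, so report both.
    [pscustomobject]@{
        OU               = $ou
        Verdict          = $verdict
        BlockInheritance = $som.GpoInheritanceBlocked
        EnforcedLinks    = ($links | Where-Object { $_.Enforced } |
                            ForEach-Object { $_.DisplayName }) -join ', '
    }
}
```

Run it from a machine that has the Group Policy Management tools installed, with an account that can read the OUs and their GPO links.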