Saturday, Jun 10, 2006

Soaking up Wi-Fi in Logan International Airport

So I've landed in Boston for Tech Ed 2006. The flight up from Philly? Gentle reader, I can't make this stuff up... the woman in the seat next to me soiled herself. I am going to take the longest shower of my entire life when I get to the hotel, and quite possibly burn my clothes.

But, hey ho, shake it off... I'm sitting in International Arrivals waiting for the Manchester flight to arrive, at which point we will run off to the Hilton and the aforementioned shower.

I've categorized this as 'tech', so while I'm sat here I'll share an interesting behaviour that I discovered yesterday in my prod environment: I wanted to set differing NTLM authentication levels for some of my clients[1], and was getting annoyed that GPO inheritance didn't seem to be working the way I thought. To wit: I set an NTLM level in a domain-linked GPO, and then set a different one in a GPO linked to a lower-level OU so as to minimize the number of machines affected. But the behaviour didn't change even after a gpupdate /force and a few reboots; RSoP still showed that the machines in the affected OU were using the domain setting.

Purely on a whim, I got rid of the setting in the domain-linked GPO and ran RSoP again. Whammo, the lower-level setting got picked up. So now I'm intrigued: I created a child OU and configured GPOs to set two different NTLM auth levels on ParentOU and ChildOU. gpupdate and RSoP bore out that the usual LSDOU inheritance order was working as I tried a few different permutations of "disable the GPO link on ParentOU and check, re-enable the link on ParentOU and disable the link on ChildOU", and so on. But as soon as I re-enabled the NTLM auth setting in the domain-linked GPO, RSoP showed that the domain setting took over.

Is this a known behaviour that I just didn't find by Googling? (I know that, having said that, someone like Deji is going to immediately pop up with the correct URL reference, since my karma is just like that. :-)) In the meantime, I find this sufficiently interesting that I'll try to replicate the behaviour in a pristine AD just to be sure.


[1] I have a single OU of machines that need to connect to a remote/untrusted SAMBA server that doesn't support NTLMv2. When asked, the admin of this server said he had no interest in changing the server's configuration to support NTLMv2 since (wait for it) "it's already working, why change it?" I would submit that if I need to downgrade the security of my environment to access his server, it actually isn't working; he just thought that it was.
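Since RSoP and the value a client actually negotiates with can disagree, here is an added check (my example, not code from the original post) that reads the effective LmCompatibilityLevel straight from the LSA key on every computer in an OU and flags the ones still below NTLMv2-only. It assumes RSAT's ActiveDirectory module, WinRM reachable on the clients, and a placeholder OU distinguished name.

```powershell
# Added example: audit the effective "LAN Manager authentication level" per machine.
# Assumes the ActiveDirectory module (RSAT) and WinRM access to the clients.

$LmLevelNames = @{
    0 = 'Send LM & NTLM responses'
    1 = 'Send LM & NTLM, use NTLMv2 session security if negotiated'
    2 = 'Send NTLM response only'
    3 = 'Send NTLMv2 response only'
    4 = 'Send NTLMv2 response only, refuse LM'
    5 = 'Send NTLMv2 response only, refuse LM & NTLM'
}

function Get-EffectiveLmLevel {
    # Security Options are written directly into the LSA key after gpupdate,
    # so this is what the client really uses, whatever RSoP reports.
    param([string[]]$ComputerName = $env:COMPUTERNAME)
    $reader = {
        $p = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
        (Get-ItemProperty -Path $p -Name LmCompatibilityLevel -ErrorAction SilentlyContinue).LmCompatibilityLevel
    }
    foreach ($c in $ComputerName) {
        try   { $v = Invoke-Command -ComputerName $c -ScriptBlock $reader -ErrorAction Stop }
        catch { $v = $null }
        $meaning = if ($null -ne $v) { $LmLevelNames[[int]$v] } else { 'not set / unreachable' }
        [pscustomobject]@{
            ComputerName = $c
            Level        = $v
            Meaning      = $meaning
            # Anything below 3 will still send an NTLMv1 or LM response: the downgrade in footnote [1].
            AllowsNtlmV1 = ($null -ne $v -and [int]$v -lt 3)
        }
    }
}

function Test-OuLmLevels {
    # Enumerate the OU's computers and report which ones still accept the downgrade.
    param([Parameter(Mandatory)][string]$SearchBase)
    $names = (Get-ADComputer -Filter * -SearchBase $SearchBase).Name
    Get-EffectiveLmLevel -ComputerName $names | Sort-Object Level
}

# Placeholder DN: the single OU from the footnote that is supposed to be the only one below NTLMv2.
Test-OuLmLevels -SearchBase 'OU=SambaClients,DC=example,DC=com' |
    Format-Table ComputerName, Level, Meaning, AllowsNtlmV1 -AutoSize
```

Run it once against the SAMBA-client OU and once against a sibling OU; any machine outside the intended OU with AllowsNtlmV1 set to True is the inheritance problem described above showing up for real, not just in RSoP.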
