HayesJupe's Blog

November 20, 2012

Group Policy – Disabled SOM – ?

Filed under: Active Directory — hayesjupe @ 1:22 pm

I implemented SCCM 2012 for a client a last week and, as per our usual process, implemented an SCCM client health check script which runs as part of a computer start up script in a group policy object.

Came back after a few days – nothing had updated…. “odd” I thought…. but this client had some APPV clients that were still RTM, not SP1 as required for SCCM 2012 and also had disabled vbscript via an archaic method previously…. but the fixed for them seemed to be working.

After running RSOP (server side) and gpresult (client side) – I was getting “disabled SOM” as the reason my GPO was being denied…. never heard of that one before….

turned out, disabled SOM means “Disabled scope of management” and is commonly caused by using block inheritance in group policy…. as regular readers may know – I hate block inheritance… I think it is generally used poorly.

In this case, I was applying a site based policy – and someone had enable block inheritance at the domain level…. (which i’d never seen before)…. because sites are considered to be “above” the domain…. it meant site-linked policies were blocked.. got rid of the block – all was good.

Anyhoo – I thought that was both an odd and interesting one…. one that i’d never seen before and probably never will again!


Leave a Comment »

No comments yet.

RSS feed for comments on this post. TrackBack URI

Leave a Reply

Please log in using one of these methods to post your comment:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s

Blog at WordPress.com.

%d bloggers like this: