<p>I’m a little stumped on this one so I’m hoping someone can enlighten me, since I consider myself a pretty knowledgeable GPO person.</p>
<p>I have a login banner GPO that changes the <code>Interactive Logon:</code> settings within <code>Computer Configuration - Policies - Windows Settings - Security Settings - Local Policies / Security Options - Interactive Logon</code> in order to display a login banner. That is the ONLY thing this GPO does.</p>
<p>NOW, my understanding from <a href="https://technet.microsoft.com/en-us/library/Cc779661(v=WS.10).aspx" rel="noopener nofollow ugc">TechNet</a> and others online, along with my own past experiences, is that you configure this in a GPO that is applied/linked to the domain level.</p>
<p>However, here at my current company <strong>our “LogonMessage GPO” is applied/linked to the Domain Controllers OU ONLY</strong>, and sure enough this GPO does apply to all computers in the organization.</p>
<p>I ran <code>rsop.msc</code>, for instance, on my workstation and it shows it as the Source GPO for that setting, even though my workstation obviously is NOT in the Domain Controllers OU.</p>
<p>So what gives? Why does applying a login banner GPO to the Domain Controllers OU apply it to all computers in the domain?</p>