Need explanation of why a particular GPO is applied to all domain computers

I'm a little stumped on this one so I'm hoping someone can enlighten me, since I consider myself a pretty knowledgeable GPO person.

I have a login banner GPO that changes the Interactive Logon: settings within Computer Configuration - Policies - Windows Settings - Security Settings - Local Policies / Security Options - Interactive Logon in order to display a login banner. That is the ONLY thing this GPO does.

NOW, my understanding from Technet and others online, along with my own past experiences is that you configure this in a GPO that is applied/linked to the domain level.

However, here at my current company our "LogonMessage GPO" is applied/linked to the Domain Controllers OU ONLY, and sure enough this GPO does apply to all computers in the organization.

I ran a rsop.msc for instance on my workstation and it shows it as the Source GPO for that setting, even though my workstation obviously is NOT in the Domain Controllers OU.

So what gives? Why does applying a login banner GPO to the Domain Controllers OU apply it to all computers in the domain?

Solution 1:

Are you sure it is not linked at site level? You should check this in the GPMC, under Sites (right click and choose "Show sites" and show all the sites).

Solution 2:

For troubleshooting this type of issue you should use the GPMC (Group Policy Management Console) tool which helps you locate where your Group Policies are linked and who has rights to read them.