Group Policy Object doesn't work!

[wolfej]

First, I have created a "testou" organizational unit in a win 2k domain and have populated it with one user called "testusr1." I went into the group policy configuration for this OU and enabled the policy to hide the active directory folder (testou properties, group policy object, user configuration, administrative templates, desktop, active directory, and finally, hide active directory folders, whew....)

Well, it doesn't work-- I can log on as testusr1 and I can browse my network places and browse my domain and browse the active directory just fine. Nothing seems to be hidden. Can anyone tell me what I might be doing wrong?

Second, I asked a question earlier today and have not received any replies--this is what I'd really like to do, but I don't know how to accomplish it. Can anyone help me out? The question is: I've got a win 2k domain with two additional organizational units. Each OU houses user and computer accounts. What do I need to do to prevent users from browsing active directory outside of their own OUs?

Thanks in advance.

 

[MattOP]

You need to revoke the READ rights from the Domain level and then only apply at the OU.

On the View menu in AD User & Computers make sure "Advanced" is on. Now go to the properties of the Domain level, Click the Security Tab, Highlight "Autheticated Users" and untick their READ right.

Now on the OU you want them to browse, go to properties | security and for Authenticated Users either tick READ or add a group containing users who are allowed to browse this OU.