
Is there a trick to link GPOs to Global Security groups?


mskennicutt (IS-IT--Management), Oct 18, 2002
I have created a GPO in an OU that contains a global security group with one user (just testing at this point). The problem is that the only way to get the policy to apply when that user logs on is to actually move the user object into the OU. I have tried using the gpupdate command on the computer I'm logging on to (gpupdate replaced secedit /refreshpolicy for XP Pro) but it only works if the user object is in the OU with the GPO.

Does it need to be a domain local group instead of global in order to use group policies?
 
There are a variety of ways to apply Group Policy. OU's are basically containers that objects exist in within the domain. Groups are then used to apply, grant or deny permissions to objects in the domain.

You can apply the GP to the OU, but you can also specify the security permissions for the GP under its properties. (Right click on the OU, go to properties and click on the Group Policy tab, then click on the GP you wish to view and click properties. Note that you can have more than one GP applied to any OU.)

From here you can specify who has permissions to read, apply or even deny the GP.

For example I put all of my user accounts in an OU called Corporate Users. I then apply two different GP's to the OU. One for Management and one for regular users. I create a global group called GP-Management and one called GP-Users. I then give permissions for the GP-Users group to read and apply the Users Group Policy and for GP-Management to read and apply the Management Group Policy. I also apply the Management GP second because it is less restrictive than the Users GP. Lastly I would deny both Group Policies from being applied to Domain Administrators.

I hope I explained that clearly enough.
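An added example (not from the thread or its posters) that scripts the security filtering the post above describes with the GroupPolicy module, which is later tooling than this 2002 thread had. It assumes an OU "Corporate Users", GPOs "Users GP" and "Management GP", and groups "GP-Users" and "GP-Management", and ends with a check of who can actually apply each GPO.

```powershell
# Added example, not from the thread: script the security filtering the post
# above describes with the GroupPolicy module (RSAT, Windows Server 2008 R2+).
# Assumed names: OU "Corporate Users", GPOs "Users GP" and "Management GP",
# groups "GP-Users" and "GP-Management". Run as someone who can edit the GPOs.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$ou = "OU=Corporate Users,$((Get-ADDomain).DistinguishedName)"

# Link both GPOs. Link order 1 is processed last and wins on conflicts, so the
# less restrictive Management GP gets order 1 (the post's "applied second").
New-GPLink -Name "Users GP"      -Target $ou -LinkEnabled Yes -Order 2
New-GPLink -Name "Management GP" -Target $ou -LinkEnabled Yes -Order 1

$filters = @(
    @{ Gpo = "Users GP";      Group = "GP-Users" },
    @{ Gpo = "Management GP"; Group = "GP-Management" }
)
foreach ($f in $filters) {
    # A new GPO grants Authenticated Users Read + Apply, so without this step
    # both GPOs would apply to everyone in the OU. Reduce that to Read only:
    # computer accounts must still be able to read a GPO for its user
    # settings to apply (MS16-072 behaviour), so do not remove it entirely.
    Set-GPPermission -Name $f.Gpo -TargetName "Authenticated Users" `
        -TargetType Group -PermissionLevel GpoRead -Replace
    # Grant Read + Apply Group Policy to the intended group only.
    Set-GPPermission -Name $f.Gpo -TargetName $f.Group `
        -TargetType Group -PermissionLevel GpoApply
}

# Set-GPPermission writes Allow entries only; the post's explicit Deny for
# Domain Admins is set in GPMC under Delegation > Advanced.

# Review who can apply a GPO. An Apply entry for Authenticated Users here
# means the filtering is not actually restricting anything.
function Get-GpoApplyTrustees {
    param([Parameter(Mandatory)][string]$GpoName)
    Get-GPPermission -Name $GpoName -All |
        Where-Object { $_.Permission -eq 'GpoApply' } |
        ForEach-Object { $_.Trustee.Name }
}
Get-GpoApplyTrustees -GpoName "Users GP"
Get-GpoApplyTrustees -GpoName "Management GP"

# On a client, after gpupdate /force and a fresh logon, `gpresult /r /scope user`
# lists the GPO under "Applied Group Policy Objects" for a member of the group
# and under the denied list with "Filtering: Denied (Security)" for anyone else.
```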
 
ahalecitrix:

Hi. Sorry to jump in, but I'm trying to finish a thread from a week ago which still has me confused. If I have user Joe, can that user be in an OU or the users group but not be in both at the same time? I thought we could not apply NTFS rights directly to an OU, instead doing so with GPOs, and if so, as we can't assign rights directly to the OU, then membership in that OU would not count as that user's only AD category to belong to?

Many Thanks



Paul
 
Let's look at it this way.

The OU is the physical location that an object, such as a user account exists in.

Let's use this scenario. We have a domain called usmilitary.local.

In this domain I create two user accounts: johndoe and janesmith.

John and Jane are both stationed at Camp Pendleton. Therefore I create an OU called Camp Pendleton. I place johndoe and janesmith in the Camp Pendleton OU.

John is a Corporal in the USMC and therefore I make him a member of the Domain Global Group called "Marine Corps" and Jane is an Ensign in the US Navy therefore I make her a member of the Domain Global Group called "Navy".

So now John and Jane are both in the Camp Pendleton OU, but John is a member of the group "Marine Corps" and Jane is a member of the group "Navy". The group membership will allow them to have certain privileges or NTFS permissions. Being a member of "Marine Corps" gives John access to the shared folder "M249 Squad Automatic Weapon" on the network. Jane on the other hand has access to the shared folder "Squid's Guide to Living with Jarheads". The access to these shared folders is controlled by their respective group memberships.

Now I create two GPO's for the Camp Pendleton OU. I call one "GP-Marine Corps" and the other "GP-Navy". The same way I give groups access to shared network resources I give the Domain Global Groups permissions to apply the GPO. So I give the Group "Marine Corps" permission to read and apply the GPO "GP-Marine Corps" and the Domain Global Group "Navy" permission to read and apply the GPO "GP-Navy".

By the same token I may have another OU in the domain called "29 Palms". John and Jane cannot be members of the "29 Palms" OU because they cannot physically be stationed at two bases at the same time. The "29 Palms" OU can however have objects such as Sam Jones who is located in the "29 Palms" OU and is also a member of the Domain Global Group called "Marine Corps". However this OU does not have a GPO applied to it so Sam Jones does not have the "GP-Marine Corps" GPO applied to his account even though he is a member of the Domain Global Group "Marine Corps". The GPO "GP-Marine Corps" only exists at the OU "Camp Pendleton".

I hope that analogy will help clarify.
 
Sure does, thanks.
Question: doesn't AD have a category named USERS, and if one removes John, Jane or Spot from it then any rules or permissions that 'USERS' have would be lost to them? Or, perhaps, there is a difference between different security groups like Domain Users and the 'Users' category under AD Users & Computers ?


Paul
 
Yes, Thank you ahalecitrix! It just threw me because the individual users automatically had permissions since they are in the domain users group, but now I understand that to allow a new group access to the GPO I need to specifically add the group to the permissions list.
 
Glad that helped. The default "USERS" folder under Active Directory Users and Computers is basically a default OU. So it is more or less just a container for USER accounts to reside by default. You have the freedom to utilize OU's to organize the AD in a way that makes logical sense for your organization.
 
I was going to reply to this but I saw your post ahalecitrix and you did an excellent job explaining groups and group policies!

You get a *STAR* and two thumbs up!!!



Tim
Certified AND Qualified
 
DOH!
Back at work this morning and I tried your suggestion and I'm still missing something apparently?

Here is the situation:
I have an OU with a global security group (testgrp) inside. I created a group policy by going to the properties of the OU. I then checked the ACL of the new GPO as you suggested and added "testgrp" with read/apply group policy permissions.

I then ran "secedit /refreshpolicy user_policy /enforce" on the server

I ran "gpupdate /force" on the XP workstation I'm testing with and rebooted.

I logged back on with a user (mikeyboy) who is in the group "testgrp" but the policy was still not applied?

The only way I can get the policy to apply is if the user object itself is inside the OU that the GPO is linked to? What else could I be doing incorrectly?
 
mskennicutt,

Here is what I think is going on. An object must exist in the OU that can receive the group policy. I forgot to mention previously that a GPO cannot be applied to a "Group". It can however be applied to "Users" and "Computers".

Group Policy has two types of settings. User settings and Computer settings.

When you add the user to the OU the "User Configuration" settings for the GPO are applied to the user.

Now in many situations you don't want to put the user in the OU, but you want the user to receive certain "User Configuration" settings when logging into a particular computer. (This is a very common situation when using Citrix MetaFrame or Windows 2000 Terminal Services.)

So if you want to control the user experience on this particular computer there is a way to apply the "User Configuration" settings to the User when logging into a particular OU.

Try this. Add the user's computer to the OU. Now go into the Group Policy and expand the "Computer Configuration" settings to the following location:

Computer Configuration\Administrative Templates\System\Group Policy

Here you will find a GP setting called "User Group Policy loopback processing mode". If you enable this, it is going to apply the "User Configuration" settings to the user when they logon to the computer in the OU.

I hope I explained that clearly enough. Thanks to Microsoft it's a bit "kludgey" and not the easiest concept to grasp.
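An added example (not from the thread or its posters) that performs the loopback setup described above with the GroupPolicy module, later tooling than the thread had. It assumes an OU "Terminal Servers" holding the computer accounts, a GPO "GP-Terminal Servers", a computer group "Terminal Server Computers" and a user group "Marine Corps"; all of these names are assumptions, and the block reads the setting back so you can confirm which loopback mode will reach the clients.

```powershell
# Added example, not from the thread: the loopback setup described above, done
# with the GroupPolicy module (RSAT, Windows Server 2008 R2+). Assumed names:
# OU "Terminal Servers" (computer accounts), GPO "GP-Terminal Servers",
# computer group "Terminal Server Computers", user group "Marine Corps".
Import-Module GroupPolicy
Import-Module ActiveDirectory

$gpo = "GP-Terminal Servers"
$ou  = "OU=Terminal Servers,$((Get-ADDomain).DistinguishedName)"
New-GPLink -Name $gpo -Target $ou -LinkEnabled Yes

# "User Group Policy loopback processing mode" is backed by this registry value:
#   1 = Merge   (user's own GPOs first, then the user settings of GPOs that
#                reach the computer, which win on conflict)
#   2 = Replace (only the user settings of GPOs that reach the computer;
#                stricter, and it discards every setting from the user's own OU)
$sysKey = 'HKLM\Software\Policies\Microsoft\Windows\System'
Set-GPRegistryValue -Name $gpo -Key $sysKey -ValueName 'UserPolicyMode' `
    -Type DWord -Value 1

# With loopback, BOTH the computer and the logging-on user need Read + Apply
# on the GPO: the computer so the loopback setting takes effect, the user so
# the user-side settings are processed. The default Authenticated Users Apply
# covers both; below it is narrowed to one computer group and one user group.
Set-GPPermission -Name $gpo -TargetName 'Authenticated Users' `
    -TargetType Group -PermissionLevel GpoRead -Replace
Set-GPPermission -Name $gpo -TargetName 'Terminal Server Computers' `
    -TargetType Group -PermissionLevel GpoApply
Set-GPPermission -Name $gpo -TargetName 'Marine Corps' `
    -TargetType Group -PermissionLevel GpoApply

# Read the setting back from the GPO to confirm what clients will receive.
function Get-LoopbackMode {
    param([Parameter(Mandatory)][string]$GpoName)
    $v = Get-GPRegistryValue -Name $GpoName -Key $sysKey `
        -ValueName 'UserPolicyMode' -ErrorAction SilentlyContinue
    switch ($v.Value) { 1 { 'Merge' } 2 { 'Replace' } default { 'Not configured' } }
}
Get-LoopbackMode -GpoName $gpo

# On the client, after gpupdate /force and a fresh logon, `gpresult /r /scope user`
# lists this GPO under "Applied Group Policy Objects" even though the user
# object itself is outside the OU; that is the behaviour the post is after.
```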
 
I create an OU called Edinburgh - location of office, and put all the Edinburgh users in it. I apply Group Policy etc etc. But I then have to create a group called Edinburgh to apply NTFS permissions on my file system.

Is this correct? Would it not be easier to have one large OU with all the users in it, and apply different GPOs to different groups?
 