Problems with applying GPOs

[SelbyGlenn]

Hi there,

I'm looking for a bit of clarification here.

My understanding of GPOs is if you set a user_policy on a GPO and add the GPO to an OU it will only take affect if the user resides in that OU. Correct?

Now what happens if all your groups reside in the standard USERS OU but the users are in specifically created Site OU's. You then create a specific user_policy GPO and assign it to one of the site OU's. You then set the security of that GPO by adding a group and enabling "Apply Group Policy" to that group. Now the users in that group are in the same OU as the GPO but the group is in a different OU. Will the GPO take effect?

I hope I haven't confused you too much!!!!

Thanks in advance!
Glenn
BEng A+ MCSE CCA

 

[koquito]

If you want an specific GP to aplpy to an specific Group of USers....Make an OU with an intuitive name for that group of users.If its better for you management, you can place that OU under the Users OU of your Domain, or just outside at the same level as all the dafault ones..
Then You will apply the GP to that particular OU, making sure, that those users that you choose, have the Apply POlicy and Read PErmissions under Policy Security.
I had a poblem recently applying policies...i found that the computers where i wanted the policy to be applied, didnt have the HOst record in DNS, didn't work despite the fact that i added the HOSt record manually..so i disjoined and joined back into the domain, and making sure they were using my domain DNS ..that way the record was added, and the policy started to be applied like a charm.
I hope this helps you..
A+, MCP, CCNA
marbinpr@hotmail.com

Keep fighting for your knowledge!

 

[GrnEyedLdy]

SelbyGlen,

First question; Correct

Next, the USERS folder is not an Organizational Unit. It is just a container.

Does this help?

Patty

 

[SelbyGlenn]

Hi GrnEyeLdy,

I know the USERS folder is not an OU which is why I had to apply the GPO to one of the site OU's I created. But I've enabled the GPO for a certain set of users by setting the security for a group instead of adding all the specific users. Thing is though, all my groups are under USERS. So, will the GPO take effect?? Glenn
BEng A+ MCSE CCA

 

[GlenJohnson]

I've gotta do more research on OU's and such. I've always specialized in networking and rites. Gonna follow this one.

Glen A. Johnson
Johnson Computer Consulting
MCP W2K
glen@nellsgiftbox.com


"What really happens is trivial in comparison to what could occur."
Robert von Musil (1880-1942); Austrian author.

 

[MisterNiceGuy]

No, your GPO will not apply to your users. The only GPO's that will apply to the default Users folder are those GPO's that are set at the root of the domain i.e. the Default Security GPO. You have to develop an OU structure and divide your users up into those OU's Then place your GPO's at each OU so that they only effect the users or computers you want them to apply to.

Alternately, you could place all your GPO's at the root of the domain(not recommended), restrict access to them by group membership and place the users into the appropriate groups. You have to realize that a GPO has a DACL(discretionary access control list) just like an OU or any other object in Active Directory does. The DACL's for these objects is similar to the DACL's you are familiar to using within an NTFS file and folder structure.

There is a lot to consider when developing a group policy implementation, so I recommend you do some testing with some basic group policies and make sure that you are fully understanding how they are applied, how they can be filtered and how they affect the end user or computer.

Group policies are applied by the computer or user object during domain logon. The first policy that applies is the local computer policy, then any policy applied to the site(determined by IP subnet) the user or computer is located at will be processed, then the policy at the root of the domain, then policies within the OU structure containing the user or computer object are processed in top down fashion, with the final policy applied being the one closes to the objects location. Whatever policy is applied last is effective unless a no over-ride policy is found on the way. That pretty much sums it up, so if you look at a user object in your domain, and traverse upward toward the domain, and do not see the policy you want to apply, then it won't. Adjacent policies are ignored. I hope this explanation is sufficient.

 

[koquito]

Your GP will apply to those under a particular OU with that policy applied to it. If your group of users are under that OU with that policy, then the policy will apply only to them ...
The security settings and the policies are different things...but related.The security setings are there to enable to read and apply (and/or grant less or more priviledges on) the policies.


A+, MCP, CCNA
marbinpr@hotmail.com

Keep fighting for your knowledge!