Apply Group Policy to OU

sabns

MIS
May 25, 2002
Hi There,

After searching all the keywords and FAQs, my problems are sort of answered in various threads, but I couldn't figure out my actual problem.

I am new to Win2k Server after upgrading it from Windows NT and wanted to apply group policies to different users in one OU or different OUs. I created a group in an OU and added users to the group for whom the policies should be applied. First the policies were implemented for the administrator account at the Domain Server; later, by adding the group in GPO properties to read and apply policy and by taking off Authenticated Users, the problem was solved and the policies were ok for the user when logged in locally at the domain server, but when the same user logged in at the Win2k Pro client machine the policies were bypassed. I tried with the DNS at the client machine, which was one of the reasons, and gave the Domain Server as primary DNS. Again the problem exists, and I tried with the GPResult at the command prompt of the client machine, and the result was showing that the Group Policy was applied to the client from Domain Server but computer received "Registry" settings from these GPO's:Local Group Policy and computer received "EFS recovery" settings from these GPO's:Local Group Policy. This is my case history. I have spent long days trying to fix this problem and have gone crazy. If anyone in this forum could figure out my problem it would be of great help to me. I am sure all our time is valuable.
Thank you. Sabrish [mad]
 
try creating an ou. placing desired users and computer objects in that ou, then apply the GPO to the OU that they are all in. Should work fine.

try to just use "groups" for resource access, ie: file shares, printer access, etc...

watch what you apply at the domain level, if you apply a GPO at the domain level, and have "no-override" clicked, that GPO will be applied to all ou's in domain, including the DC ou.

I am designing a W2K rollout, and have applied certain security settings at the domain, password policy, etc..

then went to each OU and applied GPO's per business needs and policies. This is just my way of doing it, I think, but I put the computer objects and user objects in the same ou, then apply the user settings, and computer settings to that ou. saves some confusion. ex: one ou might be "execs" and within that ou, you have your exec's user accounts and computers they will be working on, with a "less restrictive gpo". then another ou for "marketing" with the same setup, computer accounts and user accounts, but a more restrictive gpo, etc...

you can contact me at jkarabin@planco.com if you need some help getting started, but once you get the gist of GPolicy, you'll be fine.

Jason
 
Hi Jason, Thanks for your reply. I already tried all that you have said. Domain level GPO is available only for Computer configuration, and that too for monitoring resources at the Domain level (which is not working, and that is secondary). But at OU level no-override is activated and I think that shouldn't affect the OU level GPOs. As you said, I wanted to create different OUs having groups with different GPOs, but unfortunately I couldn't run even the first level at the client station. To make it clear, I am applying only User Configuration GPOs. I have a question at this point: the users log in at their workstations (OS: Windows 2000 Professional) as local users; how can I check if they are logging in as Domain users, or how can I make them log in as Domain users? Could this be a reason for not applying the policies? Because with the same username when I log in at the Domain server the policies are applied to that user, but not at their client machines. I would appreciate your reply and any other suggestions. Have a good day! Sabrish
 
ok. u might have some work to do!

sounds like your computers aren't in the domain. the server is in the domain.

on each client computer, right-click my computer icon, go to properties, then network identification (if w2k boxes), if it says a comp name and workgroup, the comps aren't in the domain, which means they aren't authenticating to the domain, just the local pc. so add the comps to the domain, then log on as the client.

there is lots of white paper on gpo and windows 2000 at Microsoft's web site and these forums.

if these are w2k boxes, you may have to copy the profile from the user when they were logging into the workgroup and put it in their new domain profile on the pc.

 
They could also be members of the domain already, and are just not logging into the domain. When you join the domain and then on the reboot, they need to go to the options button and select it on logon and then select the domain as where they want to logon from the drop down box that is available. This box is not available until they hit the options button the first time.
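
The two checks the replies above describe (is the computer joined to the domain, and is the user logging on to the domain rather than to the local machine), as an added PowerShell example that is not part of the original thread. The function name `Get-GpoLogonDiagnosis` and the sample names are hypothetical, and it assumes a current Windows client with PowerShell rather than the Windows 2000 machines discussed here.

```powershell
# Added example (not from the thread). Get-GpoLogonDiagnosis is a hypothetical name.
function Get-GpoLogonDiagnosis {
    param(
        # Defaults read the live machine; pass explicit values to try other cases.
        [bool]   $PartOfDomain  = (Get-CimInstance Win32_ComputerSystem).PartOfDomain,
        [string] $MachineDomain = (Get-CimInstance Win32_ComputerSystem).Domain,
        [string] $ComputerName  = $env:COMPUTERNAME,
        [string] $UserDomain    = $env:USERDOMAIN
    )

    if (-not $PartOfDomain) {
        # Workgroup member: nothing on this machine authenticates to the domain.
        $state = 'ComputerNotInDomain'
        $next  = "Computer is in workgroup '$MachineDomain'. Join it to the domain, then log on with the domain account."
    }
    elseif ($UserDomain -ieq $ComputerName) {
        # For a local account, USERDOMAIN holds the computer's own name.
        $state = 'LocalAccountLogon'
        $next  = "Computer is in '$MachineDomain' but this is a local logon. Select the domain in the logon dialog."
    }
    else {
        $state = 'DomainLogon'
        $next  = 'Domain logon. Check that the GPO is linked to the OU holding the user and that the user or group has Read and Apply Group Policy.'
    }

    [pscustomobject]@{
        State         = $state
        ComputerName  = $ComputerName
        MachineDomain = $MachineDomain
        UserDomain    = $UserDomain
        NextStep      = $next
    }
}

# Constructed inputs covering the three situations raised in the thread.
Get-GpoLogonDiagnosis -PartOfDomain $false -MachineDomain 'SALES' -ComputerName 'PC01' -UserDomain 'PC01'
Get-GpoLogonDiagnosis -PartOfDomain $true -MachineDomain 'corp.example' -ComputerName 'PC01' -UserDomain 'PC01'
Get-GpoLogonDiagnosis -PartOfDomain $true -MachineDomain 'corp.example' -ComputerName 'PC01' -UserDomain 'CORP'

# Live check on the machine where this runs, then the user-scope policy summary.
$live = Get-GpoLogonDiagnosis
$live
if ($live.State -eq 'DomainLogon') { gpresult /r /scope user }
```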
 
Great, Thank you very much Jay for the help and tips you gave me. And also to futuretech for giving me a tip, which is already noted however. Here is what I did: the client PC was not authenticating to the Domain, and so I added the client machines to the Domain and the policies were activated successfully at user level *great relief*. But I have a question here: after adding the client stations to the Domain, the computers are now shown along with the Domain server in My Network Places, but earlier the clients were shown in separate groups like management, sales, accounting, ... so you go to entire network and then to sales if you want to see the computers under sales and so on, but now it is all under Domain. Is there any way I can make the client PCs appear under groups though authenticating to the Domain? Your response will be highly appreciated. Thank you once again. Good Day! Sabrish
 