Tek-Tips is the largest IT community on the Internet today!
Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!
-
Congratulations strongm on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!
Applying group policy to groups
- Thread starter tosberg
- Start date
- Thread starter
- #3
I'm not sure if that is true. if you look at thread 96-105783 they say you can. However, I've done everything they've said and it still doesn't work for me. You would almost have to have the ability to apply it to groups because adding it to just users is to restrictive. What if one user has some special policy? then you would have to create a new OU for every "special" policy and move those users into it. Hmmm....Anybody else have any suggestions?
2K is very flexible. I don't have AD in front of me right now (or I'd step you through it one by one.) But what I can remember is this:
Go into AD Users and COmputers. Find the OU that you are trying apply the GPO to. (I guess what you are saying is that there are only groups in this OU..no users. This is fine. I designed an OU structure similar to this...so I am familiar with what you are talking about.) Right click the OU and go to Properties. I think here you will see your GPO. Edit the GPO and look for Security TAB. (I can't remember exactly where it is.) After you find the security tab, you will see the security settings for this GPO. It looks a lot like NTFS permissions. By default, you probably won't see your GROUPS listed. So, you have to ADD your groups using the ADD button. Add the Groups that are listed in the OU. Then make sure you give the group READ and APPLY right. Also, make sure there aren't any unwanted groups listed...you can remove any that you don't need. Then try to login again...
_Hope this helps a bit.. Joseph L. Poandl
MCSE 2000
If your company is in need of experts to examine technical problems/solutions, please check out
Go into AD Users and COmputers. Find the OU that you are trying apply the GPO to. (I guess what you are saying is that there are only groups in this OU..no users. This is fine. I designed an OU structure similar to this...so I am familiar with what you are talking about.) Right click the OU and go to Properties. I think here you will see your GPO. Edit the GPO and look for Security TAB. (I can't remember exactly where it is.) After you find the security tab, you will see the security settings for this GPO. It looks a lot like NTFS permissions. By default, you probably won't see your GROUPS listed. So, you have to ADD your groups using the ADD button. Add the Groups that are listed in the OU. Then make sure you give the group READ and APPLY right. Also, make sure there aren't any unwanted groups listed...you can remove any that you don't need. Then try to login again...
_Hope this helps a bit.. Joseph L. Poandl
MCSE 2000
If your company is in need of experts to examine technical problems/solutions, please check out
- Thread starter
- #6
Joseph,
I've taken all the steps that you said and still no luck. Here's the scenario: I have all of my users in an OU called "CompUsers". I have another OU called "CompDepts" where each dept in our company has its own OU underneath "CompDepts". In each dept is the group I created for that dept. For example, the "Accounting" OU is underneath "CompDepts" and in the "Accounting" OU is the group "AcctUsers". Now, obviously, all the users in Accounting belong to the "AcctUsers" OU. I created a test GPO that disabled the screensaver tab in Display properties and applied it to the "Accounting" OU. I took the steps you specified: Added the "AcctUsers" group to the Security of the GPO (by right-clicking on the GPO and selecting 'Properties') and checked the 'Read' and 'Apply Group Policy' boxes. I even took out Authenticated Users and did a 'secedit' on the PC I was testing it on and still no policy applied. I'm at wits end trying to figure this out. My whole OU structure is going to be based upon applying most of the GPO's to groups, not users. I didn't want to have keep moving users in and out of OU's and creating new ones and such everytime a new policy was created. Any ideas as to why this is not working? Anyone?
I've taken all the steps that you said and still no luck. Here's the scenario: I have all of my users in an OU called "CompUsers". I have another OU called "CompDepts" where each dept in our company has its own OU underneath "CompDepts". In each dept is the group I created for that dept. For example, the "Accounting" OU is underneath "CompDepts" and in the "Accounting" OU is the group "AcctUsers". Now, obviously, all the users in Accounting belong to the "AcctUsers" OU. I created a test GPO that disabled the screensaver tab in Display properties and applied it to the "Accounting" OU. I took the steps you specified: Added the "AcctUsers" group to the Security of the GPO (by right-clicking on the GPO and selecting 'Properties') and checked the 'Read' and 'Apply Group Policy' boxes. I even took out Authenticated Users and did a 'secedit' on the PC I was testing it on and still no policy applied. I'm at wits end trying to figure this out. My whole OU structure is going to be based upon applying most of the GPO's to groups, not users. I didn't want to have keep moving users in and out of OU's and creating new ones and such everytime a new policy was created. Any ideas as to why this is not working? Anyone?
tlcscousin
Technical User
Authenticated users should be left in and have the read and apply group policy marked for them.As long as the admin account is not a member of the OU and does not have the apply set against them they should not be subject to the GP.
Try after setting the GP restart DNS. I have found that sometimes this seems to help (dont know why). If DNS is set up properly and working, you should not have to restart it but I have found that when something isnt working like it is supposed to restarting DNS will usually fix it.
Try after setting the GP restart DNS. I have found that sometimes this seems to help (dont know why). If DNS is set up properly and working, you should not have to restart it but I have found that when something isnt working like it is supposed to restarting DNS will usually fix it.
Agree about the DNS bit but definately not the authenticated
users bit.
By the way your set up is perfectly valid and is similar to many I've seen and set up. Disable read and apply for authenticated users and stick with your assignments by group - this method is advised by MS. I'm sitting here looking at a domain with 20,000 clients with GPOs all working this way.
It'll be the DNS settings on the client - you sound like you've read up on this - it's always the 'gotcha' with Group policies
users bit.
By the way your set up is perfectly valid and is similar to many I've seen and set up. Disable read and apply for authenticated users and stick with your assignments by group - this method is advised by MS. I'm sitting here looking at a domain with 20,000 clients with GPOs all working this way.
It'll be the DNS settings on the client - you sound like you've read up on this - it's always the 'gotcha' with Group policies
Also, you can run GPRESULT from the resource kit. This might help you troubleshoot GPO problems. Maybe the policy is being applied but there is a conflict or something.
(Check DNS on the clients...make sure they are pointing to a local domain Windows 2000 DNS server.) Joseph L. Poandl
MCSE 2000
If your company is in need of experts to examine technical problems/solutions, please check out
(Check DNS on the clients...make sure they are pointing to a local domain Windows 2000 DNS server.) Joseph L. Poandl
MCSE 2000
If your company is in need of experts to examine technical problems/solutions, please check out
- Status
Similar threads
- Locked
- Question
