Applying Group Policy's to Users

[loacadmin]

I have created a new group policy and want to Apply it to a specific username. (training)

I have this set up already for another account (patron) but I want them totally seperate from each other.

I was wondering if anyone could give me some direction on this.

Thanks

 

[welshguy]

Hi

For a start i wouldn't apply group policies to a single user. If you only want one person - just create a group and put the user in it then apply policy to the group.
Even if there's only one user it's much better to do it like this and if you want other users to have the policy applied just stick them in the group.

Create the policy at the OU level of the user/group - then go to properties and security of the group policy and give the group read and apply group policy permissions - remember to remove apply group policy to authenticated users as this is set up by default and therefore will apply policy to all users in domain.

Hope this helps - any other questions please post

Cheers

 

[loacadmin]

Ok Thanks,

How do you apply the policy to the Group?

Thanks,
Ross

 

[welshguy]

Ross,

Just create the group - easier to create group in same OU as
group policy. Then select group policies - then highlight the policy you wish to apply - permissions then assign the group you have created and give it read and apply permissions.

Then any user placed in this group will have that policy applied to it. If you want this nay more detail let me know and I'll try and help.

Cheers

 

[loacadmin]

Thanks for your Responces,

That basically worked except that the "Training" username that I created is a member of the Standard Domain Users group as well, and so some of the settings that are applied to the Standard Domain Users group are also applied to the Training Username. If I take the Training username out of the Domain Users Group will that effect anything?

Thanks Again.

 

[welshguy]

Ross,

I think what is happening is that the Policies have the apply to all authenticated users permissions set. When you create a policy this is set as default which is annoying (although you can modify this via the schema).
It effectively means that any policy you create will apply to any users in the domain until you take this attribute off.

The policies at the domain level will be applied all the way down to users below - in this order LSDOU
Local, site, Domain, OU - unless they are blocked using block inheritance or explicitly denied.

A good design is to have a basic computer and user gpo at the domain or site level with the minimum policies you want applied to all objects - put things like minimum password length etc in there - but don't put too many settings in these policies otherwise it will cause headaches !
Bear in mind that policies that are applied at the domain level will filter down to objects below unless you specify otherwise.

Hope this clarifies a bit.

Cheers

 

[Guest_imported]

Create an OU and put the user that u want to have a group policy implemented on, goto properties of that OU, and click on add, then browse for the GP that u want to apply to this OU, select it and then click OK
Its going to b applied to the default users as well. so click on properties & then security and remove all the users xcept the one that u want this group policy to apply to

 

[Guest_imported]

Create an OU and put the user that u want to have a group policy implemented on, goto properties of that OU, and click on add, then browse for the GP that u want to apply to this OU, select it and then click OK
Its going to b applied to the default users as well. so click on properties & then security and remove all the users xcept the one that u want this group policy to apply to, make sure that apply GP check box iz markes in the security panel/window in the properties of the GP

 

[gazzanewpy]

I have found that unless you add the policies to the OU (through properties>group policies>add) the lower policies are not automatically assigned to the users or computers. I have also been told that the order of the additions and any new polcies is important. Windows works from the bottom up so that, unless inheritance is blocked, any lower filter setting that is not contradicted by a higher policy takes precedence. If there is conflict, the higher policy succeeds! Can anyone confirm this?

 

[gazzanewpy]

I can now correct myself. I have now applied GPOs to all my users from enheritance. Yousimply must plan carefully and double check any conflicts.

I do have an issue that when I move a user from one OU to another they do not always inherit the new policies. This has only happened a few times (about 5 users for 1000) but it is stillof concern.

I alsofind that sometimes the policies are not applied yet Resultant effects simply tells me that they were not applied though no reason is known. Strange.