GPO to OU to Group 1

Status
Not open for further replies.

sdime808

MIS
Aug 25, 2006
10
US
I've read in a few books that a good practice is to create your users, place them in a group and place the groups in an OU where you would apply the GPO. So far I can't get the GPO to work unless I put the user directly in the OU. If I do it like the book says, users in groups, groups in the OU, the policy doesn't apply. I also tried to add the group specifically in the security permissions on the OU but that did nothing. Any ideas on how to do this, or if this is the right way?
 
The GPO will only apply to user or computer objects in the OU. GPOs will not apply to users that are nested in groups.

Groups can however play a useful role in Group Policy because it is possible to prevent a GPO from applying to users if you deny the "apply group policy" right on the GPO. By denying the "apply group policy" right to a group, you can add users to that group and therefore prevent the GPO from applying for these users. I think this is where you may be getting confused.

If GPOs were to apply to users of groups in the way that you described it would be a major headache to manage when you consider that a user may belong to a large amount of groups.

 
So to make sure I understand this correctly, I need to add users to OU's to apply the GPO and to a Security Group?

I was just thinking that when we have someone doing user administration, they have to remember to move the User from the OU and change the security groups. I guess I was thinking that if we were able to nest the groups in OU's we could change what group they belong to and that would change which OU and GPO that is applied.

btw, does anyone have the Sybex study guide book for 70-294? The diagram and explanation on pg. 243 seems to explain otherwise. But it seems like benchristian is right... Am I just reading it wrong?
 
For Group Policy to take effect, you only need to link a GPO to an OU that contains user or computer objects. By default, the 'Authenticated Users' built-in group has 'apply group policy' and 'read' permissions when you create a GPO. Let's say you have an OU that contains all of your North American users, but you wanted to make sure that users in New York were exempt from a particular GPO. To achieve this, you could create a security group (the actual group object can reside in any OU) and give it 'Deny' rights for the 'Apply Group Policy' and 'Read' rights on the GPO. You can then add the New York users into this security group. Because the users in that group don't have permission to apply the GPO, the GPO will not be applied to their user accounts. That's really the only time that Security Groups play a role in Group Policy.

I have the 70-294 Sybex book, and I took a look at the diagram that you referred to. I agree, it is rather confusing if you are looking at the diagram and thinking about how Group Policy works. I think that they're trying to introduce Groups and OUs as a way of grouping user objects but the following text is particularly confusing:

For management ease and to implement a hierarchical structure, you can place groups within OUs. You can also assign Group Policy settings to all of the objects contained within an OU.

Group policy doesn't apply to groups, so the last sentence is a bit misleading. I can see from reading that paragraph why you thought that group policy would apply to users nested in groups... confusing... I had a flick through the book, and found page 357. Take a look at 357 and the next few pages, it goes over what I explained above and includes an exercise so that you can implement it in your lab.

Ben.
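
The exemption by security filtering described in the reply above, scripted as an added example that is not part of the original thread. The GPO, group and user names are hypothetical placeholders; it assumes the GroupPolicy and ActiveDirectory RSAT modules and rights to edit the GPO's ACL, and it sets only the Deny on 'Apply Group Policy', not the Deny on 'Read'.

```powershell
# Added example; the three names below are hypothetical placeholders.
Import-Module GroupPolicy, ActiveDirectory

$GpoName    = 'NA-Users-Desktop'     # GPO linked to the OU that holds the user objects
$GroupName  = 'GPO-Exempt-NewYork'   # security group; it can live in any OU
$ExemptUser = 'jdoe'                 # sAMAccountName of a user to exempt

# rightsGuid of the "Apply Group Policy" extended right
$ApplyGpoRight = [Guid]'edacfd8f-ffb3-11d1-b41d-00a0c968f939'

$gpo   = Get-GPO -Name $GpoName -ErrorAction Stop
$group = Get-ADGroup -Identity $GroupName -ErrorAction Stop
$path  = "AD:\$($gpo.Path)"          # the GPO's object under CN=Policies,CN=System

$acl     = Get-Acl -Path $path
$sidType = [System.Security.Principal.SecurityIdentifier]

# Skip the write if the group already carries the Deny ACE
$existing = $acl.GetAccessRules($true, $false, $sidType) | Where-Object {
    $_.AccessControlType -eq 'Deny' -and
    $_.ObjectType -eq $ApplyGpoRight -and
    $_.IdentityReference.Value -eq $group.SID.Value
}

if (-not $existing) {
    $ace = [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
        $group.SID,
        [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
        [System.Security.AccessControl.AccessControlType]::Deny,
        $ApplyGpoRight)
    $acl.AddAccessRule($ace)
    Set-Acl -Path $path -AclObject $acl
}

# Exempt a user through group membership; the user object stays in its OU
Add-ADGroupMember -Identity $group -Members $ExemptUser

# List every ACE on the GPO that touches the Apply Group Policy right
(Get-Acl -Path $path).Access |
    Where-Object { $_.ObjectType -eq $ApplyGpoRight } |
    Select-Object IdentityReference, AccessControlType, ActiveDirectoryRights
```

The new membership is only in the user's token after the next logon; `gpresult /r` on the client then lists the GPO among those filtered out instead of applied.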