Here's the scenario: I have all of my users in an OU called "CompUsers". I have another OU called "CompDepts" where each dept in our company has its own OU underneath "CompDepts". In each dept is the group I created for that dept. For example, the "Accounting" OU is underneath "CompDepts" and in the "Accounting" OU is the group "AcctUsers". Now, obviously, all the users in Accounting belong to the "AcctUsers" OU. I created a test GPO that disabled the screensaver tab in Display properties and applied it to the "Accounting" OU. Then I Added the "AcctUsers" group to the Security of the GPO (by right-clicking on the GPO and selecting 'Properties') and checked the 'Read' and 'Apply Group Policy' boxes. I even took out Authenticated Users (I've even tested it with 'Authenticated Users' still in the security...to no avail) and did a 'secedit /refreshpolicy user_policy' on the PC I was testing it on and still no policy applied. I'm at wits end trying to figure this out. My whole OU structure is going to be based upon applying most of the GPO's to groups, not users. I didn't want to have keep moving users in and out of OU's and creating new ones and such everytime a new policy was created. Any ideas as to why this is not working? Anyone?
Tek-Tips is the largest IT community on the Internet today!
Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!
-
Congratulations strongm on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!
Group Policy not being applied to Groups
- Thread starter tosberg
- Start date
- Thread starter
- #3
DNS is fine. The policy works if I put the user himself in the "Accounting" OU, it is just that when the group is in there that it doesn't apply to all the members. Any other ideas as to what may be causing the groups not to work? Thanks!
Yeah sorry just reread your configuration. The problem is with your design - it's fine to use security groups to filter GPOs (in fact best practice as long as you remove auth users).
The problem here is that you need the GPO applied at the OU level which contains the user/computer objects. These can even be linked to the original OU.
Try and visualise your setup again - what we usually do is have a complete set of duplicate policies at the top of each OU.
So you have a common client policy (applied to all clients),
a policy for office users, one for RAS users all created at say the Accounting OU and also at the Sales OU etc. Then have a set of security groups to filter within the OU (like you are doing).
I can put this in an email for you (I've tried putting these structures on the board and it's hard work.)
Mail me at ngbconsult@btinternet.com and I'll send you some examples.
Cheers
The problem here is that you need the GPO applied at the OU level which contains the user/computer objects. These can even be linked to the original OU.
Try and visualise your setup again - what we usually do is have a complete set of duplicate policies at the top of each OU.
So you have a common client policy (applied to all clients),
a policy for office users, one for RAS users all created at say the Accounting OU and also at the Sales OU etc. Then have a set of security groups to filter within the OU (like you are doing).
I can put this in an email for you (I've tried putting these structures on the board and it's hard work.)
Mail me at ngbconsult@btinternet.com and I'll send you some examples.
Cheers
- Status
Similar threads
- Locked
- Question