groups in group Policy? 2

Status
Not open for further replies.

rocker40

IS-IT--Management
Apr 5, 2004
55
US
I have been unable to get a group to work in a group policy. I made a test OU and applied a group policy to it.
Then I made a security group and added 2 users to it. When I added the group to the OU, the policy is not applied?
If I just move the users over from the USER OU into the test OU, the policy does apply. There is no group policy applied to the user OU. I would like to put them under this OU in groups in case I need to add them to an additional OU in the train.
I had some step-by-step instructions I looked up on Google but no luck with them either.
Can anybody help with this?
 
Group policies ONLY apply to user and computer objects. So in your case, since only the group itself exists in the OU and no actual user objects, there's nothing to apply the GPO to.

The default Users folder in AD Users and Computers is a container and not an OU. If you want a GPO to apply to objects in the Users container you must apply the GPO at the domain level.

Hope that helps.

Steven S.
MCSA
A+, Network+, Server+, i-Net+
 
Thank you aznluvsmc
So if I have a security group in the Users container and have a group policy applied to it at the domain level, and I create an OU under the Users container and move a user into it ... does the group policy at the domain level still apply to the security group?
Then I could create a group policy at the OU level too for the individual user?
As long as the 2 don't conflict? Or I select No Override on one of them?
 
GPOs never apply to security groups. When you apply a GPO at the domain level it will apply to user objects since they exist under the domain.

I don't think you can create an OU under the Users container, but I could be wrong.

If you create a GPO at the domain level and then create another one at an OU level, the lower-level GPO will take precedence in the case of a conflict. If the settings can be merged, then they will be merged.

Steven S.
MCSA
A+, Network+, Server+, i-Net+
 
So I cannot put a user under different OUs?
I notice I am only allowed to MOVE a user from the Users container to an OU and so on.
I looked up these instructions for folder redirection in a group policy and it said to make a security group, then apply the policy at the domain level. But if group policies don't apply to security groups then I am lost.

What would I use a security group for then?
I notice I am allowed to make them under an OU.

thank you
 
A user object can only exist in one OU or container at any given time but they can be a member of any number of groups located in any number of domains or OUs.

Steven S.
MCSA
A+, Network+, Server+, i-Net+
 
Could you give a quick example of what a security group would be used for then? Or why I would put users into groups if I cannot apply policies to them?
thanks
Dave
 
You would put users into groups to ease the administrative overhead of assigning permissions. Imagine everyone in the Sales dept. needs access to the Sales folder. Now this dept. is 100 people strong. Do you really want to assign the same permission over 100 times for each user? No, it's easier to put everyone in the Sales group and then assign the Sales group permission to access the folder.

Another benefit of assigning permissions to groups instead of users is to limit server resource usage. The more entries there are in an access control list (the list of permissions each object holds) the more CPU and memory the server needs to process that.

Steven S.
MCSA
A+, Network+, Server+, i-Net+
 
Keep in mind that you can filter who gets a GPO by giving different groups of users the apply group policy permission.

This way you can have multiple GPOs on one OU, and different users in that OU can get different GPOs.

This method is not the easiest way to administrate GPOs though, and can become confusing.
 
Hi mlichstien,
So let's say I have a Sales OU. I have 4 users in it. I could create 2 groups of 2. Then there is one group policy that I want to apply to 2 of them and another to the other 2. I could create 2 group policies and apply one to one group and the other to the other group, by using the Apply Group Policy permission?
 
Hi Rocker40,

Looking at the threads above, it seems you have gotten a mix of accurate, confusing and somewhat inaccurate advice.

A user object can only exist in one OU. Just like you personally can only be in one place at one time. You can move a user object to a different OU if needed.

You can not create a child OU under the Users container as it is a BuiltIn OU. Still it is an OU, use ADSI Edit to get its LDAP path if you need it for scripting.

You can apply a group policy to a Security Group. This is the preferred method. You would not want to have a list of a thousand users in a GPO's security settings as this would be wholely unmanageable.

The problem you have described above, if I understand your post correctly, is that your user objects exist in one OU and your policy exists in another OU which is not an UPLEVEL OU. Group policies flow downward to the user object. Using a security group is kind of like making the decision to apply the policy an 'AND' situation: if the user exists under the OU the policy is applied to 'AND' they are a member of the specified group, then apply the policy. If you do not wish to move your user objects, then put your GPO up at the domain level. So long as you are setting the security settings correctly, this GPO will only affect your test group and have no impact on the rest of your users.

As was stated above, a lower level GPO can change settings from an upper level GPO. This can be prevented by choosing the NO OVERRIDE setting for the specific GPO.

Make sure that when setting the security for your GPO that you specifically set DENY for your Admin IDs. Nothing hurts more than locking down the Admin. :)

I hope you find this post helpful. Please let me know if it was.

Regards,

Mark
 
"You can not create a child OU under the Users container as it is a BuiltIn OU. Still it is an OU, use ADSI Edit to get its LDAP path if you need it for scripting."

Users is not an OU, it is a container. Its LDAP path is CN=Users,DC=domain,DC=com.

This is why you can't link GPOs to Users, and you can't create a child OU under it.
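The points made in the replies above, expressed as commands. This is an added example and not part of the thread: it reads back the object class that makes the Users container different from an OU, links a GPO to an OU (a link target is always a site, domain or OU, never a group), moves a user into that OU, and then lists the links in the precedence order Steven and Mark describe, including the enforced ("No Override") case. The domain corp.example, the OU "test", the GPOs "Test Policy" and "Domain Baseline" (the latter assumed to be already linked at the domain) and the user "alice" are assumptions. The cmdlets come from the ActiveDirectory and GroupPolicy RSAT modules and are run from a domain-joined admin workstation.

```powershell
# Added example, not from the thread. Assumed names: domain corp.example,
# OU "test", GPOs "Test Policy" and "Domain Baseline", user "alice".
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domainDN = (Get-ADDomain).DistinguishedName      # e.g. DC=corp,DC=example

# Users is a "container" object, not an "organizationalUnit". That is why GPMC
# offers no link target there and why no child OU can be created under it.
Get-ADObject -Identity "CN=Users,$domainDN" | Select-Object Name, ObjectClass

# Create the OU, create the GPO and link the GPO to the OU. The link targets
# the OU; groups are never link targets.
New-ADOrganizationalUnit -Name 'test' -Path $domainDN
$ouDN = "OU=test,$domainDN"
Get-ADObject -Identity $ouDN | Select-Object Name, ObjectClass
New-GPO -Name 'Test Policy' -Comment 'Added example, scoped to OU=test' |
    New-GPLink -Target $ouDN -LinkEnabled Yes

# A user object exists in exactly one OU or container, so it is moved, never
# copied. Its group memberships travel with it.
Get-ADUser -Identity 'alice' | Move-ADObject -TargetPath $ouDN

# Every link that applies to objects in the OU, highest precedence first: the
# OU's own links come before those inherited from the domain, so on a conflict
# the OU-level setting wins...
(Get-GPInheritance -Target $ouDN).InheritedGpoLinks |
    Format-Table DisplayName, Target, Enabled, Enforced, Order -AutoSize

# ...unless the higher link is enforced ("No Override" in the old console).
# An enforced link beats lower-level links and ignores blocked inheritance.
Set-GPLink -Name 'Domain Baseline' -Target $domainDN -Enforced Yes
(Get-GPInheritance -Target $ouDN).InheritedGpoLinks |
    Format-Table DisplayName, Target, Enforced, Order -AutoSize
```

The two Get-ADObject calls show ObjectClass "container" for Users and "organizationalUnit" for the new OU. After Set-GPLink the enforced domain link moves to the top of the InheritedGpoLinks list, which is the order the client applies them in.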
 
Markdmac....

I created an OU called 'test'. Then I created a test group called 'testgroup' with three users in it under that OU. I also added the users under the OU.
I applied a group policy to the OU. In the properties of the GPO I selected the Security tab and added the testgroup, then I checked Apply Group Policy for the group. I also denied the policy to the admin.
When I log in as a user that is under the OU but not in the group, the policy still applies? I thought by reading what you wrote below that by setting the group I could have multiple users under the OU but could specify by using security settings in the GPO that it was only applied to the group or groups I added? Or for it to not apply do I have to specifically DENY it to a user or groups in the security settings?

"If the user exists under the OU the policy is applied to 'AND' they are a member fo the specified group, then apply the policy."
Thank you so much for your help so far!
 
Hi Rocker40,

Do a check of all of the entries in your security settings for the test GPO. By default Authenticated Users is added with Apply already checked. You most likely need to clear this to have the policy not hit the test user that is not part of your group.

I hope you find this post helpful. Please let me know if it was.

Regards,

Mark
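The security filtering mlichstien described and the fix Mark gives just above, expressed as commands. This is an added example and not part of the thread; the GPO name "Test Policy", the group "testgroup" and the user "bob" are assumptions. One caveat that postdates the thread: since the MS16-072 update (June 2016) the computer account must be able to read a user GPO for it to be processed, and Authenticated Users is what normally grants that read, so reduce Authenticated Users to Read instead of removing the entry.

```powershell
# Added example, not from the thread: limit "Test Policy" to members of
# "testgroup" with security filtering. GPO, group and user names are assumed.
Import-Module GroupPolicy

$gpoName   = 'Test Policy'
$groupName = 'testgroup'

function Show-GpoFilter {
    param([string]$Name)
    # Trustee is an object; pull out its name so the table is readable.
    Get-GPPermission -Name $Name -All |
        Select-Object @{ n = 'Trustee'; e = { $_.Trustee.Name } }, Permission, Inherited |
        Format-Table -AutoSize
}

'Before:'
Show-GpoFilter -Name $gpoName   # a fresh GPO carries Authenticated Users: GpoApply

# 1. The group that should receive the policy gets Apply (GpoApply implies Read).
Set-GPPermission -Name $gpoName -TargetName $groupName -TargetType Group `
    -PermissionLevel GpoApply | Out-Null

# 2. Authenticated Users keeps Read but loses Apply. -Replace is required:
#    without it Set-GPPermission only ever raises a trustee's level.
#    Do not use -PermissionLevel None here; since MS16-072 the computer account
#    also has to read user GPOs, and this entry is what lets it do so.
Set-GPPermission -Name $gpoName -TargetName 'Authenticated Users' -TargetType Group `
    -PermissionLevel GpoRead -Replace | Out-Null

'After:'
Show-GpoFilter -Name $gpoName   # Apply is now held by the group only

# 3. Verify from the client side, from an elevated prompt on a machine where the
#    test user has logged on (run gpupdate /target:user there first). In the
#    report the GPO appears under "Applied GPOs" for a group member and under
#    "Denied GPOs" with reason "Security" for a user in the OU who is not.
Get-GPResultantSetOfPolicy -User "$env:USERDOMAIN\bob" -ReportType Html `
    -Path "$env:TEMP\bob-rsop.html"
```

Set-GPPermission cannot write a Deny entry; the Deny for admin accounts that Mark recommends is set in GPMC under the GPO's Delegation tab, Advanced. Once Authenticated Users no longer holds Apply, an administrator who is not a member of testgroup does not receive the policy anyway, so the Deny only matters for admins who are also in the group.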
 
markdmac, do you recommend leaving all users in the default Users container, then putting them in groups, then putting the groups into OUs, as opposed to moving users into OUs as you create them?

I was under the impression that users were put into OUs and not groups, so I move mine out of the Users container into OUs, as otherwise there would be 2000 users in there.

 
I think that totally depends on your environment. There are advantages to each method. Having all of your users in one place makes it easier to find the user objects if you are scripting.

However, I prefer to move the users to the OU. The main reason I think this is a good idea is because it lets you delegate rights over those users and only those users.

I just converted a credit union this weekend to Win2K3 and Exchange2K3. I created an OU for each bank branch, moved the computers for that branch into a Computers OU in the Branch OU and moved the users to a Users OU under the Branch OU. The IT staff at the credit union can now delegate the right to unlock accounts to the Branch Manager for that site. This manager will only have the ability to unlock accounts in their own OU and not manage users from another branch. Having the computers in their own OU (and creating a group for those computers) makes it easier to manage those computers as a subset. We did just that by pushing out Outlook 2003 one branch at a time.

I hope you find this post helpful. Please let me know if it was.

Regards,

Mark
 
Yes, thanks, I have created separate OUs and placed all of my users in them according to their location and needs.

Thanks for the input it's nice to find out how other people do things.

 
Thank you Mark, that was it.
I still had Authenticated Users checked to Apply in the security settings of the group policy.

I have one other problem yet. I am trying to share a folder through group policy. I wrote a simple script like I would if just making a .bat file:
net use G: \\servername\folder
and I put this under the logon scripts in the group policy, but no luck, it did not work.
I would like to have this folder applied thru group policy and then apply it to a group.
Could you help with this one?
Thanks
Dave
 
If you mean under User Settings - Scripts - Logon, I believe that those scripts need to be VBS, don't they?
 
I was wondering about that thank you I will try that.
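The drive mapping Dave asks about, done as a PowerShell logon script. This is an added example and not part of the thread; the share \\fileserver\sales, the group "Sales Share Users" and the letter G: are assumptions. The script goes on a User Configuration GPO that is security-filtered to the same group (as in the filtering example above): in GPMC, edit the GPO, User Configuration > Policies > Windows Settings > Scripts (Logon/Logoff) > Logon, PowerShell Scripts tab, and "Show Files" opens the GPO's Scripts folder in SYSVOL where the .ps1 is dropped. The point a practitioner should keep in mind is that the mapping grants nothing: whether the user can open the folder is decided by the share and NTFS ACLs, which should be granted to the group exactly as Steven described for permissions.

```powershell
# Added example, not from the thread: a logon script that maps a drive letter
# only for members of a domain group. Share, group and letter are assumptions.
$DriveLetter = 'G'
$SharePath   = '\\fileserver\sales'      # assumed share
$GroupName   = 'Sales Share Users'       # assumed domain security group
$drive       = "${DriveLetter}:"
$logFile     = Join-Path $env:LOCALAPPDATA 'MapSalesDrive.log'

# Membership is read from the logon token: no directory query, no extra
# privilege, and it reflects the groups the user actually holds this session.
$principal = New-Object System.Security.Principal.WindowsPrincipal(
    [System.Security.Principal.WindowsIdentity]::GetCurrent())
$isMember = $principal.IsInRole("$env:USERDOMAIN\$GroupName")

# Clear any earlier mapping of the letter so a user removed from the group does
# not keep a stale drive. On a non-network letter net use just fails, harmlessly.
if (Test-Path -LiteralPath "$drive\") {
    net use $drive /delete /y 2>$null | Out-Null
}

if ($isMember) {
    # /persistent:no: the mapping is recreated by this script at each logon
    # instead of being cached in the profile, so group changes take effect at
    # the next logon and nothing lingers after the user leaves the group.
    net use $drive $SharePath /persistent:no 2>&1 | Out-Null
    if ($LASTEXITCODE -ne 0) {
        # Logon script output is not shown to the user; leave a trace for
        # the helpdesk in the user's own profile (no admin rights needed).
        Add-Content -Path $logFile -Value ("{0} could not map {1} to {2} (net use exit code {3})" -f
            (Get-Date -Format s), $drive, $SharePath, $LASTEXITCODE)
    }
}
```

The script runs in the user's security context, which is why the token check works and why the policy has to be a user-side one. On the file server, access is granted to the group, not to the mapping: for instance Grant-SmbShareAccess -Name sales -AccountName "CORP\Sales Share Users" -AccessRight Change for the share, and the matching Modify entry for the same group in the folder's NTFS ACL. A user who is not in the group gets no mapping from this script, and would be refused by the ACL even if they typed the UNC path by hand.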
 