Can someone please tell me how to get group policy to work with a security user group (or tell me whether one can use GP to work with user groups at all)? Here is what I did to set up things up. In AD I created an OU called Special Users and I dragged the “Special Users” security group from the “Users” folder in AD to this OU. I created a group policy object for this OU. Then I followed these directions on Microsoft’s website with the title “To filter the scope of Group Policy according to security group membership” to try to get the GP to apply towards this “Special Users” group
1. In the console tree, I right-clicked the icon or name of the Group Policy object, and then clicked Properties.
2. I then clicked the Security tab, and I added the Special Users group
3. In the Permissions box for the selected security group (in this case the “Special Users”, I selected the “Allow” check box next to “Apply Group Policy” and “Read”. I also cleared the “Allow” check boxes next to “Apply Group Policy” for the “Authenticated Users” group

I did the above configuration according to the table on this website: http://www.microsoft.com/resources/d...n-us/Filter.as

After all of that, I login as a member of the “Special Users” group, but nothing happened. Please note that if I put the users themselves into the OU I had created, everything works like a champ. It is only when I use the security group in the OU that things don’t work as planned

GPOs only apply to users and computer accounts that are located in the OU
where the GPO is applied, or a child OU of the OU where the GPO is applied.
If you apply a GPO to the domain, it will apply to all user accounts or
computer accounts.

Now, groups get involved ONLY from a standpoint of controlling the default
behavior, which is stated above. I can deny a group from applying GPOs, only
if the user or computer account is in the path of the GPO, as stated above.

--
Derek Melber
BrainCore.Net
(E-Mail Removed)
"Carl" <(E-Mail Removed)> wrote in message
news:E48EB451-DDEC-416D-8B92-(E-Mail Removed)...
> Can someone please tell me how to get group policy to work with a security
user group (or tell me whether one can use GP to work with user groups at
all)? Here is what I did to set up things up. In AD I created an OU called
Special Users and I dragged the "Special Users" security group from the
"Users" folder in AD to this OU. I created a group policy object for this
OU. Then I followed these directions on Microsoft's website with the title
"To filter the scope of Group Policy according to security group membership"
to try to get the GP to apply towards this "Special Users" group:
> 1. In the console tree, I right-clicked the icon or name of the Group
Policy object, and then clicked Properties.
> 2. I then clicked the Security tab, and I added the Special Users
group.
> 3. In the Permissions box for the selected security group (in this case
the "Special Users", I selected the "Allow" check box next to "Apply
Group Policy" and "Read". I also cleared the "Allow" check boxes next to
"Apply Group Policy" for the "Authenticated Users" group.
>
> I did the above configuration according to the table on this website:
http://www.microsoft.com/resources/d...-us/Filter.asp
>
> After all of that, I login as a member of the "Special Users" group, but
nothing happened. Please note that if I put the users themselves into the
OU I had created, everything works like a champ. It is only when I use the
security group in the OU that things don't work as planned.
>

You got it!

You can, but NOTHING will happen if the group is the only object in the OU.
The user and/or computer object MUST be in the OU for GPOs to apply.

--
Derek Melber
BrainCore.Net
(E-Mail Removed)
"Carl" <(E-Mail Removed)> wrote in message
news:A10E917D-7CD8-435A-B288-(E-Mail Removed)...
> Derek,
>
> So are you saying that you cannot apply a GPO to a "User Group" even if
the group has been placed inside of an OU?

Carl,

You are doing everything right to filter the GPO based on group membership.
You just need to make sure the actual User and/or Computer account (has to
be the object itself not group) is in the path of the GPO. So, apply the GPO
that you are mentioning to a level in the hierarchy where a couple of users
exist. Have one user int he "Special Users" group and the other with no
specific group membership. This should work out for you.

Kevin

"Carl" <(E-Mail Removed)> wrote in message
news:E48EB451-DDEC-416D-8B92-(E-Mail Removed)...
> Can someone please tell me how to get group policy to work with a security
user group (or tell me whether one can use GP to work with user groups at
all)? Here is what I did to set up things up. In AD I created an OU called
Special Users and I dragged the "Special Users" security group from the
"Users" folder in AD to this OU. I created a group policy object for this
OU. Then I followed these directions on Microsoft's website with the title
"To filter the scope of Group Policy according to security group membership"
to try to get the GP to apply towards this "Special Users" group:
> 1. In the console tree, I right-clicked the icon or name of the Group
Policy object, and then clicked Properties.
> 2. I then clicked the Security tab, and I added the Special Users
group.
> 3. In the Permissions box for the selected security group (in this case
the "Special Users", I selected the "Allow" check box next to "Apply
Group Policy" and "Read". I also cleared the "Allow" check boxes next to
"Apply Group Policy" for the "Authenticated Users" group.
>
> I did the above configuration according to the table on this website:
http://www.microsoft.com/resources/d...-us/Filter.asp
>
> After all of that, I login as a member of the "Special Users" group, but
nothing happened. Please note that if I put the users themselves into the
OU I had created, everything works like a champ. It is only when I use the
security group in the OU that things don't work as planned.
>