Applying GPO to an OU

[Mary]

I have created an OU and added a security group as a
member of that OU. I have also created a GPO on that OU,
and have changed the security permissions to apply the
policy to the users of the security group. However the
gpo's are not being processed when the user logs in. If I
move a user account into the OU the policies are being
applied. We would like to leave all of our user accounts
in the Users container, but use OU's to control GPO's.
How can this be done?
Thanks,

 

[Andrew Mitchell]

I have created an OU and added a security group as a
member of that OU. I have also created a GPO on that OU,
and have changed the security permissions to apply the
policy to the users of the security group. However the
gpo's are not being processed when the user logs in. If I
move a user account into the OU the policies are being
applied. We would like to leave all of our user accounts
in the Users container, but use OU's to control GPO's.

It doesn't work like that.
GPOs are applied to domains or OU's (as you have done) but only affect
computer or user objects on the relevant domain or OU - not security groups.
Security groups are only used to filter the application of the GPO to users
or computers that are contained within the domain or OU.

How can this be done?

The only way you could do it without moving the users out of the Users
container would be to create the GPO at the domain level, then set the
permissions on the GPO so that only the security group you have created have
Read and Apply Group Policy permissions to the GPO.

IMHO this is not the best way to go about it as you end up with all of your
GPO's defined at the domain level and defeat the purpose of the structuring
abilities that Active Directory provides. It also makes it a lot harder to
figure out which GPO's are going to take precedence.

You are much better off moving your users to a proper OU and defining the GPO
at that level, and only defining domain wide GPO's (such as password policies
etc) at the domain level.