Group Policies not Applied

Chris Roy

Group Policy is not being applied to users and computers in a security
group that contains those users and computers, even though a Group
Policy object is linked to an organizational unit containing that
security group.

When I remove the security group and put users in the OU it works fine.
Do I have to move the users into the OU for it to work? That doesn't
make sense. Any suggestions would be appreciated.

Chris
 
Cary Shultz [A.D. MVP]

Chris,

This is a very common question. A good place to ask Group Policy
questions - in addition to this specific news group - is the
microsoft.public.win2000.group_policy news group. I am only including this
information in the case that you are unaware of the Group Policy news group.

Anyway, I think that you figured out the answer. A group policy linked to an OU
will work as long as the objects that are to be under the influence of that
GPO reside directly in that OU. So, as you have discovered, you need to
make sure that the user account objects or computer account objects are
located directly in that OU. You can create a security group in that same
OU and make all the user account objects of that OU members of that group if
you so choose.

Let's take an example:

Say that you have created OUs based on the departments in your company. So,
you would have a Marketing OU, a Sales OU, a Finance OU, an HR OU and an IT
OU. You create all of the appropriate user account objects and move them to
the correct OU ( since, by default, user account objects will be placed in
the USERS container ). Now, due to the way that your file server security
is needed to be set up, you create a Global Security Group ( you can also
create a Local Security Group...some would argue that this would be more
appropriate ) for each department ( Marketing, Sales, Finance, HR and IT ).
You can, if you so choose, put the Security Groups in the appropriate OU or
you can create a separate OU called 'Security Groups' or you can keep them
in the default USERS container. It does not matter. Simply make the user
account objects a member of the appropriate security group and you are good
to go.

Now you create a GPO and link it to the Marketing OU. As long as the user
account objects are directly located in the Marketing OU the GPO will work.
Now, what is Security Group Filtering? Look at the security tab on the GPO.
You will see that Authenticated Users is given the READ and APPLY GROUP
POLICY rights. Security Group Filtering is when you remove the
Authenticated Users security group from the security tab of the GPO and
replace it with another security group ( like, for example, the Marketing
security group that you created ). You just need to remember one thing when
doing this - you can create a GPO and link it to a particular OU ( this is
done when you create the GPO initially generally ) but you can go back later
and use that GPO that you created and link it to other OUs. If you remove
the Authenticated Users security group and replace it with another security
group then you might have a problem with that GPO functioning properly when
it is linked to other levels ( typically, but not always, another OU ).

Does this make any sense?

HTH,

Cary
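
The scoping rule described in the reply above, as a small model (an added example, not part of the original posts): a GPO reaches an account only when the account itself sits under a linked OU and the GPO's security tab grants it Read and Apply Group Policy. The directory contents, DNs and function names are constructed for illustration; nested groups, Block Inheritance, enforcement and WMI filters are left out.

```python
AUTH_USERS = "Authenticated Users"

# Constructed sample directory (names and DNs are made up): user DN -> security groups.
USERS = {
    "CN=Alice,OU=Marketing,DC=example,DC=com": {"Marketing"},
    "CN=Bob,CN=Users,DC=example,DC=com": {"Marketing"},  # in the group, outside the OU
    "CN=Carol,OU=Marketing,DC=example,DC=com": set(),    # in the OU, not in the group
    "CN=Dave,OU=Sales,DC=example,DC=com": {"Sales"},
}

MARKETING_OU = "OU=Marketing,DC=example,DC=com"
SALES_OU = "OU=Sales,DC=example,DC=com"


def in_scope(user_dn, linked_ou):
    """True if the account object sits in the linked OU (or a container beneath it)."""
    return user_dn.lower().endswith("," + linked_ou.lower())


def passes_filter(groups, apply_to):
    """True if a principal holding Read + Apply Group Policy on the GPO matches the user."""
    return AUTH_USERS in apply_to or bool(groups & apply_to)


def gpo_applies_to(links, apply_to):
    """Names of the users that would process a GPO with these links and this filter."""
    return sorted(
        dn.split(",")[0][3:]  # "CN=Alice,..." -> "Alice"
        for dn, groups in USERS.items()
        if any(in_scope(dn, ou) for ou in links) and passes_filter(groups, apply_to)
    )


if __name__ == "__main__":
    # Default filter: everyone located in the OU. Bob's group membership does not help him.
    print(gpo_applies_to([MARKETING_OU], {AUTH_USERS}))
    # Security group filtering: narrowed to group members that are also inside the OU.
    print(gpo_applies_to([MARKETING_OU], {"Marketing"}))
    # The same filtered GPO linked only to another OU: nobody there is in Marketing.
    print(gpo_applies_to([SALES_OU], {"Marketing"}))
```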
 
Cary Shultz [A.D. MVP]

Glad to help and sorry for the long response. I usually go a bit overboard
on the explanation...

Cary
 
