groups and OU's in ad

J

John

we have two ou's for accounts: "users" and "locationx".
the "users" folder is a default and it includes all those
groups and accounts that are created by default, and some
we have created. the "users" folder was derived from our
old NT 4.0 server network, and was brought in when we
upgraded to Win2k server. the "locationx" OU was created
for accounts for users at our new branch location, but all
user accounts in it belong to a group "domain users" in
the "users" folder.
SO IF I set security and policy on the "locationx" OU, is
it affected by security and policy on the "users"
and "domain users" objects?
In AD, in the domain tree, some icons are folders and some
are foders with a picture of a book, what does that mean?
CAN I move all my groups into a new OU called "groups" in
order to fine tune policy?
 
C

Chriss3 [MVP]

John,
What you seen as folders, are containers for compability with NT4.0 NET API.
also as you may noticed upgraded NT4.0 accounts are placed here. You can
move the groups and users into OUs. How ever I see now reason why you should
do this, note this may brake access and functions from NT4.0 systems.

You also talking about Group Policy, but I don't understand what you mean
there?

--
Regards
Christoffer Andersson
Microsoft MVP - Directory Services

No email replies please - reply in the newsgroup
 
J

john

I have always found the inheretence of policy confusing,
but I understand the preferred method of applying policy
is through groups.
for " locationx" OU all accounts are default members
of "domain users" group, which is in the "users" folder.
if I create policy specific to "locationx" OU, will it be
overridden because the "domain users" group is in a
differnet folder?

SO IF I set security and policy on the "locationx" OU, is
 
C

Chriss3 [MVP]

John, You are not the only one so don't worry.

Group Policy Objects (GPOs) are applied only to the users or computers that
are members of the Organizational Unit (OU) to which the GPO is linked.
Groups that are placed in the OU have no effect during the processing of a
group policy. GPOs can only be linked to Sites, Domains and OUs, and not to
users and groups.

You can filter the scope of Group Policy according to security group
membership
http://www.microsoft.com/windows200...?url=/windows2000/en/advanced/help/filter.htm

What are the inheritance rules for Group Policy and Active Directory:
http://www.chrisse.se/MAQB.asp?ID=56

--
Regards
Christoffer Andersson
Microsoft MVP - Directory Services

No email replies please - reply in the newsgroup
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Similar Threads

Groups and OU's 3
Script to move user accounts and append to Groups within an OU 1
AD for Multi tenancy 0
Delegating Administrative rights to OU's 5
Migration with ADMT 1
AD OU Objects and Replication Performance 5
Strange membership issues 4
Active Directory design 3

Top