Help applying GP to OU

OSU

I am trying to set a group policy on an OU that contains 2 terminal servers.
I want to set a few "User Configurations" under that GP for all users except
admins. I believe I set it but it does not seem to be applying. How would I
go about setting this and what security settings do I need to set? My AD
tree looks something like this:

---AD
-------TS OU <-GP here, and would like to set "User Configurations" for Users 1,2,3 but not 4
------------Server1
------------Server2
-------User OU
------------User1
------------User2
------------User3
------------User4 (Admin Group)

Thanks
 
Chriss3

Hey

Settings in the User Configuration will not take effect on computer objects.
If I understand your directory design, there are only computer objects in the TS
OU. Only Computer Configuration can be applied to computer objects.

If you want to prevent one OU, in your case the User4 OU, from inheriting policy
from a parent object, please follow:

- To block policy inheritance in a domain or organizational unit, open
  Active Directory Users and Computers.
- To block policy inheritance in a site, open Active Directory Sites and
  Services.
- In the console tree, right-click the site, domain, or organizational
  unit in which you want to block Group Policy inheritance, and then click
  Properties.
- Click the Group Policy tab, select the Block Policy inheritance check
  box, and then click OK. This option is recommended, and it is selected by
  default.
 
Smelly

You could use loopback policy, which will apply to users even if they are not
in the Terminal Server OU. Then check Deny on Administrators under the GP so
it does not apply to that group.
Link to understanding loopback:
http://support.microsoft.com/default.aspx?scid=kb;en-us;231287&Product=win2000
Here's how. Worked great for me.
To set a loopback policy:

1. Create an OU to hold the computer accounts of the terminal server
   machines to which you wish to apply the loopback policy.
2. Move the computer accounts into the created OU.
3. Create a group policy for the created OU. Set the permissions on it
   accordingly to prevent application to administrative users.
   If you want to have another policy applied to administrative users, then
   create a separate policy with application permissions only for
   administrative users and repeat the steps listed below.
4. Edit the created group policy and apply all the user settings as
   necessary.
5. To make the policy work in loopback processing mode, open Computer
   Configuration -> Administrative Templates -> System -> Group Policy.
6. Double-click on User Group Policy loopback processing mode.
7. Select Enabled then select the processing mode.
   Replace is generally preferred to Merge because the results can be hard to
   predict. In general, when in merge mode, settings defined in the Computer
   GPOs take preference over those defined in the User GPOs.
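
The loopback steps above, scripted as an added example (not code from the thread or from Microsoft). It assumes a domain where the ActiveDirectory and GroupPolicy PowerShell modules are available; the domain DN, GPO name, admin group name, report path and the NoRun sample setting are hypothetical.

```powershell
# Added example. Every name marked "hypothetical" is an assumption, not from the thread.
Import-Module ActiveDirectory, GroupPolicy

$domainDn   = 'DC=example,DC=com'      # hypothetical domain
$tsOu       = "OU=TS OU,$domainDn"     # OU that holds the terminal servers
$gpoName    = 'TS User Lockdown'       # hypothetical GPO name
$adminGroup = 'TS-Admins'              # hypothetical admin group (User4's group)

# Steps 1-2: make sure the OU exists and the server accounts are in it.
if (-not (Get-ADOrganizationalUnit -Filter "DistinguishedName -eq '$tsOu'")) {
    New-ADOrganizationalUnit -Name 'TS OU' -Path $domainDn
}
'Server1', 'Server2' | ForEach-Object {
    Get-ADComputer -Identity $_ | Move-ADObject -TargetPath $tsOu
}

# Step 3: create the GPO, link it to the OU, then deny "Apply Group Policy"
# to the admin group so the user settings skip its members.
$gpo = New-GPO -Name $gpoName
New-GPLink -Name $gpoName -Target $tsOu | Out-Null

$applyGpoRight = [guid]'edacfd8f-ffb3-11d1-b41d-00a0c968f939'  # Apply Group Policy extended right
$adminSid = (Get-ADGroup -Identity $adminGroup).SID
$gpoPath  = "AD:\$($gpo.Path)"
$acl  = Get-Acl -Path $gpoPath
$deny = New-Object System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList @(
    $adminSid,
    [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    [System.Security.AccessControl.AccessControlType]::Deny,
    $applyGpoRight)
$acl.AddAccessRule($deny)
Set-Acl -Path $gpoPath -AclObject $acl

# Step 4: one sample user setting (hypothetical choice): remove Run from the Start menu.
Set-GPRegistryValue -Name $gpoName `
    -Key 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer' `
    -ValueName 'NoRun' -Type DWord -Value 1 | Out-Null

# Steps 5-7: enable loopback processing. UserPolicyMode: 1 = Merge, 2 = Replace.
Set-GPRegistryValue -Name $gpoName `
    -Key 'HKLM\Software\Policies\Microsoft\Windows\System' `
    -ValueName 'UserPolicyMode' -Type DWord -Value 2 | Out-Null

# Record the resulting settings and delegation for review.
Get-GPOReport -Name $gpoName -ReportType Html -Path .\ts-lockdown.html
```

After `gpupdate /force` on the servers, `gpresult /r` run in a session as User1 should list the GPO as applied, and run as User4 should list it as filtered out.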
 
