Login Script Policy will not run at OU level

KJ

I have created a logon.bat file which creates network
drives when a user logs in to their machine. When I apply
the script at the domain level it runs fine and all users
can see the network drives in Explorer. But when I apply
it at the OU level the script does not run. I have
created the hierarchy to be:

domain\OU\childOUs\globalgroups - then each user has been
added to their specified group.

I want to apply the login script at the OU level but the
only way it works is if I add a user directly under the
OU. Using the hierarchy I have created does not allow the
login script to run. Please advise. Thank you!

David Brandt [MSFT]

The behavior you're seeing is how it is designed to work, as policies will only
apply to objects and not groups (but groups can be used in the security
permissions settings to help filter application), but you may want to take a
look at loopback policy processing:
231287 Loopback Processing of Group Policy
http://support.microsoft.com/?id=231287

253672 Expected System and Group Policy Behavior with Windows 2000 Clients
http://support.microsoft.com/?id=253672

315418 HOW TO: Optimize Group Policy for Logon Performance in Windows 2000
http://support.microsoft.com/?id=315418

822706 Synchronous and Asynchronous Logon Script Processing
http://support.microsoft.com/?id=822706

250842 Troubleshooting Group Policy Application Problems
http://support.microsoft.com/?id=250842
--
David Brandt
Microsoft Corporation

This posting is provided "AS IS" with no warranties, and confers no rights.
Please do not send e-mail directly to this alias. This alias is for
newsgroup purposes only.

Guest

So if I add a group to an OU that has a GPO applied to
it, the users in that group will not have that GPO
applied to them? I found this article which says:

"In order to apply Group Polices to specific users or
computers, you add users (or groups) and computers to
container objects. Anything in the container object will
then get the policies linked to that container. Sites,
Domains and OUs are considered container objects."
http://www.svrops.com/svrops/documents/gpolicies.htm

I thought the whole point of Active Directory was to
create a hierarchy... if you cannot add users to groups and
then put groups in OUs, where is the hierarchy structure?
I appreciate your help.

Cary Shultz [A.D. MVP]

KJ,

I think that you are missing the point that David is trying to make. I am
referring to the security groups acting as a filter aspect to GPOs.

You cannot apply Group Policies to a security group. This must be clear.
You apply GPOs to either the local computer, Sites, Domains or
Organizational Units. That just happens to also be the pecking order. So,
a GPO linked to an OU would 'win' should there be a setting that conflicts
with the same setting in a GPO linked to the Domain.

What David is trying to suggest is that you can, however, use a security
group to filter which users in an OU are affected by that GPO. Let's take an
example to make this clear.

Let's say that you have an organization that decides to create OUs based on
Departments. So, we have an OU called DEPARTMENTS and sub-OUs. We have an
Accounting sub-OU, a Finance sub-OU, an IT sub-OU and a Sales sub-OU. Let's
say that each sub-OU contains some 150 user accounts ( except the IT sub-OU,
which has some six or seven user accounts ).

Let's say that for each sub-OU we create various GPOs that are very specific
to each Department's needs. Furthermore, let's say that there are
something like 12 GPOs that are applied. I am making this more detailed
than it probably needs to be, but there is a point to all this! I promise.
As you can see, it might be a bit problematic to have to re-arrange things
as they are firmly entrenched in this set up.

Now, let's say that there is some software application that we need to
install to some 120 users ( 40 users from each of the three non-IT
sub-OUs ). We need to install it to the user configuration side of things
as it would need to follow them should any of them need to log on to a
computer other than his/her 'normal' computer.

How do we do this? If we create a GPO and link it to the Accounting sub-OU,
to the Finance sub-OU and to the Sales sub-OU then it applies to every user
account in that particular OU to which it is linked. This is because, by
default, the Authenticated Users group is given both read and apply policy
rights! We do not want this. We want it applied to only some 40 very
specific user accounts in each sub-OU. Herein lies the root of the problem!
See, I told you a bit ago that the point was coming! Here it is!!!!!

Here is how to resolve this dilemma: we can create a security group, add
the desired 120 user accounts to that security group and at the GPO simply
replace the Authenticated Users with the security group that we just created
and give it read and apply policy rights! Situation resolved!

I hope that this helps you to better understand what David is suggesting.

Cary
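The security filtering Cary walks through above (the same "security permissions settings" David points at in his reply), written out in PowerShell as an added example: this is not code from the thread and neither poster supplied it. Everything named here is a placeholder assumption: a domain corp.example, a GPO Deploy-AppX-User, a global security group GPO-Apply-AppX living in OU=Groups, the Accounting/Finance/Sales sub-OUs from Cary's scenario, and two sample account names. It also carries one caveat the thread predates: since the MS16-072 (KB3163622) change, user-side GPO settings are read in the computer's security context, so Authenticated Users should keep Read on the GPO and only lose Apply Group Policy, rather than being removed from the ACL outright as Cary's wording suggests.

```powershell
# Added example, not from the original thread. All names are assumptions.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$GpoName   = 'Deploy-AppX-User'          # assumed GPO name (user-side software install)
$GroupName = 'GPO-Apply-AppX'            # assumed global security group used as the filter
$GroupOu   = 'OU=Groups,DC=corp,DC=example'
$Ous       = @('OU=Accounting,OU=Departments,DC=corp,DC=example',
               'OU=Finance,OU=Departments,DC=corp,DC=example',
               'OU=Sales,OU=Departments,DC=corp,DC=example')
$Members   = @('ajones', 'bsmith')       # assumed sAMAccountNames of the 120 target users

# 1. The security group that acts as the filter. Where the group object lives does not
#    matter for filtering; what matters is that the *user accounts* sit under the OUs
#    the GPO is linked to.
if (-not (Get-ADGroup -Filter "Name -eq '$GroupName'")) {
    New-ADGroup -Name $GroupName -GroupScope Global -GroupCategory Security -Path $GroupOu
}
Add-ADGroupMember -Identity $GroupName -Members $Members

# 2. One GPO, linked to each departmental sub-OU (existing links are left alone).
$gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
if (-not $gpo) { $gpo = New-GPO -Name $GpoName }
foreach ($ou in $Ous) {
    New-GPLink -Name $GpoName -Target $ou -LinkEnabled Yes -ErrorAction SilentlyContinue
}

# 3. Security filtering. By default Authenticated Users has Read + Apply Group Policy,
#    which is why the GPO hits every user in the linked OUs. Drop it to Read only
#    (-Replace lowers the existing level; do not remove it entirely, see MS16-072),
#    then grant the filter group Read + Apply Group Policy.
Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' -TargetType Group `
    -PermissionLevel GpoRead -Replace
Set-GPPermission -Name $GpoName -TargetName $GroupName -TargetType Group `
    -PermissionLevel GpoApply

# 4. Show the resulting GPO ACL so the change can be checked.
Get-GPPermission -Name $GpoName -All |
    Select-Object @{Name = 'Trustee'; Expression = { $_.Trustee.Name }},
                  TrusteeType, Permission |
    Format-Table -AutoSize
```

Two things to check after running it. Group membership is carried in the user's logon token, so a user added to GPO-Apply-AppX only picks up the GPO after logging off and on again. On a client, `gpresult /r /scope:user` lists the GPO under "Applied GPOs" for members and under the GPOs that were filtered out, with "Filtering: Denied (Security)", for everyone else in the same OU, which is exactly the behaviour Cary is describing.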