Actually, we do not care about group membership at all when applying GPOs.
After applying the GPOs associated with the machine account we then follow
the Local-->Site-->Domain-->OU processing path for the user account.
We do not perform any checks on group membership.
The reason for this can be summed up in the following scenario:
User 1 is part of Group A and Group B.
Group A is in OU=Marketing and Group B is under OU=Accounting, which are OUs
at the same level in the AD hierarchy.
The GPO "Test GPO1" is linked to OU=Marketing and "Test GPO2" is linked to
OU=Accounting.
Test GPO1 sets a policy to a value of enabled.
Test GPO2 sets the same policy to a value of disabled.
Who wins? Because they are at the same level we cannot make the determination.
This is why we do not follow the OU path for a group object. Only the
machine account and then the user.
blim [MSFT]
This posting is provided "AS IS" with no warranties, and confers no rights.
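As an added illustration (not code from the thread), here is a small Python model of the processing path the reply describes: a GPO is picked up only from the containers on the object's own DN path, machine first and then user, and group DNs are never walked. The DNs, GPO names and the "PolicyX" setting are constructed for the Marketing/Accounting scenario above; Local and Site links are left out of the model.

```python
# Constructed links for the scenario in the reply: container DN -> GPOs linked
# there, with the settings each one carries. "not configured" means the GPO
# leaves that setting alone. (Local and Site links are omitted.)
LINKS = {
    "DC=contoso,DC=com": [("Default Domain Policy", {"PolicyX": "not configured"})],
    "OU=Marketing,DC=contoso,DC=com": [("Test GPO1", {"PolicyX": "enabled"})],
    "OU=Accounting,DC=contoso,DC=com": [("Test GPO2", {"PolicyX": "disabled"})],
}

def containers(dn):
    """Ancestor containers of an object: domain first, nearest OU last."""
    parts = [p.strip() for p in dn.split(",")]
    return [",".join(parts[i:]) for i in range(len(parts) - 1, 0, -1)]

def resultant(dn, links=LINKS):
    """Walk the object's own path; a GPO linked closer to the object wins.
    Returns (GPOs applied, in order; effective settings)."""
    applied, effective = [], {}
    for container in containers(dn):
        for name, settings in links.get(container, []):
            applied.append(name)
            effective.update({k: v for k, v in settings.items()
                              if v != "not configured"})
    return applied, effective

def logon(machine_dn, user_dn, groups=()):
    """Machine policy first, then user policy. 'groups' is accepted only to
    make the point: group DNs are not walked, so they contribute nothing."""
    return {"computer": resultant(machine_dn), "user": resultant(user_dn)}

def conflict_if_groups_counted(groups, links=LINKS):
    """The 'who wins?' objection: if group location did count, one setting
    could be driven by two same-level OUs with no order between them."""
    values = {}
    for group_dn in groups:
        for container in containers(group_dn):
            for name, settings in links.get(container, []):
                for k, v in settings.items():
                    if v != "not configured":
                        values.setdefault(k, set()).add((name, v))
    return {k: v for k, v in values.items() if len(v) > 1}

USER1 = "CN=User 1,OU=Sales,DC=contoso,DC=com"   # the user object sits in neither OU
GROUPS = ["CN=Group A,OU=Marketing,DC=contoso,DC=com",
          "CN=Group B,OU=Accounting,DC=contoso,DC=com"]
MACHINE = "CN=WS01,OU=Accounting,DC=contoso,DC=com"

if __name__ == "__main__":
    print(logon(MACHINE, USER1, GROUPS))       # user side gets neither Test GPO
    print(conflict_if_groups_counted(GROUPS))  # what counting groups would produce
```

On a real client the same question is answered by `gpresult /r /scope:user`, which lists the GPOs that were actually applied for the logged-on user.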
--------------------
| >From: "Mike Brannigan [MSFT]" <[email protected]>
| >References: <[email protected]>
| >Subject: Re: Multi-Forest and OUs, Groups
| >Date: Wed, 26 Nov 2003 18:38:24 -0000
| >Message-ID: <[email protected]>
| >Newsgroups: microsoft.public.win2000.active_directory
| >
| >> Can someone clarify this for me:
| >>
| >> I want to set up an account forest (Contoso.com) where user accounts are
| >> contained. I then created a child forest (not domain) Resource.Contoso.com
| >> as a resource forest. Here are the questions:
| >>
| >
| >There is no such thing as a child Forest. A forest is a unique instance of an
| >Active Directory Schema and configuration and is not related in any way to
| >any other forest. The fact that you use a contiguous DNS namespace to
| >represent your NEW Forest Resource.Contoso.com in no way implies any
| >connection or ability to interact between these 2 forests.
| >
| >I will continue to answer your questions in the belief that you did actually
| >mean a separate forest and not a child domain.
| >
| >
| >> 1. If I create a group which includes users (from Contoso.com forest) and
| >> put in OU=accounting in Resource.Contoso.com, will a GPO applied to
| >> OU=accounting work? i.e. if userA belongs to group accounting and when
| >> he/she logs on to a machine located in Resource.Contoso.com, the GPO will
| >> then be applied to him/her.
| >>
| >
| >To do this you would need to first put a trust relationship in place to
| >allow you to add user accounts to a group in a foreign domain.
| >The machine the user from Contoso.com will log on to may be under an OU that
| >is subject to a GPO and this will obviously impact that machine - however
| >the user will be authenticated by Contoso.com and thus will be
| >subject to GPOs from the OU structure only in that Domain (Contoso.com) as
| >it is the authenticating system.
| >Their membership of a group in Resource.Contoso.com that may be under an OU
| >that has a GPO on it is irrelevant since they are being authenticated by the
| >Contoso.com domain.
| >
| >> 2. If one doesn't work, can I create groups in the Contoso.com forest, and
| >> then OU=accounting in resource.Contoso.com contains the groups.
| >>
| >
| >Obviously you can have a group in your Domain that is in an OU that has a GPO
| >applied to it. A user account in this group will/may then be subject to
| >GPOs from that Site, Domain and OU structure during logon.
| >
| >> 3. Does Windows 2003 solve the problem?
| >
| >No, there is no problem here to solve. GPOs are processed for the machine
| >from the Site, Domain and OUs that the machine is in. At logon a user
| >account processes the appropriate Site, Domain and OU GPOs that are
| >applicable to it from the domain that it is authenticating to. Membership of
| >groups in other OUs, particularly in foreign forests, is not going to cause
| >them to have GPOs applied to them since the foreign forest is not where they
| >are being authenticated.
| >
| >What exactly are you trying to achieve?
| >
| >>
| >> Thanks
| >--
| >Regards,
| >
| >Mike
| >--
| >Mike Brannigan [Microsoft]
| >
| >This posting is provided "AS IS" with no warranties, and confers no
| >rights
| >
| >Please note I cannot respond to e-mailed questions, please use these
| >newsgroups
| >