OU level

  • Thread starter Thread starter anonymous
  • Start date Start date
A

anonymous

Hi all,
I orginially setup my users under the users OU. Now I
realize that I needed to create an OU at the same level
as users so that I could add a group policy. (I now have
the group policy running under the entire domain). I want
to be able to put all my users say in a OU called NTusers
and leave the admin account under users then move the
group policy from the entire domain to only the ntusers
OU. All my users are members of domain users. My
question is would I move domain users group under ntusers
along with all my other groups that are setup such as
wins, dhcp ect or should I leave them under users? I'm a
little confused on just what rights a member of the
domain user group inherits.
Thanks in advance for any help on the best way to have a
group policy but not include admin and domain admins.
Sherry
 
Location of the domain users group has no bearing on what rights it bestows.
Basically look at permissions on objects and anywhere where you see domain
users, that means anyone in that group gets that access.

joe
 
Do you have to be a member of domain users in order to
access the domain? Also, I tested my first user under
the new ou which I setup a group policy. Both the new ou
for users and the old users have the same group policy.
The test user should get the logon.scr screensaver that
locks with the users network password but instead it just
allows user to go back to desktop without a password.
Under the group policy I setup logon.scr as the exe and a
timeout of 600 seconds.? Is the password not working
because it is trying to run both group policies. (The
user is a member of domain users which is under the old
user ou)
 
It depends on the security that is configured. It all comes down to ACLs, if you
need to know if a domain user can access something in particular, you look at
the ACL and it will tell you if domain users has access.

Groups the user are a member of does not impact gpo's unless you have done group
filtering which basically means you ACL'ed the group policy with a permission to
deny or allow certain groups. This is not something I tend to recommend as it
can be confusing and dangerous.

What happens when you do a gpresult on the user at the workstation?

Does the user have read access to the policy object in AD? Does the user have
read access to the text part of the policy in sysvol?
 
Back
Top