User account in OU?

[Guest]

Hi,

I created an OU "SUS Test" and into an group "SUS Group". I´d like to
populate the group with users account from User Container, it´s possible? Or
the user account need to be in OU.

My objetive is to control the OU with GPO specific, i already tried to do
the scenario above but the policy wasn´t applied.

Thanks by help.

Hacinn

 

[Jeremy Hallock]

Group policy will apply to the users and computers (depending on the
settings you configure in the policy) within the OU or OU hierarchy
where you apply the policy. So if you configured a user policy setting
in a policy that is linked to the SUS Test OU, then the user object must
be in that OU or in a sub-OU for that policy to apply. If the policy
change is made in the computer configuration portion of the policy, then
the computer account must be in the OU or a sub-OU where the policy is
linked and applying.

The main reason to use groups when applying policies is to have a policy
apply to user1 but not user2, as an example. So you have user1 and
user2 in the Test OU where you create and link the policy, you create a
group, add user2 and remove the "apply group policy" checkbox to keep
that policy from applying to user2. If user3 is in the Prod OU, instead
of the Test OU where the policy is linked, even if you add user3 to a
group and set it to "apply group policy", the policy will not apply to
that user.

 

[Ryan Hanisco]

Hi Hacinn,

What Jeremy is describing is called GPO filtering. You apply the GPO to the
Domain, site, or OU and control to whom it applies through the GPO's
permissions.

I would point out though, that you seem to be trying to control SUS. If you
are making this group and GPO to manage SUS the you're on the right track.
If you are trying to control where the SUS applies, this is to the computer
account rather than the user account (SUS applies even when no one is logged
in). You need to apply the GPO to a container holding Computers and filter
against groups of computers.