users to multiple OU's

Brian White

How do you do this? I do not see any option in the right
click menus for adding a user to an OU. All I see is the
ability to move a user to an OU.
Brian White
Herb Martin

Brian White said:
How do you do this? I do not see any option in the right
click menus for adding a user to an OU. All I see is the
ability to move a user to an OU.
Brian White

Users can only reside in ONE OU (directly) at any particular time.

An OU is a CONTAINER -- if you are in one OU, you cannot be in
another, except in the sense that your OU might be a child of another
OU and then you in some sense contained in the larger, higher level
container.

A Group is NOT a container. A Group is a "list" (even though almost
all of us ask "Is Fred in the Engineers Group?" etc.). Technically we
should say (no one really does this), "Is he LISTED in that Group?" or "Is he a
member of that group?"

Just like groups in real life, you can be in MANY groups.

Groups are about GRANTING privilege (permissions or rights.)
OU's are about DELEGATING authority OR LINKING GROUP POLICY.
Both are about managing objects in the OU.
Brian White

So, if I wanted user 'John Doe' to be a part of the "xyz"
OU which has certain policies, that's fine. Then, I
want 'John Doe' to be a part of another OU (call it "yyy")
with certain policies specific to it ("xyz" OU does not
contain these policies), then I should add 'John Doe' to a
group ('ggg'), then place that group ('ggg') in OU "yyy"?
Do I have the idea Microsoft had in mind?
Brian
Enkidu

No. You do not get a policy from being part of a group, you get it
from being in an OU (or Domain, or Site). You only have one policy at
each level, Site, Domain, and OU. The site GPO is applied first, then
the Domain GPO, then the OU GPO. You have to ensure that *all* the
policies that you want apply to the OU that contains the user. A GPO can
apply to more than one OU.

Cheers,

Cliff
Cary Shultz [A.D. MVP]

Further to what Enkidu stated, you can link that GPO that is currently
applied to the 'YYY' OU to the OU in which John Doe resides. Now, naturally
this would possibly create a situation where all of the users in 'XYZ' OU
would receive the policies as well. Probably not what you want!

However, and here is where the idea of security groups comes into play, all
you need to do is create a global security group ( call it whatever makes
sense to you ), make John Doe's user account object a member of that
security group ( and anyone else that needs the GPO for that matter ) and on
the Security Tab of that GPO simply remove 'Authenticated Users' and replace
it with that 'John Doe' security group.

Now, this would cause another problem. The users in the 'YYY' OU would not
get it anymore. So, you might need to create another security group and
make all of the users in the 'YYY' OU a member of this security group.
Then, go to the Security Tab of that OU and add this security group. Do not
forget that you need to give each group both the "Read" and "Apply Group
Policy" rights....

HTH,

Cary
Herb Martin

So, if I wanted user 'John Doe' to be a part of the "xyz"
OU which has certain policies, that's fine. Then, I
want 'John Doe' to be a part of another OU (call it "yyy")
with certain policies specific to it ("xyz" OU does not
contain these policies), then I should add 'John Doe' to a
group ('ggg'), then place that group ('ggg') in OU "yyy"?
Do I have the idea Microsoft had in mind?

Nope. GPOs do not apply to Groups, only to users or computers (within
OUs, Domains, or Sites.)

The method recommended to achieve your apparent goal is the following:

Make a GPO that is to affect a subset of users; add users to group(s);
remove Everyone Read/Apply permission to GPO, and grant these
to ONLY those groups which should be affected. Now you can link
"higher" up in the hierarchy without affecting ALL users.

Note: This is NOT the best way -- generally you should make a strong
attempt to design your OU hierarchy so that policies that affect all users
below are linked to a parent OU, and subsets of users are divided into child
OUs as you go down.
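The security-filtering procedure that Cary Shultz and Herb Martin describe above (a global security group listing the affected users, Authenticated Users removed from the GPO, Read + Apply Group Policy granted to the group, the GPO linked higher up the hierarchy) can be scripted with the GroupPolicy and ActiveDirectory RSAT modules. The following is an added example, not code from the thread or from any of its posters. The domain example.com, the GPO name "YYY Policy", the OUs XYZ and YYY, the account jdoe and the group name GPO-YYY-Apply are all hypothetical. One caveat that post-dates the thread is folded in: since MS16-072 (June 2016) user-side policy is read in the computer's security context, so some computer principal must keep Read on the GPO after Authenticated Users is removed, or the policy silently stops applying.

```powershell
# Added example (not from the thread). Assumes: domain example.com, an existing
# GPO "YYY Policy" already linked to OU=YYY, jdoe living in OU=XYZ, and an
# OU=Groups for the filtering group. All names are hypothetical. Run with an
# account that can create groups and edit the GPO's security.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$GpoName    = 'YYY Policy'
$DomainDN   = 'DC=example,DC=com'
$GroupsOU   = "OU=Groups,$DomainDN"
$XyzOU      = "OU=XYZ,$DomainDN"
$YyyOU      = "OU=YYY,$DomainDN"
$ApplyGroup = 'GPO-YYY-Apply'

# 1. A global security group that "lists" exactly who should receive the GPO.
#    jdoe stays in his single OU (OU=XYZ); group membership is what opts him in.
if (-not (Get-ADGroup -Filter "Name -eq '$ApplyGroup'")) {
    New-ADGroup -Name $ApplyGroup -GroupScope Global -GroupCategory Security -Path $GroupsOU
}
Add-ADGroupMember -Identity $ApplyGroup -Members 'jdoe'

#    Cary's second point: the users already in OU=YYY would lose the GPO once
#    Authenticated Users is removed, so list them in the same group.
Get-ADUser -SearchBase $YyyOU -SearchScope OneLevel -Filter * |
    ForEach-Object { Add-ADGroupMember -Identity $ApplyGroup -Members $_ }

# 2. Security filtering on the GPO: strip Authenticated Users, then grant the
#    group GpoApply (which is Read + Apply Group Policy together).
Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' -TargetType Group -PermissionLevel None
Set-GPPermission -Name $GpoName -TargetName $ApplyGroup -TargetType Group -PermissionLevel GpoApply

#    Caveat post-dating the thread (MS16-072): computer accounts must still be
#    able to READ the GPO. GpoRead only, not GpoApply, so it is not applied to
#    every machine.
Set-GPPermission -Name $GpoName -TargetName 'Domain Computers' -TargetType Group -PermissionLevel GpoRead

# 3. Link the GPO "higher up" (here to OU=XYZ, where jdoe lives). Everyone in
#    that OU is in scope, but only members of the group pass the ACL filter.
$linked = (Get-GPInheritance -Target $XyzOU).GpoLinks.DisplayName -contains $GpoName
if (-not $linked) {
    New-GPLink -Name $GpoName -Target $XyzOU
}

# 4. Verify the resulting ACL: expect GPO-YYY-Apply = GpoApply,
#    Domain Computers = GpoRead, and no Authenticated Users entry.
Get-GPPermission -Name $GpoName -All |
    Select-Object @{ n = 'Trustee'; e = { $_.Trustee.Name } }, Permission

# On a workstation, confirm the filter did what was intended:
#   gpupdate /force ; gpresult /r /scope:user
# "YYY Policy" should appear under Applied Group Policy Objects for jdoe and
# under Denied GPOs (Security Filtering) for another OU=XYZ user.
```

Herb's closing note still stands: filtering by group ACL is the workaround for a user who must receive two OUs' worth of policy while living in one OU; the cleaner design is a parent/child OU layout where the broader policy links to the parent and the narrower one to a child.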