Using Groups in OU's

[Pat]

I have a OU under my domain called new ou. I put existing user groups
in the ou to pick up that ou's policy. the users who are in those
groups did not pick up any changes. I moved the user in the ou and the
policies were picked up. Am I not able to use user global groups under
ou's to assign gpo's?

 

[Pat]

Pat,

Steve is absolutely correct. Here is a little bit more
detail:

You can apply Group Policy at four levels: local, Site,
Domain and OU ( then sub-OU, sub-sub-OU, etc. ). In
addition, the order in which I listed the four is
the "pecking order". Meaning, if there is a Policy set at
the Domain level and it conflicts with a Policy set at the
OU level the OU level wins.

Let's take a look at the OU level since this is where most
of the work will be done!

You need to put the objects that you want affected by the
policy in the OU. By objects I mean user accounts and
computer accounts. PERIOD!

Now, when applying the Policy you can use Security Groups
to filter who is truly affected. You see, by default, the
group "Authenticated Users" is given Read and Apply Policy
permissions. Authenticated Users entails exactly that:
all authenticated users ( yep! even the Administrator
account ). You can simply remove that group and "replace"
it with any security group or user that you choose (
remember, though, that it is generally much better do use
groups ). So, instead of having "Authenticated Users" you
could, for example, have "No Internet Access" group.

Also, remember that there are two Default Policies: the
Default Domain Controllers Policy and the Default Domain
Policy. It is generally a really good idea to stay away
from those two policies. Anytime you wnat to do something
simply create a new one. You can, over time, "combine"
several policies into one.

Also, remember, if you are going to install software via
GPO that you can ASSIGN software to both the user
configuration as well as computer configuration but that
you can only PUBLISH software to the user configuration.
Also, do not forget about the ADVANCED option ( which is
useful if you ever want to use .mst files ).

I hope that this clarifies things for you.

Cary

ok, I have a OU under my domain, with usera, userb and userc. then in
the secruity tab of the policy I take out the authenticated users and
put in another group called gpo users. what is dictating who gets the
policy applied? the users being in the ou or the users being in the
group called gpo users?

 

[Cary Shultz]

-----Original Message-----


ok, I have a OU under my domain, with usera, userb and userc. then in
the secruity tab of the policy I take out the authenticated users and
put in another group called gpo users. what is dictating who gets the
policy applied? the users being in the ou or the users being in the
group called gpo users?
.

Pat,

The answer is BOTH! Well, remember, if they user accounts
are not in the OU to which the GPO is applied they will
not be affected by it ( meaning, it will not be applied to
them ). This is FIRST AND FOREMOST. Now, because you
have removed the "Authenticated Users" from the security
of that GPO and replaced it with "GPO Users" - and applied
both read and apply policy permissions - the users who are
a member of the Sercurity Group "GPO Users" will get it.
However, please remember that if the users are not in the
OU to which the Policy is initially applied ( or latter
linked ) they will not be affected by it.

Does this make sense?

cary

 

[Cary Shultz]

-----Original Message-----


Total Sense, a very good detailed answer.
now I want my new users to automatically be added to the gpo group
when created, is there a way to do this?
Pat
.

Sure,

Create a "template" user account, make it a member of all
the groups that are appropriate and simply use that as it
applies. If you need to create multiple "template" user
accounts do so.

And I need to correct myself. I mistakenly called "read"
and "apply group policy" PERMISSIONS. They are actually
rights. I was just not thinking properly.

Cary

 

[Pat]

Sure,

Create a "template" user account, make it a member of all
the groups that are appropriate and simply use that as it
applies. If you need to create multiple "template" user
accounts do so.

And I need to correct myself. I mistakenly called "read"
and "apply group policy" PERMISSIONS. They are actually
rights. I was just not thinking properly.

Cary

thanks again for the fast response,
Pat.

 

[Pat]

thanks again for the fast response,
Pat.

Cary,
we are not picking up the computer policies from the default domain
policy. If I put a computer in the group we used to replace the
authenticated users. it picks up the computer policies. So my question
is what group can I use so all computers are picking up the computer
policy? can I use the system group or create a new one and put all
computers into it?

 

[Cary Shultz]

-----Original Message-----

Cary,
we are not picking up the computer policies from the default domain
policy. If I put a computer in the group we used to replace the
authenticated users. it picks up the computer policies. So my question
is what group can I use so all computers are picking up the computer
policy? can I use the system group or create a new one and put all
computers into it?
.

Exactly! If you get rid of the Authenticated Users then
you need to replace it with some Security Group. BTW - I
would not necessarily mess with the Default Domain
Policy. Typically the one thing that you
could/would/should change would be the password policy.
Probably best to create a second/third/fourth policy and
apply that/those ( again, possibly using Security Groups
to filter ) for any domain-wide Policies.

HTH,

Cary