What objects in an OU inherit Group Policies?

K

KJ

Can you add users to a group and then groups to an OU to
inherit whatever policies have been configured? I found
this article which says:

"In order to apply Group Polices to specific users or
computers, you add users (or groups) and computers to
container objects. Anything in the container object will
then get the policies linked to that container. Sites,
Domains and OUs are considered container objects."
http://www.svrops.com/svrops/documents/gpolicies.htm

I am trying to configure a login script at the OU level
but it will not run. Inside the OU are two nested OUs.
Beneath the nested OUs are global groups which contain
users. The only way the login script will run is if I
take the users out of the group and stick them directly
inside the OU. This does not make sense to me. If you
have 2000 users does that mean you have to stick them all
into an OU for the GPO to apply? Doesn't this defeat the
herarchy structure?
 
U

Ulf B. Simon-Weidner

Can you add users to a group and then groups to an OU to
inherit whatever policies have been configured? I found
this article which says:

"In order to apply Group Polices to specific users or
computers, you add users (or groups) and computers to
container objects. Anything in the container object will
then get the policies linked to that container. Sites,
Domains and OUs are considered container objects."
http://www.svrops.com/svrops/documents/gpolicies.htm

I am trying to configure a login script at the OU level
but it will not run. Inside the OU are two nested OUs.
Beneath the nested OUs are global groups which contain
users. The only way the login script will run is if I
take the users out of the group and stick them directly
inside the OU. This does not make sense to me. If you
have 2000 users does that mean you have to stick them all
into an OU for the GPO to apply? Doesn't this defeat the
herarchy structure?
Click to expand...
Hello KJ,

the behavior is correct and expected. Group Policies are only applied to users
and computers traversing the hierarchy of OUs from the Object. If you need to
apply GPOs to a Group you have to define the Policy at a level wich is parent
of all users, and use the Access Control List (Security Tab, Read and Apply
Policy) to adjust the rights as needed. Now the users of the group will get the
policy, while others won't.

Gruesse - Sincerely,

Ulf B. Simon-Weidner
 
C

Cary Shultz [A.D. MVP]

Vielen Dank, Ulf.

Cary

Ulf B. Simon-Weidner said:
Hello KJ,

the behavior is correct and expected. Group Policies are only applied to users
and computers traversing the hierarchy of OUs from the Object. If you need to
apply GPOs to a Group you have to define the Policy at a level wich is parent
of all users, and use the Access Control List (Security Tab, Read and Apply
Policy) to adjust the rights as needed. Now the users of the group will get the
policy, while others won't.

Gruesse - Sincerely,

Ulf B. Simon-Weidner
Click to expand...
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Similar Threads

AD OU and Security Group Structure 1
Multiple policies on single OU 3
OU Structure 6
Active Directory design 3
Creating user objects in different OU 7
Placement of computer objects in AD 3
CSVDE and LDIFDE 1
Applying Group Policies to OU 1

Top