bluespringsit
asked on
group policy for multiple groups
I have a user that is a member of two different user groups. How do I get two different group policies from two different OU's to apply to her.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
GPO's apply to user objects, not to groups.
every GPO that you need to apply to a user needs to be set above that user.
the only alternative to this is if you have specific machines where you want these users to have different settings
based on your requirements, it sounds like you have GPO's that apply to certain groups (not users)
apply all GPO's at the top level of the domain, and then restrict the ability to apply that GPO to the appropriate group
Then everyone part of that group (no matter what ou they are in) will apply the policy, and all users that are not in that group will not apply it.
P.S. I highly recommend GPMC for policy management. Very helpful additions to the interface
every GPO that you need to apply to a user needs to be set above that user.
the only alternative to this is if you have specific machines where you want these users to have different settings
based on your requirements, it sounds like you have GPO's that apply to certain groups (not users)
apply all GPO's at the top level of the domain, and then restrict the ability to apply that GPO to the appropriate group
Then everyone part of that group (no matter what ou they are in) will apply the policy, and all users that are not in that group will not apply it.
P.S. I highly recommend GPMC for policy management. Very helpful additions to the interface
The group policies can only be applied to the OU or container that the user resides in. You can't apply GPO's to groups. Her group memberships should not effect what policies are applied to the Container or OU where her user account resides.
What policy wise does she need that is different in the 2 policies. The easiest solution to this may be to just move her User object to the OU that has a less restrictive policy.
What policy wise does she need that is different in the 2 policies. The easiest solution to this may be to just move her User object to the OU that has a less restrictive policy.
I believe it can be done with Nesting.
You can only assign GPOs to OUs and Sub OUs only. If the user is in one group under one OU, then create another group and add the user to that group and have that group be nested in the appropriate group in the other OU. I know you can do this across domains (so it should work across OUs).
You can only assign GPOs to OUs and Sub OUs only. If the user is in one group under one OU, then create another group and add the user to that group and have that group be nested in the appropriate group in the other OU. I know you can do this across domains (so it should work across OUs).
were you able to try applying the policies with security filtering bluespringsit?
do you need more info on this?
do you need more info on this?
ASKER
Sorry it took so long to get back. I understand now how to nest the OU's to utilize the security settings, but I still have an issue. I am organizing active directory into OUs named after the departments. This particular lady is actually part of two departments, so she will need two different departmental drives mapped. What would you do in this case? I also have a set of internet explorer favorites that are set for one of the departments. Since you can only put a user object in one OU, and if those OU's are not nested, what would you do?
(summary of comments above)
create a group for each department
create a GPO for each department
set each GPO to only apply to members of the department group
apply all GPO's at the top level of the domain
only GPO's where the user is part of the appropriate group will apply
create a group for each department
create a GPO for each department
set each GPO to only apply to members of the department group
apply all GPO's at the top level of the domain
only GPO's where the user is part of the appropriate group will apply
ASKER