Solved

OU Policy

Posted on 2004-10-13
Last Modified: 2010-04-10
Hi guys,

How does this work? We create an OU and add computers to this OU, but the policies linked to this OU are not being applied to the computers... why not?
We always have to create a group and add this computer to the group before the GPO applies... any idea?

Thanks
0
Question by:agbor1960
17 Comments
 
LVL 1

Expert Comment

by:dagger3d
ID: 12297646
Check your Default Domain policy for inheritance settings. It may be taking over anything below that.
0
 

Author Comment

by:agbor1960
ID: 12297687
So if I create a computer in this OU, why do I have to add this computer to a group again?

Thanks
0
 
LVL 3

Expert Comment

by:_Jochen_
ID: 12297709
I think that is normal behavior. You always need a container object where you can put in an object like a computer. The OU is not a container, is it?
jo
0

 

Author Comment

by:agbor1960
ID: 12297757
OK, so I can't just create an object like a computer or user in an OU and link the GPOs to this OU?

Thanks
0
 
LVL 3

Expert Comment

by:_Jochen_
ID: 12302256
Yes, I think so.
It's always the best strategy to create folders and put the different objects (computers, users, printers, ...) into the folders.
jo
0
 
LVL 2

Expert Comment

by:wjc7662
ID: 12305119
Your computer can be located in an OU without group attachment.  Actually, Group Policy Objects linked to any container will not apply to security or distribution groups located under that container.  Since you are attempting to apply the GPO specifically to a computer, you need to make sure that the computer object has sufficient permissions to read AND apply that GPO.  Those permissions are applied on the security tab of the GPO.
I believe your problem is that GPOs typically apply to User objects that already have permissions assigned.  Then when the user logs onto a specific computer, the computer configuration is applied to the computer.
0
 

Author Comment

by:agbor1960
ID: 12305622
So, I could apply the GPOs to the OU... but I right-click the OU, then Properties, then choose the GPO and then take Properties... or how do I give the Apply and Read permissions to all the computers in this OU?

That's my point... is it not to create a group and add each computer to that group?

Thanks
0
 
LVL 2

Expert Comment

by:wjc7662
ID: 12307736
By default, all computers that are members of the domain are added to the Domain Computers group.  You can use this group in your Access Control List instead of typing each computer in individually.  Since the GPO only applies to objects below it, the fact that you give Read and Apply permissions to all Domain Computers is not an issue.
0
 

Author Comment

by:agbor1960
ID: 12308072
I know that; besides, all the computers are not supposed to have the same GPO... and I also think that if you have created an OU with a couple of computers, you must create the GPO and the GPO group to be able to filter the GPO... I just want to know if it is like this, or if I can create an OU and link a GPO to that OU and do nothing more, meaning that all computers in that OU should get the GPO without groups.
Thanks
0
 
LVL 2

Expert Comment

by:wjc7662
ID: 12309149
Yes, a computer in a specific OU should automatically receive policies that are linked to its OU.
0
 

Author Comment

by:agbor1960
ID: 12309429
But in my case it's not like that... I created an OU and then created computers in it, then created a couple of GPOs and linked them to the OU, but it always applies to the Authenticated Users, and I have only computers in this OU... does it mean the only possibility I have is to create a group and populate it with computers?

Thanks
0
 
LVL 2

Expert Comment

by:wjc7662
ID: 12309557
Well, you wouldn't have to create a group, you can just use the Domain Computers group.  This won't make the policy apply to the entire group, it will just allow domain computers that are in the OU to read & apply.  It appears, at least in Server 03, that the only computers with any permissions to GPOs are Enterprise Domain Controllers.
If I'm not answering your question, I apologize.  I guess I'm not fully understanding.
0
 

Author Comment

by:agbor1960
ID: 12309632
I think you are answering well though... so this means I create a policy, link it to an OU and then just use the Domain Computers group, I mean assign them Read and Apply? If that's what you meant...
Could you please give a link to this explanation? Maybe Microsoft...
So how about if I don't want all the computers in this OU to get the all GPO?

Thanks
0
 
LVL 2

Accepted Solution

by:
wjc7662 earned 1000 total points
ID: 12309823
If you don't want all the computers in the OU to get the GPO you can either create a group with the computers you don't want to receive the policy and then Deny them Apply permissions or you could create a sub-OU and tell it to Block Policy Inheritance.
Try this link regarding GPO Properties, including filtering:  http://support.microsoft.com/default.aspx?scid=kb;en-us;322176#3
0
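
An added example, not part of the original thread: a read-only audit of the security filtering discussed above, listing every GPO that reaches an OU together with the trustees that hold Read + Apply on it. It assumes the GroupPolicy PowerShell module (GPMC/RSAT on newer Windows versions than the Server 2003 system discussed here); the function name and the OU distinguished name are hypothetical placeholders.

```powershell
# Added example: audits GPO links and security filtering for one OU. Makes no changes.
Import-Module GroupPolicy

function Get-OuGpoApplyReport {
    param(
        # Distinguished name of the OU that holds the computer accounts
        [Parameter(Mandatory)][string]$OuDn
    )

    # Links that reach this OU, inherited ones included, in precedence order
    $som = Get-GPInheritance -Target $OuDn

    foreach ($link in $som.InheritedGpoLinks) {
        $gpo   = Get-GPO -Guid $link.GpoId
        $perms = Get-GPPermission -Guid $link.GpoId -All

        # Trustees with "Read" + "Apply group policy": the security filter.
        # A computer must be one of these (directly or through a group such as
        # Domain Computers or Authenticated Users) for the GPO to apply to it.
        $apply = $perms | Where-Object { $_.Permission -eq 'GpoApply' } |
                 ForEach-Object { $_.Trustee.Name }

        # Entries flagged as Deny, e.g. a group excluded from the policy
        $deny  = $perms | Where-Object { $_.Denied } |
                 ForEach-Object { $_.Trustee.Name }

        [pscustomobject]@{
            Gpo                 = $link.DisplayName
            LinkedAt            = $link.Target
            LinkEnabled         = $link.Enabled
            Enforced            = $link.Enforced
            GpoStatus           = $gpo.GpoStatus   # e.g. ComputerSettingsDisabled
            ApplyTrustees       = $apply -join '; '
            DenyTrustees        = $deny  -join '; '
            OuBlocksInheritance = $som.GpoInheritanceBlocked
        }
    }
}

# Placeholder OU; replace with the real distinguished name.
Get-OuGpoApplyReport -OuDn 'OU=Workstations,DC=example,DC=com' | Format-List
```

A GPO whose ApplyTrustees column contains no group that the computer account belongs to, or whose GpoStatus disables computer settings, will not apply to computers in the OU; running `gpresult /r /scope computer` on an affected machine shows which GPOs were applied and which were filtered out.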
 

Author Comment

by:agbor1960
ID: 12309916
OK, I will check that out and then I will get back to you... thanks a lot for the quick responses...

Cheers for now,
0
