Solved

What am I missing when I apply a GPO at an organizational level that doesn't take effect?

Posted on 2004-10-20
Last Modified: 2012-06-27
Our PDC is a Win2K Server and I am using Active Directory.  I can apply GPOs to the Domain level successfully; however, when I apply a GPO at an organizational level it does not take effect.

First, I created an OU: Under Active Directory Users and Computers, and under Groups, I selected Action from the toolbar and then New and Organizational Unit.  The name of this OU is GIS.

To apply a GPO I right clicked on the OU GIS, selected Properties and then the Group Policy tab.  I then selected the New button and named our GPO NORun. I then double clicked the NoRun GPO and selected User Configuration/Administrative Templates/Start Menu & Taskbar/Remove Run Menu from Start Menu, where I selected Enable from the properties.

Next I selected the OU GIS and right clicked to select New and Group.  The name of this new Global Security Group is GISEMP.  The next step was to double click the GISEMP group and select the members tab.  Using the Add button I selected user names to add and clicked OK.

When I log in on the client, the policy has not taken effect. I used the GPResult.exe troubleshooting tool and the policy does not show as being implemented on the client.

Am I missing a step?
Question by:ttri

Expert Comment

by:What90
ID: 12364438
Hi ttri,

You need to put the users or computers in the GIS OU for the GPO to be applied to those objects. Group objects aren't affected by GPOs, despite the name of GPOs, which would make you think that's how it would work.

The reason GPOs are working at the Domain level is that they are being applied to the computer and user objects in your AD tree in any OU by default.

Hope that helps

Accepted Solution

by:
harleyjd earned 250 total points
ID: 12364773
Because the users are not in the OU you are trying to edit, you're not going to have any luck.

Either move the users or move the GPO. You can apply the GPO by group by changing the security on the object to prevent the GPO applying to everyone else.

from http://msdn.microsoft.com/library/default.asp?url=/library/en-us/policy/policy/filtering_the_scope_of_a_gpo.asp

There are different methods administrators can use to prevent a GPO policy from applying to a specific group (for example, to administrators). The easiest method is to remove (uncheck Allow) both the Read and Allow Group Policy ACEs for the group. Another method involves removing the Allow Group Policy ACE for Authenticated Users, and then explicitly granting the permission by checking Allow for the individual security groups that should receive the policy settings. You can also set the Allow Group Policy ACE to Deny for groups of users that do not require the policy.

Warning  Use the Deny ACE with caution. A Deny ACE setting for any group has precedence over any Allow ACE granted to a user or computer as a result of membership in another group. For more information about ACLs, DACLs and ACEs, see Access Control.
0
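The scoping rules discussed in this thread, as an added example that is not part of the original posts: a simplified Python model of when a GPO reaches a user (the link must cover the user object's location, and the user needs Read and Apply Group Policy without a Deny). The domain `example.local`, the users `alice`, `bob` and `carol`, and the `Contractors` group are constructed for illustration, and the DN parsing is deliberately naive.

```python
from dataclasses import dataclass, field

READ, APPLY = "Read", "Apply Group Policy"

@dataclass
class User:
    name: str
    dn: str                      # where the user object lives in the directory
    groups: frozenset = frozenset()

@dataclass
class Gpo:
    name: str
    linked_to: str               # DN of the domain or OU the GPO is linked to
    aces: list = field(default_factory=list)  # (trustee, permission, "Allow"|"Deny")

def default_aces():
    # A new GPO lets Authenticated Users read and apply it.
    return [("Authenticated Users", READ, "Allow"),
            ("Authenticated Users", APPLY, "Allow")]

def link_reaches(user, gpo):
    # The link covers a user only if the user OBJECT is in or below the container.
    parent = user.dn.split(",", 1)[1].lower()   # naive: ignores escaped commas
    target = gpo.linked_to.lower()
    return parent == target or parent.endswith("," + target)

def filter_allows(user, gpo):
    # Security filtering: both permissions must be allowed, and any Deny wins.
    trustees = set(user.groups) | {user.name, "Authenticated Users"}
    for perm in (READ, APPLY):
        kinds = {k for t, p, k in gpo.aces if p == perm and t in trustees}
        if "Deny" in kinds or "Allow" not in kinds:
            return False
    return True

def gpo_applies(user, gpo):
    return link_reaches(user, gpo) and filter_allows(user, gpo)

# Constructed sample directory
DOMAIN = "DC=example,DC=local"
GIS_OU = "OU=GIS," + DOMAIN
alice = User("alice", "CN=alice,CN=Users," + DOMAIN, frozenset({"GISEMP"}))
alice_moved = User("alice", "CN=alice," + GIS_OU, frozenset({"GISEMP"}))
bob = User("bob", "CN=bob,CN=Users," + DOMAIN)
carol = User("carol", "CN=carol,CN=Users," + DOMAIN, frozenset({"GISEMP", "Contractors"}))

norun_on_ou = Gpo("NoRun", GIS_OU, default_aces())        # the asker's setup
norun_filtered = Gpo("NoRun", DOMAIN, [("GISEMP", READ, "Allow"), ("GISEMP", APPLY, "Allow")])
norun_with_deny = Gpo("NoRun", DOMAIN, norun_filtered.aces + [("Contractors", APPLY, "Deny")])
```

`gpo_applies(alice, norun_on_ou)` is the situation in the question: the GISEMP group sits in the OU but the user object does not, so the link never reaches her.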
 

Expert Comment

by:Casca1
ID: 12366215
There is another way: simply add the group to the security tab of the GPO, and set the read and apply.
However, this circumvents the reason for using the OU, which is to make overall administration easier.
Good Luck

Expert Comment

by:harleyjd
ID: 12366256
Casca, that is part of what I posted; you just missed the important bit where it says to remove the "authenticated users" access.

Expert Comment

by:Casca1
ID: 12366296
Sorry, wasn't trying to overpost you! I swear it! 8-)
Lord knows I tend to skim...

Expert Comment

by:Casca1
ID: 12366312
And yes, I did skim your response; Had to re-read (skim) to see it... Silly me...
But, all I was after was to point out the OU  wasn't the only place it can be applied (obvious) and that the OU had a much broader capability, thus encouraging the best practice method. 8-)