What am I missing when I apply a GPO at an organizational level that doesn't take effect?

Our PDC is a Win2K Server and I am using Active Directory. I can apply GPOs to the Domain level successfully; however, when I apply a GPO at an organizational level it does not take effect.

First, I created an OU: Under Active Directory Users and Computers, and under Groups, I selected Action from the toolbar and then New and Organizational Unit.  The name of this OU is GIS.

To apply a GPO I right-clicked on the OU GIS, selected Properties and then the Group Policy tab. I then selected the New button and named our GPO NORun. I then double-clicked the NoRun GPO and selected User Configuration/Administrative Templates/Start Menu & Taskbar/Remove Run Menu from Start Menu, where I selected Enable from the properties.

Next I selected the OU GIS and right-clicked to select New and Group. The name of this new Global Security Group is GISEMP. The next step was to double-click the GISEMP group and select the Members tab. Using the Add button I selected user names to add and clicked OK.

When I log in on the client, the policy has not taken effect. I used the GPResult.exe troubleshooting tool and the policy does not show as being implemented on the client.

Am I missing a step?
ttri Asked:
harleyjd Commented:
Because the users are not in the OU you are trying to edit, you're not going to have any luck.

Either move the users or move the GPO. You can apply the GPO by group by changing the security on the object to prevent the GPO applying to everyone else.

from http://msdn.microsoft.com/library/default.asp?url=/library/en-us/policy/policy/filtering_the_scope_of_a_gpo.asp

There are different methods administrators can use to prevent a GPO policy from applying to a specific group (for example, to administrators). The easiest method is to remove (uncheck Allow) both the Read and Allow Group Policy ACEs for the group. Another method involves removing the Allow Group Policy ACE for Authenticated Users, and then explicitly granting the permission by checking Allow for the individual security groups that should receive the policy settings. You can also set the Allow Group Policy ACE to Deny for groups of users that do not require the policy.

Warning  Use the Deny ACE with caution. A Deny ACE setting for any group has precedence over any Allow ACE granted to a user or computer as a result of membership in another group. For more information about ACLs, DACLs and ACEs, see Access Control.
What90 Commented:
Hi ttri,

You need to put the users or computers in the GIS OU for the GPO to be applied to those objects. Group objects aren't affected by GPOs, despite the name of GPOs, which would make you think that's how it would work.

The reason GPOs are working on the Domain level is that they are being applied to the computer and user objects in your AD tree in any OU by default.

Hope that helps
Casca1 Commented:
There is another way: simply add the group to the security tab of the GPO, and set the read and apply.
However, this circumvents the reason for using the OU, which is to make overall administration easier.
Good Luck
harleyjd Commented:
Casca, that is part of what I posted; you just missed the important bit where it says to remove the "authenticated users" access.
Casca1 Commented:
Sorry, wasn't trying to overpost you! I swear it! 8-)
Lord knows I tend to skim...
Casca1 Commented:
And yes, I did skim your response; had to re-read (skim) to see it... Silly me...
But all I was after was to point out the OU wasn't the only place it can be applied (obvious) and that the OU had a much broader capability, thus encouraging the best practice method. 8-)
Question has a verified solution.
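
The scoping rules discussed in this thread, as a small model (an added example, not code from any poster or from Microsoft): a user GPO applies only when the user object itself sits under a linked container and the user's groups hold Allow for both Read and Apply Group Policy with no matching Deny. The domain `example.local`, the users and the `Admins` group are constructed sample data; link order, Block Inheritance and No Override are not modelled.

```python
from dataclasses import dataclass, field

READ, APPLY = "Read", "Apply Group Policy"
DOMAIN = "DC=example,DC=local"          # constructed sample domain
GIS_OU = "OU=GIS," + DOMAIN

@dataclass
class User:
    dn: str                              # where the user object itself lives
    groups: set = field(default_factory=set)

@dataclass
class GPO:
    name: str
    links: list                          # container DNs the GPO is linked to
    acl: list                            # (trustee, right, "Allow" | "Deny")

def in_link_scope(user, gpo):
    """True only if the user object sits at or below a linked container."""
    # Simple split: assumes no escaped commas in the leading RDN.
    parent = user.dn.split(",", 1)[1].lower()
    return any(parent == l.lower() or parent.endswith("," + l.lower())
               for l in gpo.links)

def passes_filter(user, gpo):
    """Needs Allow for both Read and Apply; any matching Deny wins."""
    trustees = user.groups | {"Authenticated Users"}
    for right in (READ, APPLY):
        hits = [kind for who, r, kind in gpo.acl if who in trustees and r == right]
        if "Deny" in hits or "Allow" not in hits:
            return False
    return True

def gpo_applies(user, gpo):
    return in_link_scope(user, gpo) and passes_filter(user, gpo)

DEFAULT_ACL = [("Authenticated Users", READ, "Allow"),
               ("Authenticated Users", APPLY, "Allow")]
FILTERED_ACL = [("GISEMP", READ, "Allow"), ("GISEMP", APPLY, "Allow")]

# The asker's setup: the group GISEMP lives in OU=GIS, its members do not.
alice = User("CN=alice,CN=Users," + DOMAIN, {"GISEMP"})
alice_moved = User("CN=alice," + GIS_OU, {"GISEMP"})
bob = User("CN=bob,CN=Users," + DOMAIN)
carol = User("CN=carol,CN=Users," + DOMAIN, {"GISEMP", "Admins"})

ou_linked = GPO("NoRun", [GIS_OU], DEFAULT_ACL)
domain_filtered = GPO("NoRun", [DOMAIN], FILTERED_ACL)
deny_added = GPO("NoRun", [DOMAIN], FILTERED_ACL + [("Admins", APPLY, "Deny")])
```

`gpo_applies(alice, ou_linked)` is false for the original setup and becomes true once the user object is moved into the OU (`alice_moved`) or the GPO is linked at the domain and filtered to GISEMP (`domain_filtered`).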