What am I missing when I apply a GPO at an organizational unit level and it doesn't take effect?

Our PDC is a Win2K Server and I am using Active Directory.  I can apply GPOs at the Domain level successfully; however, when I apply a GPO at an organizational unit level it does not take effect.

First, I created an OU: Under Active Directory Users and Computers, and under Groups, I selected Action from the toolbar and then New and Organizational Unit.  The name of this OU is GIS.

To apply a GPO I right clicked on the OU GIS, selected Properties and then the Group Policy tab.  I then selected the New button and named our GPO NoRun. I then double clicked the NoRun GPO and selected User Configuration/Administrative Templates/Start Menu & Taskbar/Remove Run Menu from Start Menu, where I selected Enable from the properties.

Next I selected the OU GIS and right clicked to select New and Group.  The name of this new Global Security Group is GISEMP.  The next step was to double click the GISEMP group and select the members tab.  Using the Add button I selected user names to add and clicked OK.

When I log in on the client, the policy has not taken effect. I used the GPResult.exe troubleshooting tool, and the policy does not show as being implemented on the client.

Am I missing a step?
Asked by ttri
1 Solution
 
What90Commented:
Hi ttri,

You need to put the users or computers in the GIS OU for the GPO to be applied to those objects. Group objects aren't affected by GPOs, despite the name of GPOs, which would make you think that's how it would work.

The reason GPOs are working at the Domain level is that they are being applied to the computer and user objects in your AD tree in any OU by default.

Hope that helps
 
harleyjdCommented:
Because the users are not in the OU you are trying to edit, you're not going to have any luck.

Either move the users or move the GPO. You can apply the GPO by group by changing the security on the object to prevent the GPO applying to everyone else.

from http://msdn.microsoft.com/library/default.asp?url=/library/en-us/policy/policy/filtering_the_scope_of_a_gpo.asp

There are different methods administrators can use to prevent a GPO policy from applying to a specific group (for example, to administrators). The easiest method is to remove (uncheck Allow) both the Read and Allow Group Policy ACEs for the group. Another method involves removing the Allow Group Policy ACE for Authenticated Users, and then explicitly granting the permission by checking Allow for the individual security groups that should receive the policy settings. You can also set the Allow Group Policy ACE to Deny for groups of users that do not require the policy.

Warning  Use the Deny ACE with caution. A Deny ACE setting for any group has precedence over any Allow ACE granted to a user or computer as a result of membership in another group. For more information about ACLs, DACLs and ACEs, see Access Control.
 
Casca1Commented:
There is another way: simply add the group to the Security tab of the GPO, and set Read and Apply.
However, this circumvents the reason for using the OU, which is to make overall administration easier.
Good Luck
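An added PowerShell example (not code from the thread or from any of the posters) that turns the two answers above into checks and fixes: What90's point that only user and computer objects located under the OU receive an OU-linked GPO, and the security-filtering approach harleyjd and Casca1 describe. It assumes the GroupPolicy and ActiveDirectory modules on a current domain controller; the GPO, OU and group names come from the question, and the domain DN is a placeholder.

```powershell
# Added example, not from the original thread. Assumes the GroupPolicy and
# ActiveDirectory modules are available. The domain DN below is a placeholder.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$GpoName   = 'NoRun'                       # GPO name from the question
$OuDN      = 'OU=GIS,DC=example,DC=local'  # OU from the question; domain is a placeholder
$GroupName = 'GISEMP'                      # group from the question

# 1. Is the GPO actually linked to the OU, and is the link enabled?
$link = (Get-GPInheritance -Target $OuDN).GpoLinks | Where-Object DisplayName -eq $GpoName
if (-not $link)         { throw "GPO '$GpoName' is not linked to $OuDN" }
if (-not $link.Enabled) { throw "The link for '$GpoName' on $OuDN is disabled" }

# 2. What90's point: the link only reaches user/computer objects whose DN sits under
#    the OU. Group membership alone does nothing, so list members living elsewhere.
$members = Get-ADGroupMember -Identity $GroupName -Recursive |
           Where-Object objectClass -eq 'user'
$outside = $members | Where-Object { $_.distinguishedName -notlike "*,$OuDN" }
foreach ($u in $outside) {
    Write-Warning ("{0} is in {1} but lives at {2}; the OU-linked GPO cannot reach it" -f
                   $u.SamAccountName, $GroupName, $u.distinguishedName)
}
# Fix A (What90): move those users into the OU. Drop -WhatIf to actually move them.
# $outside | Move-ADObject -TargetPath $OuDN -WhatIf

# 3. Fix B (harleyjd / Casca1): security filtering on the GPO itself.
#    Leave Authenticated Users with Read only (removes Apply Group Policy), then grant
#    the GISEMP group Read + Apply. GpoApply already includes Read.
Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' -TargetType Group `
                 -PermissionLevel GpoRead -Replace
Set-GPPermission -Name $GpoName -TargetName $GroupName -TargetType Group `
                 -PermissionLevel GpoApply

# 4. Show the resulting ACL so the filtering can be verified before a gpupdate / gpresult.
Get-GPPermission -Name $GpoName -All | Select-Object Trustee, Permission
```

Keep Read for Authenticated Users rather than removing the group entirely: since MS16-072 the computer account reads user GPOs, so a GPO that Authenticated Users cannot read silently stops applying even to the users you filtered in.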
 
harleyjdCommented:
Casca, that is part of what I posted; you just missed the important bit where it says to remove the "authenticated users" access.
 
Casca1Commented:
Sorry, wasn't trying to overpost you! I swear it! 8-)
Lord knows I tend to skim...
 
Casca1Commented:
And yes, I did skim your response; I had to re-read (skim) to see it... Silly me...
But all I was after was to point out that the OU wasn't the only place it can be applied (obvious) and that the OU had a much broader capability, thus encouraging the best practice method. 8-)