I want to set up a GPO for our users and a GPO for the administration on the network... meaning the managers of all the departments.
Now, on my test server that I play around on, in AD I created 2 new OUs: Office Users and Administration.
In Group Policy editor, I made a GPO and named it Office Users. I set all their restrictions and enforced the policy for that group.
Staying in Group Policy editor, I made another GPO and named it Administration, and I just left it alone; I didn't change any options.
I make a test user, john, and by habit I put him in the normal AD Users folder. When I take him from the Users folder and move him to the Office Users folder, I get a pop-up that states something along the lines of... it can damage the account if moved from the Users folder... I am sure you guys know the pop-up I am talking about.
Once I move john over to the Office Users OU, I log in on my workstation that is already connected to the domain, and all of the restrictions are in effect. I was not surprised; this is what the GPO is for. I logged my user out, moved him from the Office Users OU to the Administration OU, and when I logged back in as john on the desktop workstation, the restrictions were gone and he had access to everything.
So, everything I did seemed to work just fine.
Here is my question...
Is there a better way to do what I am doing?
My only problem is that if I want to change a setting for that user, I would have to move them from one OU to the other.
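
The setup described in this post, scripted as an added example (not part of the original post) with the ActiveDirectory and GroupPolicy PowerShell modules, followed by a check of which GPO links apply to the user's current OU. The domain DN is a placeholder assumption, and the script assumes a fresh test domain where the two OUs and GPOs do not exist yet and the user john has already been created.

```powershell
# Added example. Run on a test domain controller or a machine with RSAT.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domainDn = 'DC=test,DC=example'   # placeholder: your test domain's DN (assumption)
$userName = 'john'                 # test user from the post

# One OU and one same-named GPO per group. Only the Office Users link is
# enforced, matching the post. The restrictions themselves are still set
# in the Group Policy editor; this only creates and links the objects.
$layout = @(
    @{ Name = 'Office Users';   Enforced = 'Yes' },
    @{ Name = 'Administration'; Enforced = 'No'  }
)

foreach ($item in $layout) {
    $ouDn = "OU=$($item.Name),$domainDn"
    New-ADOrganizationalUnit -Name $item.Name -Path $domainDn
    New-GPO -Name $item.Name | Out-Null
    New-GPLink -Name $item.Name -Target $ouDn -LinkEnabled Yes -Enforced $item.Enforced | Out-Null
}

# Move the user into an OU and list every GPO link that reaches that OU,
# including links inherited from the domain root.
function Move-UserAndShowPolicy {
    param([string]$OuName)

    $ouDn = "OU=$OuName,$domainDn"
    Get-ADUser -Identity $userName | Move-ADObject -TargetPath $ouDn

    # Confirm where the account now lives.
    (Get-ADUser -Identity $userName).DistinguishedName

    # Links in effect for objects in this OU, in processing order.
    (Get-GPInheritance -Target $ouDn).InheritedGpoLinks |
        Select-Object Order, DisplayName, Enabled, Enforced
}

Move-UserAndShowPolicy -OuName 'Office Users'
Move-UserAndShowPolicy -OuName 'Administration'

# After the user logs on again at the workstation, the applied user policies
# can be confirmed there with:  gpresult /r /scope user
```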