
Child OU Users Group

TowsonStaff asked
Last Modified: 2012-05-11
I would like to ask a follow up question about group policy. I got a book on it, but I'm still trying to work out one thing.

On our domain, we have two folders that contain all the users. One is "Students" the other is "Staff."

I have a child OU that controls a computer lab on campus. The child OU looks like:

VB100
----Computers
----Users

I have populated the computers container with all the computers in the lab, but I would like to apply user specific group policies as well.

My users folder is empty.

My question: Is there any way to populate the users folder of the Child OU with the contents of the enterprise level user folders that has every person's account in it?

If not, it seems we will be limited to computer policies only.

You can apply the policy anywhere you like and choose who it will affect within that container by limiting the scope in the policy's Scope tab. There you can simply place a normal AD group that includes your targeted users.
CERTIFIED EXPERT
Top Expert 2013

Commented:
"Is there any way to populate the users folder of the Child OU with the contents of the enterprise level user folders that has every person's account in it."

No, you would have to move the users to that OU if you want the users there. Users can only be in one location in the directory structure.

Thanks

Mike

Commented:
It sounds like what you want is Group Policy loopback processing.

This causes policy to apply to a user based on the location of the computer object alone. It is very useful for cases such as this where users aren't in the same OU as the computers - lab or student machines, public/kiosk machines, Terminal Servers, etc. are typical candidates.

Loopback Processing is enabled in the Computer section of group policy; navigate to Administrative Templates / Group Policy, and there you will find an item named "User Group Policy loopback processing mode".

When you enable it, there are 2 settings: merge and replace. "Merge" means that user settings defined at the Computer location are applied on top of (and take precedence over in case of conflict) the user settings defined at the User location like normally is the case. "Replace" means that only user settings defined at the Computer location are applied.

This Microsoft article explains it fairly well: http://support.microsoft.com/kb/231287

Also the built-in explanations in Group Policy editor tend to be pretty decent.
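
One way to script the loopback setting described in the answer above, as an added example that is not part of the original thread. The GPO name and the OU distinguished name are placeholders, and the script assumes the RSAT GroupPolicy module on a domain-joined admin workstation:

```powershell
# Added example: enable "User Group Policy loopback processing mode" in a GPO
# and link it to the OU that holds the lab's computer objects.
# $gpoName and $labOu are hypothetical placeholders; substitute your own values.
Import-Module GroupPolicy

$gpoName = 'VB100 Lab - Loopback'                      # hypothetical GPO name
$labOu   = 'OU=Computers,OU=VB100,DC=example,DC=edu'   # assumed DN of the lab computers OU

# Registry-backed policy value behind the loopback setting:
#   UserPolicyMode = 1 -> Merge, 2 -> Replace
$key  = 'HKLM\Software\Policies\Microsoft\Windows\System'
$mode = 2   # Replace: only user settings from GPOs that apply to the computer are used

# Create the GPO only if it does not exist yet, so the script can be re-run safely.
$gpo = Get-GPO -Name $gpoName -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $gpoName -Comment 'Loopback processing for lab machines'
}

# Loopback is a Computer Configuration setting, so it lives under HKLM.
Set-GPRegistryValue -Name $gpoName -Key $key -ValueName 'UserPolicyMode' `
    -Type DWord -Value $mode | Out-Null

# Link the GPO to the computers OU unless a link is already present.
$existing = (Get-GPInheritance -Target $labOu).GpoLinks |
    Where-Object { $_.DisplayName -eq $gpoName }
if (-not $existing) {
    New-GPLink -Name $gpoName -Target $labOu -LinkEnabled Yes | Out-Null
}

# Read the value back and fail loudly if it is not what was requested.
$actual = (Get-GPRegistryValue -Name $gpoName -Key $key -ValueName 'UserPolicyMode').Value
if ($actual -ne $mode) {
    throw "UserPolicyMode is $actual, expected $mode"
}

$label = if ($actual -eq 1) { 'Merge' } else { 'Replace' }
Write-Output "Loopback ($label) set in '$gpoName' and linked to $labOu"

# On a lab client, after 'gpupdate /force' and a fresh logon,
# 'gpresult /r /scope user' lists which user GPOs were actually applied.
```

User Configuration settings placed in this GPO, or in any other GPO linked to the same computers OU, then apply to whoever logs on to the lab machines, wherever their account sits in the directory.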
CERTIFIED EXPERT
Top Expert 2013

Commented:
Darren also has a great blog on loopback: http://sdmsoftware.com/blog/2009/01/06/please-explain-loopback-processing/

...be careful though. Loopback is generally used for kiosk/terminal server boxes, not on normal user machines.

Thanks

Mike

Author

Commented:
Yes, loop back sounds exactly like what I need. I will def check it out tomorrow but I think it's what I need.

Now should I put the GP in the Lab OU or the computer OU?

CERTIFIED EXPERT
Top Expert 2013

Commented:
Or just link the user GPOs to where your users currently are.

Commented:
I believe I answered the question by suggesting loopback processing in post #35445511.

-Anton