TowsonStaff

Child OU Users Group

I would like to ask a follow-up question about group policy. I got a book on it, but I'm still trying to work out one thing.

On our domain, we have two folders that contain all the users. One is "Students"; the other is "Staff."

I have a child OU that controls a computer lab on campus. The child OU looks like:

VB100
----Computers
----Users

I have populated the computers container with all the computers in the lab, but I would like to apply user specific group policies as well.

My users folder is empty.

My question: Is there any way to populate the users folder of the child OU with the contents of the enterprise-level user folders that have every person's account in them?

If not, it seems we will be limited to computer policies only.
MaximumIQ

You can apply the policy anywhere you like and choose who it will affect within that container by limiting the scope in the policy's Scope tab. There you can simply place a normal AD group that includes your targeted users.
Mike Kline

"Is there any way to populate the users folder of the Child OU with the contents of the enterprise level user folders that has every person's account in it."

No, you would have to move the users to that OU if you want the users there. Users can only be in one location in the directory structure.

Thanks

Mike
It sounds like what you want is Group Policy loopback processing.

This causes policy to apply to a user based on the location of the computer object alone. It is very useful for cases such as this where users aren't in the same OU as the computers - lab or student machines, public/kiosk machines, Terminal Servers, etc. are typical candidates.

Loopback Processing is enabled in the Computer section of group policy; navigate to Administrative Templates / Group Policy, and there you will find an item named "User Group Policy loopback processing mode".

When you enable it, there are two settings: merge and replace. "Merge" means that user settings defined at the Computer location are applied on top of (and take precedence over in case of conflict) the user settings defined at the User location, as is normally the case. "Replace" means that only user settings defined at the Computer location are applied.

This Microsoft article explains it fairly well: http://support.microsoft.com/kb/231287

Also the built-in explanations in Group Policy editor tend to be pretty decent.
Darren also has a great blog on loopback: http://sdmsoftware.com/blog/2009/01/06/please-explain-loopback-processing/

...be careful though.  Loopback is generally used for kiosk/terminal server boxes, not on normal user machines.

Thanks

Mike
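
The loopback setup described in the answers above, scripted with the GroupPolicy PowerShell module as an added example (not posted by anyone in this thread). The GPO name and the domain part of the OU path are placeholders; `UserPolicyMode` (1 = merge, 2 = replace) is the registry value behind the "User Group Policy loopback processing mode" setting.

```powershell
#Requires -Modules GroupPolicy
# Added example. GPO name and OU distinguished name are placeholders (assumptions).
param(
    [string]$GpoName  = 'VB100 Lab - User Loopback',
    [string]$TargetOu = 'OU=Computers,OU=VB100,DC=example,DC=edu',
    [ValidateSet('Merge', 'Replace')]
    [string]$Mode     = 'Replace'
)
$ErrorActionPreference = 'Stop'

# Registry-backed form of "User Group Policy loopback processing mode":
# UserPolicyMode 1 = Merge, 2 = Replace (Computer Configuration side of the GPO).
$key       = 'HKLM\Software\Policies\Microsoft\Windows\System'
$modeValue = @{ Merge = 1; Replace = 2 }[$Mode]

# Reuse the GPO if it already exists so the script can be re-run safely.
$gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $GpoName -Comment 'Lab user settings applied through loopback'
}

Set-GPRegistryValue -Guid $gpo.Id -Key $key -ValueName 'UserPolicyMode' `
    -Type DWord -Value $modeValue | Out-Null

# Link to the OU holding the lab computer objects; loopback keys off the
# computer's location, so the user accounts stay in Students/Staff.
$links = (Get-GPInheritance -Target $TargetOu).GpoLinks
if ($links.GpoId -notcontains $gpo.Id) {
    New-GPLink -Guid $gpo.Id -Target $TargetOu -LinkEnabled Yes | Out-Null
}

# Read the setting back and list who the GPO is filtered to (Scope tab equivalent).
$set = Get-GPRegistryValue -Guid $gpo.Id -Key $key -ValueName 'UserPolicyMode'
[pscustomobject]@{
    Gpo      = $gpo.DisplayName
    LinkedTo = $TargetOu
    Loopback = "$Mode ($($set.Value))"
}
Get-GPPermission -Guid $gpo.Id -All |
    Select-Object @{ n = 'Trustee'; e = { $_.Trustee.Name } }, Permission
```

The script only turns loopback on and links the GPO; the user restrictions for the lab still have to be defined under User Configuration in that same GPO.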
TowsonStaff

ASKER

Yes, loop back sounds exactly like what I need. I will def check it out tomorrow but I think it's what I need.

Now should I put the GP in the Lab OU or the computer OU?

Or just link the user GPOs to where your users currently are.
ASKER CERTIFIED SOLUTION
Anton74
I believe I answered the question by suggesting loopback processing in post #35445511.

-Anton