?
Solved

Assign Group Policy to a Group

Posted on 2011-09-21
20
Medium Priority
?
328 Views
Last Modified: 2012-05-12
So I am running a script on certain computers in the agency and I don't want to move all of them from the Users Folder to a different OU (Test_Deploy) with a modified GPO (basically the OnLogon portion).

So instead of moving all of the users from the Users folder to the TestGPO OU I tried to create a group called TempDeploy.  I added the users I wanted to the TempDeploy group and then added the TempDeploy group to TestGPO.  However, the script did not run.  

The script only ran if I took the Users from the User Folder and added them to the OU TestGPO.  

Is there a way I can apply a GPO to a group within an OU?

Thanks,
JOe K.
0
Comment
Question by:ClaudeWalker
  • 7
  • 7
  • 3
  • +1
20 Comments
 
LVL 57

Expert Comment

by:Mike Kline
ID: 36576091
Are you talking about the the deafult Users container or do you have an OU for users.  The problem with the users container is that you can't link a GPO to a container.

You can link a GPO to an OU (right click on the OU in GPMC and link the GPO).  

Thanks

Mike
0
 

Expert Comment

by:pravin3000a
ID: 36576128
if all these users are member of a container assign the policy to that container,and then filter the policy only for the perticular group thats how the policy will run only for the group and not for others.
0
 
LVL 57

Expert Comment

by:Mike Kline
ID: 36576135
You can't link a policy to a container.
0
Concerto Cloud for Software Providers & ISVs

Can Concerto Cloud Services help you focus on evolving your application offerings, while delivering the best cloud experience to your customers? From DevOps to revenue models and customer support, the answer is yes!

Learn how Concerto can help you.

 

Author Comment

by:ClaudeWalker
ID: 36576558
Is a group a container?

In the picture the script will run on Becky, Steve and Rebecca but not the members of TestGroup.

 Groups
0
 
LVL 37

Accepted Solution

by:
Neil Russell earned 2000 total points
ID: 36576564
If your AD structure is as unorganised as it sounds....

Link the policy to the domain root and then remove Authenticated users and add Just the Group in the security filtering. That way it wont matter where your users are in terms of OU's

This is using JUST the USERS section of the policy yes?
0
 
LVL 37

Expert Comment

by:Neil Russell
ID: 36576576
Oh i see!
No that wont work

Follow what I said above and it will. You add TestGroup as the group named in the policy filtering section.
0
 
LVL 57

Expert Comment

by:Mike Kline
ID: 36576581
In the picture the script will run on Becky, Steve and Rebecca but not the members of TestGroup.

Exactly correct that is how group policy works.  Although it is called  "group policy' the policies only apply to users and/or computers...not groups.
0
 
LVL 57

Expert Comment

by:Mike Kline
ID: 36576588
Neilsr...it still won't work if he filters on testgroup because a GPO can't apply to a group.
0
 
LVL 37

Assisted Solution

by:Neil Russell
Neil Russell earned 2000 total points
ID: 36576593
Tip:

Never use the USERS or the COMPUTERS folder to store live objects that you create yourself.

Create OU's to hold these objects in as you can NOT link a GPO to USERS or COMPUTERS. They are Containers and NOT OU's
0
 
LVL 37

Expert Comment

by:Neil Russell
ID: 36576617
"Neilsr...it still won't work if he filters on testgroup because a GPO can't apply to a group. "

HELLO?

Did you read what I said?

1) LINK the policy to the domain root.
2) Remove Authenticated users from policy filter
3) Add THE GROUP to the policy filter

That WILL work
0
 
LVL 57

Expert Comment

by:Mike Kline
ID: 36576632
ok if he links to the domain root,  I generally don't like having every GPO linked at the root.
0
 
LVL 37

Expert Comment

by:Neil Russell
ID: 36576648
In HIS instance he has no choice IF users are in the USERS container.  Please READ before you critisize other experts answers. The answer i gave fits exactly what was asked.
0
 
LVL 37

Expert Comment

by:Neil Russell
ID: 36576662
Sorry mkline71, that sounded abrupt, was not meant to be.
0
 
LVL 57

Expert Comment

by:Mike Kline
ID: 36576692
No big deal I like the passion :)
0
 

Author Comment

by:ClaudeWalker
ID: 36576767
It sounds like 2 things:

1) I need to organize all users I created into OU's.  Should I do the same with the computers as well?

2)  Even if a group is in an OU (and corresponding GPO to that OU) the group itself will not be effected by the Group Policy.

3) I like the passion as well :)
0
 
LVL 57

Expert Comment

by:Mike Kline
ID: 36576789
1)  you can do that or link the GPO at the domain level and sue security filtering.  I personally like splitting them out into OUs

2.  correct the group itself or members of the group in the OU will not have a GPO applied to them.

Thanks

Mike
0
 

Expert Comment

by:pravin3000a
ID: 36576936
ou/site/domains are containers.you can assign policy to them,once you edit the policy you can see in bottom of right half ,that is filtering use that for assigning to perrticular mebers only,here you can selet the group as well,that is how you can assign policy to any group.
0
 

Expert Comment

by:pravin3000a
ID: 36576940
in your case you can set it on your domain but make sure you filter it.
0
 
LVL 37

Assisted Solution

by:Neil Russell
Neil Russell earned 2000 total points
ID: 36577152
Cab i suguest you have a good read of this -> http://technet.microsoft.com/en-us/library/cc754948(WS.10).aspx

When you think you understand it, read it again :)
0
 

Author Closing Comment

by:ClaudeWalker
ID: 36904327
Sorry about the delayed response/award.

Thanks guys.  I ended up assigning a deployment GPO in lieu of a total restructing (...yet).

I have a much better understanding of AD/GP so thanks,
JOe K.
0

Featured Post

Vote for the Most Valuable Expert

It’s time to recognize experts that go above and beyond with helpful solutions and engagement on site. Choose from the top experts in the Hall of Fame or on the right rail of your favorite topic page. Look for the blue “Nominate” button on their profile to vote.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Group policies can be applied selectively to specific devices with the help of groups. Utilising this, it is possible to phase-in group policies, over a period of time, by randomly adding non-members user or computers at a set interval, to a group f…
In the absence of a fully-fledged GPO Management product like AGPM, the script in this article will provide you with a simple way to watch the domain (or a select OU) for GPOs changes and automatically take backups when policies are added, removed o…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles from a Windows Server 2008 domain controller to a Windows Server 2012 domain controlle…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…
Suggested Courses

864 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question