Solved

Assign Group Policy to a Group

Posted on 2011-09-21
Last Modified: 2012-05-12
So I am running a script on certain computers in the agency and I don't want to move all of them from the Users Folder to a different OU (Test_Deploy) with a modified GPO (basically the OnLogon portion).

So instead of moving all of the users from the Users folder to the TestGPO OU I tried to create a group called TempDeploy.  I added the users I wanted to the TempDeploy group and then added the TempDeploy group to TestGPO.  However, the script did not run.  

The script only ran if I took the Users from the User Folder and added them to the OU TestGPO.  

Is there a way I can apply a GPO to a group within an OU?

Thanks,
JOe K.
Question by:ClaudeWalker
20 Comments
 
LVL 57

Expert Comment

by:Mike Kline
ID: 36576091
Are you talking about the default Users container, or do you have an OU for users?  The problem with the Users container is that you can't link a GPO to a container.

You can link a GPO to an OU (right click on the OU in GPMC and link the GPO).  

Thanks

Mike
0
 

Expert Comment

by:pravin3000a
ID: 36576128
If all these users are members of a container, assign the policy to that container, and then filter the policy only for the particular group. That's how the policy will run only for the group and not for others.
0
 
LVL 57

Expert Comment

by:Mike Kline
ID: 36576135
You can't link a policy to a container.
0
 

Author Comment

by:ClaudeWalker
ID: 36576558
Is a group a container?

In the picture the script will run on Becky, Steve and Rebecca but not the members of TestGroup.

 Groups
0
 
LVL 37

Accepted Solution

by:
Neil Russell earned 500 total points
ID: 36576564
If your AD structure is as unorganised as it sounds....

Link the policy to the domain root and then remove Authenticated Users and add just the group in the security filtering. That way it won't matter where your users are in terms of OUs.

This is using JUST the USERS section of the policy yes?
0
 
LVL 37

Expert Comment

by:Neil Russell
ID: 36576576
Oh I see!
No, that won't work.

Follow what I said above and it will. You add TestGroup as the group named in the policy filtering section.
0
 
LVL 57

Expert Comment

by:Mike Kline
ID: 36576581
"In the picture the script will run on Becky, Steve and Rebecca but not the members of TestGroup."

Exactly correct, that is how Group Policy works.  Although it is called "Group Policy", the policies only apply to users and/or computers...not groups.
0
 
LVL 57

Expert Comment

by:Mike Kline
ID: 36576588
Neilsr...it still won't work if he filters on testgroup because a GPO can't apply to a group.
0
 
LVL 37

Assisted Solution

by:Neil Russell
Neil Russell earned 500 total points
ID: 36576593
Tip:

Never use the USERS or the COMPUTERS folder to store live objects that you create yourself.

Create OU's to hold these objects in as you can NOT link a GPO to USERS or COMPUTERS. They are Containers and NOT OU's
0
 
LVL 37

Expert Comment

by:Neil Russell
ID: 36576617
"Neilsr...it still won't work if he filters on testgroup because a GPO can't apply to a group. "

HELLO?

Did you read what I said?

1) LINK the policy to the domain root.
2) Remove Authenticated users from policy filter
3) Add THE GROUP to the policy filter

That WILL work
0
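The three steps listed above, scripted with the GroupPolicy PowerShell module as an added example (not code posted by anyone in this thread). The GPO name `Deploy-Logon-Script` is a hypothetical placeholder and `TempDeploy` is the group from the question. Authenticated Users keeps Read on the GPO because, since the MS16-072 update (released after this thread), user policy is retrieved in the computer's security context and a GPO that no computer account can read is silently skipped.

```powershell
# Added example. Placeholder names: adjust $GpoName / $GroupName for your domain.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$GpoName   = 'Deploy-Logon-Script'   # hypothetical GPO name
$GroupName = 'TempDeploy'            # security group from the question
$DomainDn  = (Get-ADDomain).DistinguishedName

# 1) Link the GPO to the domain root, unless it is already linked there.
$links = (Get-GPInheritance -Target $DomainDn).GpoLinks
if ($links.DisplayName -notcontains $GpoName) {
    New-GPLink -Name $GpoName -Target $DomainDn -LinkEnabled Yes | Out-Null
}

# 2) Remove "Apply group policy" from Authenticated Users but keep Read.
#    -Replace is required: without it a lower permission level is ignored.
Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' `
    -TargetType Group -PermissionLevel GpoRead -Replace | Out-Null

# 3) Add the group to security filtering (Read + Apply).
Set-GPPermission -Name $GpoName -TargetName $GroupName `
    -TargetType Group -PermissionLevel GpoApply | Out-Null

# Check: a GPO linked at the domain root reaches every user, so confirm
# that the target group is the only trustee left with Apply rights.
$appliers = Get-GPPermission -Name $GpoName -All |
    Where-Object { $_.Permission -eq 'GpoApply' }
$unexpected = $appliers | Where-Object { $_.Trustee.Name -ne $GroupName }
if ($unexpected) {
    Write-Warning ("GPO '{0}' also applies to: {1}" -f $GpoName,
        (($unexpected | ForEach-Object { $_.Trustee.Name }) -join ', '))
}

# Security filtering acts on the user (or computer) accounts that are
# members of the group, so list who will actually receive the policy.
Get-ADGroupMember -Identity $GroupName -Recursive |
    Select-Object Name, objectClass, distinguishedName
```

Group membership is evaluated from the logon token, so users added to the group pick up the GPO at their next logon.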

 
LVL 57

Expert Comment

by:Mike Kline
ID: 36576632
ok if he links to the domain root,  I generally don't like having every GPO linked at the root.
0
 
LVL 37

Expert Comment

by:Neil Russell
ID: 36576648
In HIS instance he has no choice IF users are in the USERS container.  Please READ before you criticize other experts' answers. The answer I gave fits exactly what was asked.
0
 
LVL 37

Expert Comment

by:Neil Russell
ID: 36576662
Sorry mkline71, that sounded abrupt, was not meant to be.
0
 
LVL 57

Expert Comment

by:Mike Kline
ID: 36576692
No big deal I like the passion :)
0
 

Author Comment

by:ClaudeWalker
ID: 36576767
It sounds like 2 things:

1) I need to organize all users I created into OU's.  Should I do the same with the computers as well?

2)  Even if a group is in an OU (and corresponding GPO to that OU) the group itself will not be affected by the Group Policy.

3) I like the passion as well :)
0
 
LVL 57

Expert Comment

by:Mike Kline
ID: 36576789
1)  You can do that or link the GPO at the domain level and use security filtering.  I personally like splitting them out into OUs.

2)  Correct, the group itself or members of the group in the OU will not have a GPO applied to them.

Thanks

Mike
0
 

Expert Comment

by:pravin3000a
ID: 36576936
OUs/sites/domains are containers. You can assign policy to them. Once you edit the policy you can see, in the bottom of the right half, the filtering; use that for assigning to particular members only. Here you can select the group as well. That is how you can assign policy to any group.
0
 

Expert Comment

by:pravin3000a
ID: 36576940
In your case you can set it on your domain, but make sure you filter it.
0
 
LVL 37

Assisted Solution

by:Neil Russell
Neil Russell earned 500 total points
ID: 36577152
Can I suggest you have a good read of this -> http://technet.microsoft.com/en-us/library/cc754948(WS.10).aspx

When you think you understand it, read it again :)
0
 

Author Closing Comment

by:ClaudeWalker
ID: 36904327
Sorry about the delayed response/award.

Thanks guys.  I ended up assigning a deployment GPO in lieu of a total restructuring (...yet).

I have a much better understanding of AD/GP so thanks,
JOe K.
0

Question has a verified solution.
