?
Solved

Assign Group Policy to a Group

Posted on 2011-09-21
20
Medium Priority
?
307 Views
Last Modified: 2012-05-12
So I am running a script on certain computers in the agency and I don't want to move all of them from the Users Folder to a different OU (Test_Deploy) with a modified GPO (basically the OnLogon portion).

So instead of moving all of the users from the Users folder to the TestGPO OU I tried to create a group called TempDeploy.  I added the users I wanted to the TempDeploy group and then added the TempDeploy group to TestGPO.  However, the script did not run.  

The script only ran if I took the Users from the User Folder and added them to the OU TestGPO.  

Is there a way I can apply a GPO to a group within an OU?

Thanks,
JOe K.
0
Comment
Question by:ClaudeWalker
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 7
  • 7
  • 3
  • +1
20 Comments
 
LVL 57

Expert Comment

by:Mike Kline
ID: 36576091
Are you talking about the the deafult Users container or do you have an OU for users.  The problem with the users container is that you can't link a GPO to a container.

You can link a GPO to an OU (right click on the OU in GPMC and link the GPO).  

Thanks

Mike
0
 

Expert Comment

by:pravin3000a
ID: 36576128
if all these users are member of a container assign the policy to that container,and then filter the policy only for the perticular group thats how the policy will run only for the group and not for others.
0
 
LVL 57

Expert Comment

by:Mike Kline
ID: 36576135
You can't link a policy to a container.
0
Get 15 Days FREE Full-Featured Trial

Benefit from a mission critical IT monitoring with Monitis Premium or get it FREE for your entry level monitoring needs.
-Over 200,000 users
-More than 300,000 websites monitored
-Used in 197 countries
-Recommended by 98% of users

 

Author Comment

by:ClaudeWalker
ID: 36576558
Is a group a container?

In the picture the script will run on Becky, Steve and Rebecca but not the members of TestGroup.

 Groups
0
 
LVL 37

Accepted Solution

by:
Neil Russell earned 2000 total points
ID: 36576564
If your AD structure is as unorganised as it sounds....

Link the policy to the domain root and then remove Authenticated users and add Just the Group in the security filtering. That way it wont matter where your users are in terms of OU's

This is using JUST the USERS section of the policy yes?
0
 
LVL 37

Expert Comment

by:Neil Russell
ID: 36576576
Oh i see!
No that wont work

Follow what I said above and it will. You add TestGroup as the group named in the policy filtering section.
0
 
LVL 57

Expert Comment

by:Mike Kline
ID: 36576581
In the picture the script will run on Becky, Steve and Rebecca but not the members of TestGroup.

Exactly correct that is how group policy works.  Although it is called  "group policy' the policies only apply to users and/or computers...not groups.
0
 
LVL 57

Expert Comment

by:Mike Kline
ID: 36576588
Neilsr...it still won't work if he filters on testgroup because a GPO can't apply to a group.
0
 
LVL 37

Assisted Solution

by:Neil Russell
Neil Russell earned 2000 total points
ID: 36576593
Tip:

Never use the USERS or the COMPUTERS folder to store live objects that you create yourself.

Create OU's to hold these objects in as you can NOT link a GPO to USERS or COMPUTERS. They are Containers and NOT OU's
0
 
LVL 37

Expert Comment

by:Neil Russell
ID: 36576617
"Neilsr...it still won't work if he filters on testgroup because a GPO can't apply to a group. "

HELLO?

Did you read what I said?

1) LINK the policy to the domain root.
2) Remove Authenticated users from policy filter
3) Add THE GROUP to the policy filter

That WILL work
0
 
LVL 57

Expert Comment

by:Mike Kline
ID: 36576632
ok if he links to the domain root,  I generally don't like having every GPO linked at the root.
0
 
LVL 37

Expert Comment

by:Neil Russell
ID: 36576648
In HIS instance he has no choice IF users are in the USERS container.  Please READ before you critisize other experts answers. The answer i gave fits exactly what was asked.
0
 
LVL 37

Expert Comment

by:Neil Russell
ID: 36576662
Sorry mkline71, that sounded abrupt, was not meant to be.
0
 
LVL 57

Expert Comment

by:Mike Kline
ID: 36576692
No big deal I like the passion :)
0
 

Author Comment

by:ClaudeWalker
ID: 36576767
It sounds like 2 things:

1) I need to organize all users I created into OU's.  Should I do the same with the computers as well?

2)  Even if a group is in an OU (and corresponding GPO to that OU) the group itself will not be effected by the Group Policy.

3) I like the passion as well :)
0
 
LVL 57

Expert Comment

by:Mike Kline
ID: 36576789
1)  you can do that or link the GPO at the domain level and sue security filtering.  I personally like splitting them out into OUs

2.  correct the group itself or members of the group in the OU will not have a GPO applied to them.

Thanks

Mike
0
 

Expert Comment

by:pravin3000a
ID: 36576936
ou/site/domains are containers.you can assign policy to them,once you edit the policy you can see in bottom of right half ,that is filtering use that for assigning to perrticular mebers only,here you can selet the group as well,that is how you can assign policy to any group.
0
 

Expert Comment

by:pravin3000a
ID: 36576940
in your case you can set it on your domain but make sure you filter it.
0
 
LVL 37

Assisted Solution

by:Neil Russell
Neil Russell earned 2000 total points
ID: 36577152
Cab i suguest you have a good read of this -> http://technet.microsoft.com/en-us/library/cc754948(WS.10).aspx

When you think you understand it, read it again :)
0
 

Author Closing Comment

by:ClaudeWalker
ID: 36904327
Sorry about the delayed response/award.

Thanks guys.  I ended up assigning a deployment GPO in lieu of a total restructing (...yet).

I have a much better understanding of AD/GP so thanks,
JOe K.
0

Featured Post

Office 365 Training for Admins - 7 Day Trial

Learn how to provision tenants, synchronize on-premise Active Directory, implement Single Sign-On, customize Office deployment, and protect your organization with eDiscovery and DLP policies.  Only from Platform Scholar.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Group policies can be applied selectively to specific devices with the help of groups. Utilising this, it is possible to phase-in group policies, over a period of time, by randomly adding non-members user or computers at a set interval, to a group f…
This process allows computer passwords to be managed and secured without using LAPS. This is an improvement on an existing process, enhanced to store password encrypted, instead of clear-text files within SQL
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…
There are cases when e.g. an IT administrator wants to have full access and view into selected mailboxes on Exchange server, directly from his own email account in Outlook or Outlook Web Access. This proves useful when for example administrator want…
Suggested Courses
Course of the Month12 days, 23 hours left to enroll

777 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question