Solved

Assign Group Policy to a Group

Posted on 2011-09-21
Last Modified: 2012-05-12
So I am running a script on certain computers in the agency and I don't want to move all of them from the Users Folder to a different OU (Test_Deploy) with a modified GPO (basically the OnLogon portion).

So instead of moving all of the users from the Users folder to the TestGPO OU I tried to create a group called TempDeploy.  I added the users I wanted to the TempDeploy group and then added the TempDeploy group to TestGPO.  However, the script did not run.  

The script only ran if I took the Users from the User Folder and added them to the OU TestGPO.  

Is there a way I can apply a GPO to a group within an OU?

Thanks,
JOe K.
0
Question by:ClaudeWalker
20 Comments
 
LVL 57

Expert Comment

by:Mike Kline
ID: 36576091
Are you talking about the default Users container or do you have an OU for users?  The problem with the Users container is that you can't link a GPO to a container.

You can link a GPO to an OU (right click on the OU in GPMC and link the GPO).  

Thanks

Mike
0
 

Expert Comment

by:pravin3000a
ID: 36576128
If all these users are members of a container, assign the policy to that container, and then filter the policy only for the particular group. That's how the policy will run only for the group and not for others.
0
 
LVL 57

Expert Comment

by:Mike Kline
ID: 36576135
You can't link a policy to a container.
0
 

Author Comment

by:ClaudeWalker
ID: 36576558
Is a group a container?

In the picture the script will run on Becky, Steve and Rebecca but not the members of TestGroup.

[Image: Groups]
0
 
LVL 37

Accepted Solution

by:Neil Russell
Neil Russell earned 500 total points
ID: 36576564
If your AD structure is as unorganised as it sounds....

Link the policy to the domain root and then remove Authenticated Users and add just the group in the security filtering. That way it won't matter where your users are in terms of OU's.

This is using JUST the USERS section of the policy yes?
0
 
LVL 37

Expert Comment

by:Neil Russell
ID: 36576576
Oh I see!
No, that won't work.

Follow what I said above and it will. You add TestGroup as the group named in the policy filtering section.
0
 
LVL 57

Expert Comment

by:Mike Kline
ID: 36576581
"In the picture the script will run on Becky, Steve and Rebecca but not the members of TestGroup."

Exactly correct, that is how group policy works.  Although it is called "group policy", the policies only apply to users and/or computers...not groups.
0
 
LVL 57

Expert Comment

by:Mike Kline
ID: 36576588
Neilsr...it still won't work if he filters on testgroup because a GPO can't apply to a group.
0
 
LVL 37

Assisted Solution

by:Neil Russell
Neil Russell earned 500 total points
ID: 36576593
Tip:

Never use the USERS or the COMPUTERS folder to store live objects that you create yourself.

Create OU's to hold these objects in as you can NOT link a GPO to USERS or COMPUTERS. They are Containers and NOT OU's
0
 
LVL 37

Expert Comment

by:Neil Russell
ID: 36576617
"Neilsr...it still won't work if he filters on testgroup because a GPO can't apply to a group. "

HELLO?

Did you read what I said?

1) LINK the policy to the domain root.
2) Remove Authenticated users from policy filter
3) Add THE GROUP to the policy filter

That WILL work
0
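The three steps listed above (link at the domain root, then security-filter to the group), as an added PowerShell example that is not part of the thread. It assumes the GroupPolicy and ActiveDirectory RSAT modules, a hypothetical GPO name `Deploy-LogonScript`, and the `TempDeploy` group from the question. It keeps Read for Authenticated Users instead of deleting the entry outright, because since the MS16-072 update clients fetch user policy in the computer's security context and need Read on the GPO.

```powershell
# Added example (not from the thread). Run from an admin workstation with RSAT.
Import-Module GroupPolicy, ActiveDirectory

$GpoName   = 'Deploy-LogonScript'  # hypothetical GPO name; substitute your own
$GroupName = 'TempDeploy'          # group named in the question
$domainDn  = (Get-ADDomain).DistinguishedName

# 1) Link the GPO at the domain root, unless it is already linked there.
$linked = (Get-GPInheritance -Target $domainDn).GpoLinks |
    Where-Object { $_.DisplayName -eq $GpoName }
if (-not $linked) {
    New-GPLink -Name $GpoName -Target $domainDn -LinkEnabled Yes | Out-Null
}

# 2) Take Apply away from Authenticated Users but keep Read.
#    -Replace is required: without it a higher existing level is left unchanged.
Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' `
    -TargetType Group -PermissionLevel GpoRead -Replace | Out-Null

# 3) Grant Read + Apply to the deployment group only.
Set-GPPermission -Name $GpoName -TargetName $GroupName `
    -TargetType Group -PermissionLevel GpoApply | Out-Null

# 4) Audit: a domain-root link reaches every user and computer in the domain,
#    so any other trustee that still holds Apply widens the scope.
$extra = Get-GPPermission -Name $GpoName -All |
    Where-Object { $_.Permission -eq 'GpoApply' -and $_.Trustee.Name -ne $GroupName }
foreach ($e in $extra) {
    Write-Warning "GPO also applies to: $($e.Trustee.Name)"
}

# 5) List the user accounts that will receive the policy and where they live
#    (CN=Users or an OU makes no difference with a root link).
Get-ADGroupMember -Identity $GroupName -Recursive |
    Where-Object { $_.objectClass -eq 'user' } |
    Select-Object SamAccountName, distinguishedName
```

Users added to the group pick up the policy at their next logon, when their token includes the new membership; `gpresult /r` on the client shows whether the GPO was applied or filtered out.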
 
LVL 57

Expert Comment

by:Mike Kline
ID: 36576632
ok if he links to the domain root,  I generally don't like having every GPO linked at the root.
0
 
LVL 37

Expert Comment

by:Neil Russell
ID: 36576648
In HIS instance he has no choice IF users are in the USERS container.  Please READ before you criticize other experts' answers. The answer I gave fits exactly what was asked.
0
 
LVL 37

Expert Comment

by:Neil Russell
ID: 36576662
Sorry mkline71, that sounded abrupt, was not meant to be.
0
 
LVL 57

Expert Comment

by:Mike Kline
ID: 36576692
No big deal I like the passion :)
0
 

Author Comment

by:ClaudeWalker
ID: 36576767
It sounds like 2 things:

1) I need to organize all users I created into OU's.  Should I do the same with the computers as well?

2)  Even if a group is in an OU (and corresponding GPO to that OU) the group itself will not be affected by the Group Policy.

3) I like the passion as well :)
0
 
LVL 57

Expert Comment

by:Mike Kline
ID: 36576789
1)  You can do that or link the GPO at the domain level and use security filtering.  I personally like splitting them out into OUs.

2)  Correct, the group itself or members of the group in the OU will not have a GPO applied to them.

Thanks

Mike
0
 

Expert Comment

by:pravin3000a
ID: 36576936
OUs/sites/domains are containers. You can assign policy to them. Once you edit the policy you can see, in the bottom of the right half, the filtering; use that for assigning to particular members only. Here you can select the group as well; that is how you can assign policy to any group.
0
 

Expert Comment

by:pravin3000a
ID: 36576940
in your case you can set it on your domain but make sure you filter it.
0
 
LVL 37

Assisted Solution

by:Neil Russell
Neil Russell earned 500 total points
ID: 36577152
Can I suggest you have a good read of this -> http://technet.microsoft.com/en-us/library/cc754948(WS.10).aspx

When you think you understand it, read it again :)
0
 

Author Closing Comment

by:ClaudeWalker
ID: 36904327
Sorry about the delayed response/award.

Thanks guys.  I ended up assigning a deployment GPO in lieu of a total restructuring (...yet).

I have a much better understanding of AD/GP so thanks,
JOe K.
0
