Security Group Not Taking GPO

Experts,

It's me again. Another issue, which should be quite simple...
In my domain I created an OU with one Security Group in it. In this Security Group I have a bunch of members. I slapped a User Config'd GPO to this OU and linked it. Running the simulator on the OU, I see it applying the Default Domain Policy and the GPO, which is great, but RSOP on the client doesn't reflect the GPO settings.

Domain
-OU [GPO]
--Group
---Members

Now, the members in this Security Group are also members of Domain Users, Everyone, Users, and probably Authorized Users. Could this be the problem?
Michael L (Pr. Sysadmin) Asked:
 
Mahesh (Architect) Commented:
Yes, only users in that particular OU or its sub-OUs will be affected.

Ex:
If the OU contains 100 users and you want to apply the policy to 50 users, then you should create a security group, add those 50 users as members, remove Authenticated Users from security filtering, and add that security group.
If you don't do it this way, the policy will apply to all users in that particular OU, because every user that is authenticated by Active Directory is an authenticated user.

If you apply this policy at the domain level, then all domain users will be affected.

Mahesh
0
 
Joseph Moody (Blogger and wearer of all hats.) Commented:
It sounds like you have the GPO linked to the OU containing the Group. Are the users also in this OU? A GPO has to be linked to the object that is receiving it (users or computers).
0
 
Michael L (Pr. Sysadmin), Author, Commented:
Users are in the Group, so shouldn't they be in the OU, if the Group is? A GPO is linked to the OU.
0
 
Joseph Moody (Blogger and wearer of all hats.) Commented:
The GPO must be linked to the OU that the users are a member of.
0
 
Michael L (Pr. Sysadmin), Author, Commented:
It is linked to the OU the Group is a member of. Do I need to put the users in the OU instead of the Group?
0
 
Joseph Moody (Blogger and wearer of all hats.) Commented:
You need to link the GPO to the OU that the users are a member of.
0
 
Michael L (Pr. Sysadmin), Author, Commented:
Is it the same as if the users are members of a group that is in the OU with the GPO linked to it?
0
 
Raj-GT (Systems Engineer) Commented:
No, it is not. You can only apply GPOs to user and computer objects. You can of course scope the objects using Security Groups, but the GPOs themselves need to be applied to an OU containing said objects.

Domain
-OU [GPO with apply to Group]
--Members
0
 
Michael L (Pr. Sysadmin), Author, Commented:
Ohhhh... ok, I'll be back :P
0
 
Michael L (Pr. Sysadmin), Author, Commented:
Ok, I have my members in the OU with the GPO linked to it. Problem is now, the GPO is being denied.
0
 
Mahesh (Architect) Commented:
No matter, you could use security filtering of the GPO to grant access to a security group, and maybe all users are members of that group.
If you don't want to use a security group, then Authenticated Users must be there in security filtering.

But at the same time, users must reside in the OU or sub-OUs, somewhere under the same OU the GPO is applied to.
This is a basic prerequisite for any GPO.

Mahesh
0
 
Joseph Moody (Blogger and wearer of all hats.) Commented:
Can you post a screenshot of the scope tab of your GPO?
0
 
Joseph Moody (Blogger and wearer of all hats.) Commented:
You can see the scope tab under Item 3 on this page:

http://deployhappiness.com/top-10-ways-to-troubleshoot-group-policy/
0
 
Michael L (Pr. Sysadmin), Author, Commented:
Ok, GPO is being applied to the OU now (per RSOP on the OU), but RSOP on my users doesn't show it being applied.
0
 
Mahesh (Architect) Commented:
You may be having an orphaned GPO issue. Please delete orphaned GPOs, if any, and check whether the GPO is getting applied.

You need to find orphaned GPOs in the entire domain with the PowerShell script below (the script can be run from 2008 R2 domain controllers only):
http://www.jhouseconsulting.com/2012/09/03/finding-orphaned-group-policy-objects-807
Concept of orphaned GPOs:
1. If the GPO is deleted directly through Active Directory Users and Computers or ADSI Edit.
2. If the GPO was deleted by someone that had permissions to do so in AD, but not in SYSVOL. In this case, the AD portion of the GPO would be deleted but the SYSVOL portion of the GPO would be left behind.

Before running the PowerShell script, you must set the PowerShell execution policy to Unrestricted
by running the command below in an elevated PowerShell:
Set-ExecutionPolicy Unrestricted
The command will ask you for confirmation; there you need to select Y and hit Enter.
Then you also need to import the Active Directory PowerShell module first, before running the script, by running the command below:
Import-Module ActiveDirectory

You must have administrative rights on Group Policy objects in the domain.
Domain Admins membership will be just fine.

Mahesh
0
 
Michael L (Pr. Sysadmin), Author, Commented:
I don't think GPOs were even being used before I took over, but I'll run this anyway, just to be sure. Thanks!
0
 
Michael L (Pr. Sysadmin), Author, Commented:
Ok, Server 2008 (non-R2) doesn't have PowerShell? I made one change, though. I made the Security Group a member of Users/builtin. Checked the Scope, clicked Advanced, made sure Security Group had Read and Apply GPOs checked, did an RSOP on client, and success! Does it make sense for that to have done the trick?
0
 
Joseph Moody (Blogger and wearer of all hats.) Commented:
That sounds like the GPO itself wasn't scoped correctly. Under the scope tab, what groups are listed under Security Filtering?
0
 
Michael L (Pr. Sysadmin), Author, Commented:
Authenticated Users and the Security Group I had added.
0
 
Mahesh (Architect) Commented:
You don't need to add the security group if Authenticated Users is added.

Then it will apply to all users in that OU.

If this is not your requirement and you just want to apply the GPO to particular users only in the same OU, then you need to remove Authenticated Users from security filtering and add the security group, so that the policy will apply only to security group members and not to all users in the OU.

That makes sense.

Mahesh
0
 
Michael L (Pr. Sysadmin), Author, Commented:
Ok, so then Authenticated Users was sufficient. I guess I was worried that the GPO would apply to all Auth Users, but if it's only linked to the OU select members are in, only they will be affected.
0
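
The two conditions this thread converges on (the GPO must be linked at or above the OU holding the user objects, and the user must hold Apply through security filtering) can be checked together. This is an added PowerShell example, not a script from any poster; it assumes a management host with the RSAT ActiveDirectory and GroupPolicy modules, and `jdoe` and `Sales Desktop Policy` are hypothetical names.

```powershell
# Added example; 'jdoe' and 'Sales Desktop Policy' are hypothetical names.
Import-Module ActiveDirectory, GroupPolicy

function Test-GpoReachesUser {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [Parameter(Mandatory)][string]$GpoName
    )
    $user = Get-ADUser -Identity $SamAccountName -Properties PrimaryGroup
    $gpo  = Get-GPO -Name $GpoName

    # 1. Link scope: the GPO must be linked at or above the OU that holds the
    #    USER object. Where the group object lives plays no part.
    #    (Assumes the user sits in an OU, not the default CN=Users container.)
    $parentOu = $user.DistinguishedName -replace '^CN=.+?(?<!\\),', ''
    $links = @((Get-GPInheritance -Target $parentOu).InheritedGpoLinks |
        Where-Object { $_.GpoId -eq $gpo.Id -and $_.Enabled })

    # 2. Security filtering: the user needs Apply through some trustee.
    #    Collect the user's SID, Authenticated Users (S-1-5-11), the primary
    #    group, and every nested group (LDAP matching-rule-in-chain filter).
    $chain = "(member:1.2.840.113556.1.4.1941:=$($user.DistinguishedName))"
    $sids  = @($user.SID.Value, 'S-1-5-11', (Get-ADGroup $user.PrimaryGroup).SID.Value)
    $sids += Get-ADGroup -LDAPFilter $chain | ForEach-Object { $_.SID.Value }

    $perms = @(Get-GPPermission -Guid $gpo.Id -All)
    $applyVia = @($perms | Where-Object {
        $_.Permission -eq 'GpoApply' -and -not $_.Denied -and
        $sids -contains $_.Trustee.Sid.Value
    } | ForEach-Object { $_.Trustee.Name })

    # 3. On currently patched clients, user policy is fetched in the computer's
    #    security context, so the computer also needs Read on the GPO. Any
    #    allow entry for Authenticated Users or Domain Computers (RID 515)
    #    covers that.
    $computerCanRead = [bool]($perms | Where-Object {
        -not $_.Denied -and $_.Trustee.Sid.Value -match '^S-1-5-11$|-515$'
    })

    [pscustomobject]@{
        User            = $user.SamAccountName
        UserOu          = $parentOu
        LinkedInScope   = ($links.Count -gt 0)
        ApplyGrantedVia = $applyVia
        ComputerCanRead = $computerCanRead
    }
}

Test-GpoReachesUser -SamAccountName 'jdoe' -GpoName 'Sales Desktop Policy'
```

A user whose group membership was just changed needs to log off and on again before the new group shows up in the logon token, so `ApplyGrantedVia` can be correct in the directory while RSOP on the client still shows the GPO as denied.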
Question has a verified solution.
