Michael L asked:
Security Group Not Taking GPO

Experts,

It's me again. Another issue, which should be quite simple...
In my domain I created an OU with one Security Group in it. In this Security Group I have a bunch of members. I slapped a User Config'd GPO to this OU and linked it. Running the simulator on the OU, I see it applying the Default Domain Policy and the GPO, which is great, but RSOP on the client doesn't reflect the GPO settings.

Domain
-OU [GPO]
--Group
---Members


Now, the members in this Security Group are also members of Domain Users, Everyone, Users, and probably Authorized Users. Could this be the problem?
Joseph Moody

It sounds like you have the GPO linked to the OU containing the Group. Are the users also in this OU? A GPO has to be linked to the object that is receiving it (users or computers).
Michael L (asker)

Users are in the Group, so shouldn't they be in the OU, if the Group is? A GPO is linked to the OU.
The GPO must be linked to the OU that the users are a member of.
It is linked to the OU the Group is a member of. Do I need to put the users in the OU instead of the Group?
You need to link the GPO to the OU that the users are a member of.
Is it the same as if the users are members of a group that is in the OU with the GPO linked to it?
No, it is not. You can only apply GPOs to user and computer objects. You can of course scope the objects using security groups, but the GPOs themselves need to be applied to an OU containing said objects.

Domain
-OU [GPO with apply to Group]
--Members
Ohhhh... ok, I'll be back :P
Ok, I have my members in the OU with the GPO linked to it. Problem is now, the GPO is being denied.
No matter; you could use the security filtering of the GPO to grant access to the security group, and maybe all users are members of that group.
If you don't want to use a security group, then Authenticated Users must be present in the security filtering.

But at the same time, the users must reside in the OU, or in a sub-OU somewhere under the OU the GPO is applied to.
These are the basic prerequisites for any GPO.

Mahesh
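The two prerequisites stated above (the user object must sit under an OU the GPO is linked to, and the GPO's security filtering must grant Apply to the user or one of its groups) can be checked from a management workstation instead of by trial and error. The following is an added example, not code from the thread; it assumes the RSAT ActiveDirectory and GroupPolicy modules on a domain-joined machine, and the user name and GPO name at the bottom are placeholders.

```powershell
# Added example: verify why a user GPO does or does not reach a given user.
# Assumes RSAT ActiveDirectory + GroupPolicy modules; 'jdoe' and the GPO name are placeholders.
Import-Module ActiveDirectory
Import-Module GroupPolicy

function Test-GpoScopeForUser {
    param(
        [Parameter(Mandatory=$true)][string]$SamAccountName,
        [Parameter(Mandatory=$true)][string]$GpoName
    )

    $user = Get-ADUser -Identity $SamAccountName -Properties MemberOf
    $gpo  = Get-GPO -Name $GpoName

    # 1. The user-configuration half of the GPO must not be disabled.
    $userSideEnabled = ($gpo.GpoStatus -eq 'AllSettingsEnabled') -or ($gpo.GpoStatus -eq 'ComputerSettingsDisabled')

    # 2. Find the nearest OU (or the domain root) above the *user object*, skipping CN=
    #    containers such as CN=Users, which cannot carry GPO links. Get-GPInheritance on that
    #    container lists every link that reaches it, with "block inheritance" and "enforced"
    #    already taken into account. A link on an OU that merely holds the user's group never
    #    shows up here; that is the mistake described in the thread.
    $rdns = $user.DistinguishedName -split '(?<!\\),'          # split on unescaped commas
    $i = 0
    while ($rdns[$i] -notmatch '^(OU|DC)=') { $i++ }
    $container = ($rdns[$i..($rdns.Count - 1)]) -join ','
    $links = (Get-GPInheritance -Target $container).InheritedGpoLinks |
        Where-Object { $_.GpoId -eq $gpo.Id -and $_.Enabled }
    $linkedAt = @($links | ForEach-Object { $_.Target })

    # 3. Security filtering: Apply (not just Read) must be granted to Authenticated Users,
    #    the user, or a group the user belongs to. Only direct membership plus the default
    #    primary group (Domain Users) is considered; nested groups are not expanded here.
    $principals  = @('Authenticated Users', 'Domain Users', $user.SamAccountName)
    $principals += @($user.MemberOf | ForEach-Object { (Get-ADGroup -Identity $_).SamAccountName })
    $applyTo = Get-GPPermission -Guid $gpo.Id -All |
        Where-Object { $_.Permission -eq 'GpoApply' -and -not $_.Denied } |
        ForEach-Object { $_.Trustee.Name }
    $applyVia = @($applyTo | Where-Object { $principals -contains $_ })

    New-Object PSObject -Property @{
        User            = $user.SamAccountName
        Gpo             = $gpo.DisplayName
        UserSideEnabled = $userSideEnabled
        LinkedAt        = $linkedAt          # empty => user is not under any OU this GPO is linked to
        ApplyGrantedVia = $applyVia          # empty => security filtering excludes this user
        ShouldApply     = ($userSideEnabled -and $linkedAt.Count -gt 0 -and $applyVia.Count -gt 0)
    }
}

# Placeholder identities; replace with a real user and GPO in your domain.
Test-GpoScopeForUser -SamAccountName 'jdoe' -GpoName 'User Desktop Lockdown'
```

If `LinkedAt` is empty the GPO is linked somewhere that does not contain the user object, which is exactly the situation in this thread; if `ApplyGrantedVia` is empty the link is fine but the scope tab excludes the user. WMI filters and loopback processing are not evaluated by this check, so a `ShouldApply` of `True` still needs to be confirmed with RSOP or `gpresult /r` on the client.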
Can you post a screenshot of the scope tab of your GPO?
You can see the scope tab under Item 3 on this page:

http://deployhappiness.com/top-10-ways-to-troubleshoot-group-policy/
Ok, the GPO is being applied to the OU now (per RSOP on the OU), but RSOP on my users doesn't show it being applied.
You may be having an orphaned GPO issue; please delete any orphaned GPOs and check whether the GPO is getting applied.

You need to find orphaned GPOs in the entire domain with the PowerShell script below (the script can be run from 2008 R2 domain controllers only):
http://www.jhouseconsulting.com/2012/09/03/finding-orphaned-group-policy-objects-807
The concept of orphaned GPOs:
1. The GPO was deleted directly through Active Directory Users and Computers or ADSI Edit.
2. The GPO was deleted by someone who had permissions to do so in AD, but not in SYSVOL. In this case, the AD portion of the GPO would be deleted but the SYSVOL portion of the GPO would be left behind.

Before running the PowerShell script, you must set the PowerShell execution policy to Unrestricted by running the command below in an elevated PowerShell:
Set-ExecutionPolicy Unrestricted
The command will ask you for confirmation; select Y and hit Enter.
Then you also need to import the Active Directory PowerShell module before running the script, with the command below:
Import-Module ActiveDirectory

You must have administrative rights on the Group Policy objects in the domain.
Domain Admins membership will be just fine.

Mahesh
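The two orphan cases listed above (an AD groupPolicyContainer with no SYSVOL folder, or a SYSVOL folder whose AD object is gone) can be detected by comparing the GUIDs on both sides. The block below is an added example and is not the script linked above; it assumes the RSAT ActiveDirectory module, read access to the SYSVOL share, and PowerShell 2.0 syntax so that it also runs on a 2008 R2 domain controller. It only reports; it deletes nothing.

```powershell
# Added example: list GPO GUIDs that exist on only one side (AD vs. SYSVOL).
# Assumes RSAT ActiveDirectory module and read access to \\<domain>\SYSVOL; report only.
Import-Module ActiveDirectory

function Find-OrphanedGpo {
    param([string]$Domain = (Get-ADDomain).DNSRoot)

    $domainDn = (Get-ADDomain -Identity $Domain).DistinguishedName

    # AD side: every groupPolicyContainer under CN=Policies,CN=System. Its Name is the {GUID}.
    $adIds = @(Get-ADObject -SearchBase "CN=Policies,CN=System,$domainDn" `
                            -LDAPFilter '(objectClass=groupPolicyContainer)' |
              ForEach-Object { $_.Name.Trim('{}').ToUpper() })

    # SYSVOL side: one {GUID} folder per GPO. The regex leaves out PolicyDefinitions
    # (the ADMX central store), which also lives under Policies but is not a GPO.
    $sysvolIds = @(Get-ChildItem "\\$Domain\SYSVOL\$Domain\Policies" |
                   Where-Object { $_.PSIsContainer -and $_.Name -match '^\{[0-9A-F-]{36}\}$' } |
                   ForEach-Object { $_.Name.Trim('{}').ToUpper() })

    New-Object PSObject -Property @{
        Domain     = $Domain
        SysvolOnly = @($sysvolIds | Where-Object { $adIds -notcontains $_ })     # case 2: AD part deleted, folder left
        AdOnly     = @($adIds     | Where-Object { $sysvolIds -notcontains $_ }) # AD object without SYSVOL content
    }
}

Find-OrphanedGpo
```

A GUID in `AdOnly` still shows up in GPMC but has no templates behind it, and one in `SysvolOnly` is just leftover data. For the execution policy step mentioned above, `Set-ExecutionPolicy -Scope Process RemoteSigned` in the same elevated session is enough to run a script once without leaving the machine-wide policy at Unrestricted.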
I don't think GPOs were even being used before I took over, but I'll run this anyway, just to be sure. Thanks!
Ok, Server 2008 (non-R2) doesn't have PowerShell? I made one change, though. I made the Security Group a member of Users/builtin. Checked the Scope, clicked Advanced, made sure the Security Group had Read and Apply GPOs checked, did an RSOP on the client, and success! Does it make sense for that to have done the trick?
That sounds like the GPO itself wasn't scoped correctly. Under the scope tab, what groups are listed under Security Filtering?
Authenticated Users and the Security Group I had added.
You don't need to add the security group if Authenticated Users is added.

Then it will apply to all users in that OU.

If this is not your requirement, and you just want to apply the GPO to particular users only in the same OU, then you need to remove Authenticated Users from the security filtering and add the security group, so that the policy will apply only to the security group's members and not to all users in the OU.

That makes sense.

Mahesh
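The narrowing described above (drop Authenticated Users from the filter, grant Apply to one group) is done on the scope tab's Advanced dialog, or with the GroupPolicy module as in this added example, which is not from the thread. One caveat worth building in: since the MS16-072 update (KB3163622, June 2016) the computer account retrieves user policies, so Authenticated Users (or Domain Computers) must keep Read on the GPO even when they lose Apply; removing them entirely silently breaks the policy on patched clients. The GPO and group names are placeholders.

```powershell
# Added example: scope a GPO to one security group while keeping Read for Authenticated Users.
# Assumes the RSAT GroupPolicy module; GPO and group names are placeholders.
Import-Module GroupPolicy

function Set-GpoApplyToGroupOnly {
    param(
        [Parameter(Mandatory=$true)][string]$GpoName,
        [Parameter(Mandatory=$true)][string]$GroupName
    )

    # Grant Read + Apply to the target group (GpoApply includes Read).
    Set-GPPermission -Name $GpoName -TargetName $GroupName -TargetType Group `
                     -PermissionLevel GpoApply | Out-Null

    # Downgrade Authenticated Users from Apply to Read only. -Replace is required because
    # Set-GPPermission will not lower an existing, higher permission level without it.
    # Keeping Read is what MS16-072 needs so the computer account can still fetch the GPO.
    Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' -TargetType Group `
                     -PermissionLevel GpoRead -Replace | Out-Null

    # Show the resulting filter: only $GroupName should carry GpoApply.
    Get-GPPermission -Name $GpoName -All |
        Select-Object @{n='Trustee'; e={ $_.Trustee.Name }}, Permission, Denied
}

Set-GpoApplyToGroupOnly -GpoName 'User Desktop Lockdown' -GroupName 'Lockdown-Users'
```

After the change, confirm on a client with `gpresult /r /user <domain>\<user>` (or RSOP) that the GPO appears under "Applied Group Policy Objects" for a group member and under "filtered out (Security)" for a user in the same OU who is not a member.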
Ok, So then Authenticated Users was sufficient. I guess I was worried that the GPO would apply to all Auth Users, but if it's only linked to the OU select members are in, only they will be affected.
ASKER CERTIFIED SOLUTION
Mahesh