Solved

Active Directory and OUs

Posted on 2014-10-16
Last Modified: 2014-10-21
I have an Organizational Unit called “users”, and a user, “Kevin”, is a member of that OU. If I apply a group policy, “force password change” (name of it for example), to that OU, then that group policy gets applied to my user every time he logs into his workstation. Which is great… that’s what I want.

But if I make another OU and call it “outlook”, and in it I make a security group, and let's say I call them “outlookrestrictions”, and I make Kevin a member of that group, how come this OU does not get applied? (see attached)
Question by:MrMay
6 Comments
 

Expert Comment

by:Miguel Angel Perez Muñoz
ID: 40384442
I don't remember GPOs affecting group members, only users.

Could you do an RSOP of Kevin and confirm?

Accepted Solution

by:
Mike Kline earned 500 total points
ID: 40384448
Group policies don't apply to groups, only to users and computers. You can use groups to limit who the GPO is applied to within the OU (called security filtering): http://technet.microsoft.com/en-us/library/cc728301(v=ws.10).aspx

Thanks

Mike

Expert Comment

by:Cliff Galiher
ID: 40384449
Security groups are a different type of object. Group policies *only* apply to two types of objects. Users and computers. You can *filter* which users and computers process group policies by using the security filtering mechanism. But the engine that processes group policies will not enumerate security groups in an OU. There are a lot of reasons for this, namely around the complications it'd add to precedence predictability and performance reasons, but since security group filters allow the same basic effect without those issues, I wouldn't expect this behavior to change any time soon.

Author Comment

by:MrMay
ID: 40384459
I have tried RSOP... and that specific group policy is not being applied. So there is no way of making the group policy apply to that group that Kevin is a member of?

Expert Comment

by:Glingo
ID: 40384480
Hi MrMay,

I don't know about the entire OU but you can do it for the security group:

Go to your group policy in GPMC, select the last tab (I guess it's delegation in English), add your outlookrestrictions security group in there, then select it and click on the advanced button at the bottom right. In there select the security group, then check the deny box for the "apply group strategy" setting. If you do that, your GPO won't apply to this security group.

Expert Comment

by:Cliff Galiher
ID: 40384483
Not by only having the group in an OU and applying it to that OU, no. You can apply it to any upstream OU that Kevin is nested in and then add a security filter using that group so *only* members of that group will actually process the OU. That process works just fine.
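The approach the answers above describe (link the GPO to the OU that holds the user object, then security-filter it to the group), as an added PowerShell example that is not part of the original thread. It assumes the GroupPolicy and ActiveDirectory modules are installed; the GPO name, domain DN, NetBIOS domain, workstation name and account name are placeholders.

```powershell
# Added example. All names below are assumptions/placeholders, not values from the thread's environment.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$GpoName   = 'Outlook Restrictions'         # hypothetical GPO display name
$GroupName = 'outlookrestrictions'          # security group named in the question
$UserOu    = 'OU=users,DC=example,DC=com'   # placeholder DN of the OU that contains Kevin's user object
$User      = 'Kevin'                        # assumed sAMAccountName
$Computer  = 'WS01'                         # placeholder workstation Kevin has logged on to

# 1. Link the GPO to the OU holding the *user objects*. Linking it to an OU that
#    only contains the security group does nothing: groups are not policy targets.
$link = (Get-GPInheritance -Target $UserOu).GpoLinks |
        Where-Object DisplayName -eq $GpoName
if (-not $link) {
    New-GPLink -Name $GpoName -Target $UserOu -LinkEnabled Yes | Out-Null
}

# 2. Security filtering: grant Read + Apply to the group.
Set-GPPermission -Name $GpoName -TargetName $GroupName `
                 -TargetType Group -PermissionLevel GpoApply | Out-Null

# 3. Downgrade the default 'Authenticated Users' entry from Apply to Read only.
#    -Replace is required to lower an existing permission. Read is kept so that
#    computer accounts can still retrieve the GPO (needed since MS16-072).
Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' `
                 -TargetType Group -PermissionLevel GpoRead -Replace | Out-Null

# 4. Review the resulting ACL: only $GroupName should show GpoApply.
Get-GPPermission -Name $GpoName -All |
    Select-Object @{ n = 'Trustee'; e = { $_.Trustee.Name } }, Permission |
    Sort-Object Trustee | Format-Table -AutoSize

# 5. Confirm the user is in the filter group (directly or through nesting).
$isMember = [bool](Get-ADGroupMember -Identity $GroupName -Recursive |
                   Where-Object SamAccountName -eq $User)
"{0} in {1}: {2}" -f $User, $GroupName, $isMember

# 6. RSoP report for the user on that workstation. A new group membership only
#    appears in the user's token after the next logon, so run this afterwards.
Get-GPResultantSetOfPolicy -User "EXAMPLE\$User" -Computer $Computer `
    -ReportType Html -Path (Join-Path $env:TEMP "rsop-$User.html") | Out-Null
```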

Question has a verified solution.
