Solved

Active Directory and OUs

Posted on 2014-10-16
Last Modified: 2014-10-21
I have an Organizational Unit called “users” and a user, “Kevin”, is a member of that OU. If I apply a group policy, “force password change” (name of it for example), to that OU, then that group policy gets applied to my user every time he logs into his workstation. Which is great… that’s what I want.

But if I make another OU and call it “outlook”, and in it I make a security group, and let’s say I call it “outlookrestrictions”, and I make Kevin a member of that group, how come this OU does not get applied? (see attached)
Capture.JPG
Question by:MrMay
 
LVL 19

Expert Comment

by:Miguel Angel Perez Muñoz
ID: 40384442
I don't remember GPOs affecting group members, only users.

Could you do an RSOP of Kevin and confirm?
0
 
LVL 57

Accepted Solution

by:
Mike Kline earned 500 total points
ID: 40384448
Group policies don't apply to groups, only to users and computers. You can use groups to limit who the GPO is applied to within the OU (called security filtering): http://technet.microsoft.com/en-us/library/cc728301(v=ws.10).aspx

Thanks

Mike
0
 
LVL 58

Expert Comment

by:Cliff Galiher
ID: 40384449
Security groups are a different type of object. Group policies *only* apply to two types of objects. Users and computers. You can *filter* which users and computers process group policies by using the security filtering mechanism. But the engine that processes group policies will not enumerate security groups in an OU. There are a lot of reasons for this, namely around the complications it'd add to precedence predictability and performance reasons, but since security group filters allow the same basic effect without those issues, I wouldn't expect this behavior to change any time soon.
0
 

Author Comment

by:MrMay
ID: 40384459
I have tried RSOP... and that specific group policy is not being applied. So there is no way of making the group policy apply to that group that Kevin is a member of?
0
 
LVL 3

Expert Comment

by:Glingo
ID: 40384480
Hi MrMay,

I don't know about the entire OU but you can do it for the security group:

Go to your group policy in gpmc, select the last tab (I guess it's delegation in English), add your outlookrestrictions security group in there, then select it and click on the advanced button to the bottom right. In there select the security group then check the deny box for the "apply group strategy" setting. If you do that your GPO won't apply to this security group.
0
 
LVL 58

Expert Comment

by:Cliff Galiher
ID: 40384483
Not by only having the group in an OU and applying it to that OU, no. You can apply it to any upstream OU that Kevin is nested in and then add a security filter using that group so *only* members of that group will actually process the OU. That process works just fine.
0
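
The approach from the comment above (link the GPO to an OU that contains Kevin's user object, then security-filter it to the group), as an added PowerShell example that is not part of the original thread. The GPO name, domain DN and workstation name are placeholders; `users`, `outlookrestrictions` and `Kevin` come from the question.

```powershell
# Added example, not from the thread. Requires the RSAT GroupPolicy and
# ActiveDirectory modules. Values marked "placeholder" are assumptions.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$GpoName = 'Outlook Restrictions'          # placeholder GPO display name
$UserOU  = 'OU=users,DC=example,DC=com'    # OU holding the user objects (placeholder DN)
$Group   = 'outlookrestrictions'           # security group from the question
$User    = 'Kevin'

# 1. Link the GPO to the OU that contains the *user object*. Linking it to
#    the OU that only contains the group object has no effect, because the
#    engine processes users and computers, not groups.
$linked = (Get-GPInheritance -Target $UserOU).GpoLinks |
    Where-Object { $_.DisplayName -eq $GpoName }
if (-not $linked) {
    New-GPLink -Name $GpoName -Target $UserOU -LinkEnabled Yes | Out-Null
}

# 2. Security filtering. Authenticated Users is lowered from Apply to Read
#    (-Replace is needed to lower an existing, higher permission), and only
#    the group gets Read + Apply. Keeping Read matters since MS16-072:
#    user policy is fetched in the computer's security context.
Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' `
    -TargetType Group -PermissionLevel GpoRead -Replace | Out-Null
Set-GPPermission -Name $GpoName -TargetName $Group `
    -TargetType Group -PermissionLevel GpoApply | Out-Null

# 3. Check the two things that decide whether the user processes the GPO:
#    group membership (nested groups included) and who holds Apply.
$isMember = (Get-ADGroupMember -Identity $Group -Recursive).SamAccountName -contains $User
$appliers = Get-GPPermission -Name $GpoName -All |
    Where-Object { $_.Permission -eq 'GpoApply' } |
    ForEach-Object { $_.Trustee.Name }

[pscustomobject]@{
    Gpo           = $GpoName
    LinkedTo      = $UserOU
    UserInGroup   = $isMember
    ApplyTrustees = $appliers -join ', '
}

# 4. RSoP report for the user on a workstation he has logged on to.
#    The user must log off and on first so the new group membership is in
#    his token. Computer name and domain are placeholders.
Get-GPResultantSetOfPolicy -User "EXAMPLE\$User" -Computer 'WS01' `
    -ReportType Html -Path "$env:TEMP\rsop-$User.html"
```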
