Solved

ACtive directory and OUs

Posted on 2014-10-16
6
67 Views
Last Modified: 2014-10-21
I have an Organizational Unit called “users” and  a user, “Kevin” is a member of that OU. If I  apply a group policy, “force password change” (name of it for example)  to that OU than that group policy gets applied to my user every time he logs into his workstation.  Which is great… that’s what I want.

But if I make another OU and call it “outlook” and in it I make a security group and lets say I call them “outlookrestrictions” and I make Kevin a member of that group, how come this OU does not get applied? (see attached)
Capture.JPG
0
Comment
Question by:MrMay
6 Comments
 
LVL 19

Expert Comment

by:Miguel Angel Perez Muñoz
ID: 40384442
I don´t remember GPO affects group members, only users.

Could do an RSOP of kevin and confirm?
0
 
LVL 57

Accepted Solution

by:
Mike Kline earned 500 total points
ID: 40384448
Group policies don't apply to groups only to users and computers.  You can use groups to limit who the GPO is applied to within the OU (called security filtering)   http://technet.microsoft.com/en-us/library/cc728301(v=ws.10).aspx

Thanks

Mike
0
 
LVL 56

Expert Comment

by:Cliff Galiher
ID: 40384449
Security groups are a different type of object. Group policies *only* apply to two types of objects. Users and computers. You can *filter* which users and computers process group policies by using the security filtering mechanism. But the engine that processes group policies will not enumerate security groups in an OU. There are a lot of reasons for this, namely around the complications it'd add to precedence predictability and performance reasons, but since security group filters allow the same basic effect without those issues, I wouldn't expect this behavior to change any time soon.
0
 

Author Comment

by:MrMay
ID: 40384459
i have tried RSOP.. and that specific group policy is not being applied.  so there is no way of making the group policy apply to that group that Kevin is a member of?
0
 
LVL 3

Expert Comment

by:Glingo
ID: 40384480
Hi MrMay,

I don't know about the entire OU but you can do it for the security group:

Go to your group policy in gpmc, select the last tab (I guess it's delegation in English), add your outlookrestrictions security group in there, then select it and click on the advanced button to the bottom right. In there select the security group then check the deny box for the "apply group strategy" setting. If you do that your GPO won't apply to this security group.
0
 
LVL 56

Expert Comment

by:Cliff Galiher
ID: 40384483
Not by only having the group in an OU and applying it to that OU, no. You can apply it to any upstream OU that Kevin is nested in and then add a security filter using that group so *only* members of that group will actually process the OU. That process works just fine.
0

Join & Write a Comment

OfficeMate Freezes on login or does not load after login credentials are input.
A procedure for exporting installed hotfix details of remote computers using powershell
This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…
This tutorial will walk an individual through the process of configuring their Windows Server 2012 domain controller to synchronize its time with a trusted, external resource. Use Google, Bing, or other preferred search engine to locate trusted NTP …

760 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

26 Experts available now in Live!

Get 1:1 Help Now