Solved

ACtive directory and OUs

Posted on 2014-10-16
6
71 Views
Last Modified: 2014-10-21
I have an Organizational Unit called “users” and  a user, “Kevin” is a member of that OU. If I  apply a group policy, “force password change” (name of it for example)  to that OU than that group policy gets applied to my user every time he logs into his workstation.  Which is great… that’s what I want.

But if I make another OU and call it “outlook” and in it I make a security group and lets say I call them “outlookrestrictions” and I make Kevin a member of that group, how come this OU does not get applied? (see attached)
Capture.JPG
0
Comment
Question by:MrMay
6 Comments
 
LVL 19

Expert Comment

by:Miguel Angel Perez Muñoz
ID: 40384442
I don´t remember GPO affects group members, only users.

Could do an RSOP of kevin and confirm?
0
 
LVL 57

Accepted Solution

by:
Mike Kline earned 500 total points
ID: 40384448
Group policies don't apply to groups only to users and computers.  You can use groups to limit who the GPO is applied to within the OU (called security filtering)   http://technet.microsoft.com/en-us/library/cc728301(v=ws.10).aspx

Thanks

Mike
0
 
LVL 57

Expert Comment

by:Cliff Galiher
ID: 40384449
Security groups are a different type of object. Group policies *only* apply to two types of objects. Users and computers. You can *filter* which users and computers process group policies by using the security filtering mechanism. But the engine that processes group policies will not enumerate security groups in an OU. There are a lot of reasons for this, namely around the complications it'd add to precedence predictability and performance reasons, but since security group filters allow the same basic effect without those issues, I wouldn't expect this behavior to change any time soon.
0
Netscaler Common Configuration How To guides

If you use NetScaler you will want to see these guides. The NetScaler How To Guides show administrators how to get NetScaler up and configured by providing instructions for common scenarios and some not so common ones.

 

Author Comment

by:MrMay
ID: 40384459
i have tried RSOP.. and that specific group policy is not being applied.  so there is no way of making the group policy apply to that group that Kevin is a member of?
0
 
LVL 3

Expert Comment

by:Glingo
ID: 40384480
Hi MrMay,

I don't know about the entire OU but you can do it for the security group:

Go to your group policy in gpmc, select the last tab (I guess it's delegation in English), add your outlookrestrictions security group in there, then select it and click on the advanced button to the bottom right. In there select the security group then check the deny box for the "apply group strategy" setting. If you do that your GPO won't apply to this security group.
0
 
LVL 57

Expert Comment

by:Cliff Galiher
ID: 40384483
Not by only having the group in an OU and applying it to that OU, no. You can apply it to any upstream OU that Kevin is nested in and then add a security filter using that group so *only* members of that group will actually process the OU. That process works just fine.
0

Featured Post

PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Possible fixes for Windows 7 and Windows Server 2008 updating problem. Solutions mentioned are from Microsoft themselves. I started a case with them from our Microsoft Silver Partner option to open a case and get direct support from Microsoft. If s…
A safe way to clean winsxs folder from your windows server 2008 R2 editions
This tutorial will walk an individual through locating and launching the BEUtility application to properly change the service account username and\or password in situation where it may be necessary or where the password has been inadvertently change…
This tutorial will show how to configure a single USB drive with a separate folder for each day of the week. This will allow each of the backups to be kept separate preventing the previous day’s backup from being overwritten. The USB drive must be s…

813 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

16 Experts available now in Live!

Get 1:1 Help Now