Solved

Confused by OU & GPO

Posted on 2015-02-02
Last Modified: 2015-02-07
I have an OU containing the users and an OU for the computers.

I wish to test on a particular computer so I have created a testing OU containing the test computer.

I have created a GPO that contains both computer (data sources) & user settings (drive mappings). This GPO I have linked to my users OU and my computers OU.

I wish to create a trial GPO with both computer and user settings. I would imagine that I would link this trial GPO to my users OU and my testing OU.

This means that in summary:
Both GPOs will be linked to my users OU
Main GPO will be linked to my computers OU
Trial GPO will be linked to my testing GPO

As both Main & Trial GPO are linked to my users OU, how will Windows ensure that when user X logs in on a production (non-testing) PC, only the main GPO is applied?

I am worried my testing GPO will be applied to all users as it is linked to the same users OU as my main GPO.
0
Question by:Ethan Darwin
 
LVL 3

Expert Comment

by:Rezwan Islam
ID: 40585388
Hi Ethan,
You can put the computers in the test OU under an AD security group and apply this as a security filter for the trial GPO.

Or,

you can keep it simple like below,

Create a GPO "GPO 1" for users with "computer configuration settings" disabled (from details tab), and
Create a GPO "GPO 2" for computers with "user configuration settings" disabled.

Then link both GPOs to the users OU and link GPO 2 to the Test OU. Hope this helps.
0
 

Author Comment

by:Ethan Darwin
ID: 40585392
Hi Rezwan, and thanks for the help.

My main GPO sets up data sources and maps drives to server1
My test GPO sets up data sources and maps drives to server2

Accordingly I need both the computer and user sections of both my GPOs active.
0
 
LVL 3

Expert Comment

by:Rezwan Islam
ID: 40585418
Hi Ethan,
Data Sources are computer based, and both ODBC settings can be on one GPO and applied to computers only via a security filter, while the server drive mapping can be done via a single GPO (user configuration preference) and applied to users.

You will still need two GPOs, but you can separate them according to their functions, and even linking them to both OUs wouldn't hurt; that's what I am trying to say. Thanks
0
 

Author Comment

by:Ethan Darwin
ID: 40585528
Hi Rezwan, once again thank you for your help.

I may not be communicating my scenario clearly enough or simply failing to understand your solution.

To simplify my question further.

How can I have a user map a drive to location A on computer A and location B on computer B?

(So one OU for the user and two OUs for the two computers.)
0
 
LVL 3

Accepted Solution

by:
Rezwan Islam earned 250 total points
ID: 40585586
Hi Ethan,
Is your OU hierarchy like this?

|-Organization
       |-----Users(OU)
       |------Computers(OU1)
       |------Computers(OU2)

Also, a lot depends on how you want to map your server drives. Have you read about item-level targeting for drive mapping? You can achieve that by using this feature. If your domain controllers are all Windows 2008 then you have this available.

Now, I think you only need one GPO to achieve this if you use item-level targeting. This is how you can configure the GPO:
- Link the GPO right under "Organization".
- Configure the GPO's computer configuration for ODBC settings and user configuration for other settings according to your requirement.
- For mapping a drive, edit the GPO, expand User config, then Preference, then Windows settings, and select Drive Maps.
- Right-click on the right pane, select the new - map drive option, and fill in the necessary info on the "General" tab. I have attached a sample picture of that tab, "ee1-dmap.jpg".
- Then click on "Common", select "item-level targeting" and click on the "Targeting" button (picture ee2-dmap.jpg attached).
- Select new item, Organization Unit, select "Computers in OU" and then select your computers OU from the browser above (picture ee3-dmap.jpg attached).

You can create a second drive map for the other server the same way by pointing the target to the other computer OU.

Hope this helps.
ee1-dmap.JPG
ee2-dmap.JPG
ee3-dmap.JPG
0
 
LVL 35

Assisted Solution

by:Mahesh
Mahesh earned 250 total points
ID: 40585891
GPO Behavior:
When you apply any GPO (maybe with computer config and user config in the same GPO) to any OU, it will affect all objects in that OU (users and computers) unless you remove Authenticated Users from security filtering and add your required group of users \ computers.
If you click on a GPO in the GPMC console, in the right hand, left hand side, you will see the Scope tab; underneath that tab you will find Security Filtering. The GPO will apply to the security principals that exist in the Security Filtering window.
If Authenticated Users is there in security filtering, the GPO will be applied to all objects in that OU.
(I hope you know that user configuration settings will apply to users and computer configuration settings will be applied to computers in that OU.)

In the case of drive maps, they are user based, and no matter which machine the user logs on to, the drives will be mapped.
Since this is a user-based setting, it will be applied no matter which computer the user is logged on to;
location will not come into the picture here.

Similarly, if you are doing any computer config setting, it will apply to computers regardless of who is logged on to the machine.

Group Policy can be linked to:
- Site level, where it will be applied to all subnets in that site
- Domain level, which affects all objects in the entire domain
- OU level, which affects all objects in the entire OU
0
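
The item-level targeting from the accepted solution, and the point in the last comment that an untargeted drive map follows the user to every machine, shown as an added example that is not part of the original thread. It evaluates a constructed Drives.xml; the FilterOrgUnit attribute names are an assumption about the Group Policy Preferences file layout, and the domain, OU and share names are hypothetical (server1 and server2 come from the question).

```python
import xml.etree.ElementTree as ET

# Constructed sample, modelled on the Drives.xml that Group Policy Preferences
# writes under SYSVOL (clsid/uid attributes omitted; attribute names assumed).
SAMPLE_DRIVES_XML = r"""
<Drives>
  <Drive name="S:">
    <Properties action="U" path="\\server1\data" letter="S"/>
    <Filters><FilterOrgUnit bool="AND" not="0" userContext="0" directMember="0"
        name="OU=Computers1,DC=example,DC=com"/></Filters>
  </Drive>
  <Drive name="S:">
    <Properties action="U" path="\\server2\data" letter="S"/>
    <Filters><FilterOrgUnit bool="AND" not="0" userContext="0" directMember="0"
        name="OU=Computers2,DC=example,DC=com"/></Filters>
  </Drive>
  <Drive name="T:">
    <Properties action="U" path="\\server1\public" letter="T"/>
  </Drive>
</Drives>
"""

def in_ou(dn, ou_dn, direct_only):
    """True if object `dn` sits in `ou_dn` (or below it, unless direct_only)."""
    # Simplification: splits on the first comma, so escaped commas in a CN are not handled.
    parent = dn.split(",", 1)[1].lower() if "," in dn else ""
    ou = ou_dn.lower()
    return parent == ou if direct_only else (parent == ou or parent.endswith("," + ou))

def filter_matches(f, user_dn, computer_dn):
    """Evaluate one OU filter: userContext=1 tests the user, 0 tests the computer."""
    subject = user_dn if f.get("userContext") == "1" else computer_dn
    hit = in_ou(subject, f.get("name"), f.get("directMember") == "1")
    return hit != (f.get("not") == "1")   # not="1" inverts the result

def drives_for(xml_text, user_dn, computer_dn):
    """Return (letter, path, targeted) for every drive item that applies."""
    result = []
    for drive in ET.fromstring(xml_text).iter("Drive"):
        filters = drive.findall("./Filters/FilterOrgUnit")
        # Only AND-combined OU filters are modelled; an item with no filter applies to everyone.
        if all(filter_matches(f, user_dn, computer_dn) for f in filters):
            props = drive.find("Properties")
            result.append((props.get("letter"), props.get("path"), bool(filters)))
    return result

USER = "CN=User X,OU=Users,DC=example,DC=com"
for pc in ("CN=PC-A,OU=Computers1,DC=example,DC=com", "CN=PC-B,OU=Computers2,DC=example,DC=com"):
    print(pc, drives_for(SAMPLE_DRIVES_XML, USER, pc))
```

Items returned with `targeted` set to False are the ones that reach every computer the user logs on to, which is what to look for when a trial setting must stay on the test machines.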
