Confused by OU & GPO

I have an OU containing the users and an OU for the computers.

I wish to test on a particular computer so I have created a testing OU containing the test computer.

I have created a GPO that contains both computer (data sources) & user settings (drive mappings). This GPO I have linked to my users OU and my computers OU.

I wish to create a trial GPO with both computer and user settings. I would imagine that I would link this trail GPO to my users OU and my testing OU.

This means that in summary:
Both GPOs will be linked to my users OU
Main GPO will be linked to my computers OU
Trail GPO will be linked to my testing GPO

As both Main & Trail GPO are linked to my users OU how will windows ensure that when user X logs in on a production (non testing pc) on ly the main GPO is applied?

I am worried my testing GPO will be applied to all users are it is linked to the same users OU as my main GPO.
Ethan DarwinAsked:
Who is Participating?

Improve company productivity with a Business Account.Sign Up

x
 
Rezwan IslamConnect With a Mentor Systems AdministratorCommented:
Hi Ethan,
Is your OU hierarchy like this?

|-Organization
       |-----Users(OU)
       |------Computers(OU1)
       |------Computers(OU2)

Also, lot depends on how you want to map your server drives. Have you read about item-level targeting for drive mapping? You can achieve that by using this feature. If your domain controllers are all Windows 2008 then you have this available.

Now, I think you only need one GPO to achieve this if you use item-level targeting. And this is how you can configure the GPO.
- link the GPO right under "Organization"
-Configure GPO computer configuration for ODBC settings and User configuration for other settings according to your requirement.
-for mapping drive, edit the GPO, expand User config, then Preference, then Windows settings and select Drive Maps
-right click on the right pane and select new - map drive option and fill up necessary info on the "General" tab. I have attached a sample picture of that tab "ee1-dmap.jpg".
-then click on "common" and select "item-level targeting" and click on "Targeting" button. (picture ee2-dmap.jpg attached)
-select new item, Organization Unit, select "Computers in OU" and then select your computers OU from the browser above (picture ee3-dmap.jpg attached)

and you can create a second drive map for the other server the same way by point the target to the other computer OU.

Hope this helps.
ee1-dmap.JPG
ee2-dmap.JPG
ee3-dmap.JPG
0
 
Rezwan IslamSystems AdministratorCommented:
Hi Ethan,
You can put the computers in the test OU under a AD security group and apply this as a security filter for trail GPO.

Or,

you can keep it simple like below,

Create a GPO "GPO 1" for users with "computer configuration settings" disabled (from details tab), and
Create a GPO "GPO 2" for computers with "user configuration settings" disabled.

then link both GPOs to users OU and link GPO 2 to Test OU. Hope this helps.
0
 
Ethan DarwinAuthor Commented:
hi Rezwan and thanks for the help.

My main GPO sets up data sources and maps drives to server1
My test GPO sets up data sources and maps drives to server2

Accordingly I need both the computer and user sections of both my GPOs active.
0
Easily Design & Build Your Next Website

Squarespace’s all-in-one platform gives you everything you need to express yourself creatively online, whether it is with a domain, website, or online store. Get started with your free trial today, and when ready, take 10% off your first purchase with offer code 'EXPERTS'.

 
Rezwan IslamSystems AdministratorCommented:
Hi Ethan,
Data Sources are computer based and both ODBC settings can be on one GPO and applied to computers only via security filter. While server drives mapping can be done via single GPO (user configuration preference) and applied to users.

You will still need two GPO but you can separate them according to their functions and even linking them to both OU wouldn't hurt, that's what I am trying to say. Thanks
0
 
Ethan DarwinAuthor Commented:
Hi Rezwan, once again thank you for your help.

I may not be communicating my scenario clearly enough or simply failing to understand your solution.

To simplify my question further.

How can I have a user map a drive to location A on computer A and location B on computer B?

(So one OU for the user and two OUs for the two computers.)
0
 
MaheshConnect With a Mentor ArchitectCommented:
GPO Behavior:
When you apply any GPO (may be computer config and user config in same GPO) to any OU, it will affect all objects in that OU (users and computers) unless you remove authenticated users from security filtering and add your required group of users \ computers
If you click on GPO in GPMC console in right hand, left hand side you will see scope tab, underneath that tab you will find security filtering, GPO will apply to security principles which does exists on security filtering windows.
If authenticated users is there on security filtering, GPO will be applied to all objects in that OU
(I hope you know that user configuration settings will apply to users and computer configuration settings will be applied to computers in that OU)

In case of drive maps, they are user based and no matter on which machine user logs on, drives will be mapped.
Since this is user based setting, it will applied no matter user is logged on which computer
location will not come in picture here

Similarly, if you doing any computer config setting, it will apply to computers regardless of who logged on machine

Group Policy can be linked to:
Site Level, where it will be applied to all subnets in that site
domain level which affect all objects in entire domain
OU level, which affects all objects in entire OU
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.