Solved

Confused by OU & GPO

Posted on 2015-02-02
Last Modified: 2015-02-07
I have an OU containing the users and an OU for the computers.

I wish to test on a particular computer so I have created a testing OU containing the test computer.

I have created a GPO that contains both computer (data sources) & user settings (drive mappings). This GPO I have linked to my users OU and my computers OU.

I wish to create a trial GPO with both computer and user settings. I would imagine that I would link this trial GPO to my users OU and my testing OU.

This means that in summary:
Both GPOs will be linked to my users OU
Main GPO will be linked to my computers OU
Trial GPO will be linked to my testing GPO

As both Main & Trial GPO are linked to my users OU, how will Windows ensure that when user X logs in on a production (non-testing) PC only the main GPO is applied?

I am worried my testing GPO will be applied to all users as it is linked to the same users OU as my main GPO.
Question by:Ethan Darwin
LVL 3

Expert Comment

by:Rezwan Islam
ID: 40585388
Hi Ethan,
You can put the computers in the test OU under an AD security group and apply this as a security filter for the trial GPO.

Or,

you can keep it simple like below,

Create a GPO "GPO 1" for users with "computer configuration settings" disabled (from details tab), and
Create a GPO "GPO 2" for computers with "user configuration settings" disabled.

then link both GPOs to users OU and link GPO 2 to Test OU. Hope this helps.

Author Comment

by:Ethan Darwin
ID: 40585392
Hi Rezwan, and thanks for the help.

My main GPO sets up data sources and maps drives to server1
My test GPO sets up data sources and maps drives to server2

Accordingly I need both the computer and user sections of both my GPOs active.
LVL 3

Expert Comment

by:Rezwan Islam
ID: 40585418
Hi Ethan,
Data Sources are computer based and both ODBC settings can be on one GPO and applied to computers only via security filter, while server drive mapping can be done via a single GPO (user configuration preference) and applied to users.

You will still need two GPOs but you can separate them according to their functions, and even linking them to both OUs wouldn't hurt; that's what I am trying to say. Thanks

Author Comment

by:Ethan Darwin
ID: 40585528
Hi Rezwan, once again thank you for your help.

I may not be communicating my scenario clearly enough or simply failing to understand your solution.

To simplify my question further.

How can I have a user map a drive to location A on computer A and location B on computer B?

(So one OU for the user and two OUs for the two computers.)
LVL 3

Accepted Solution

by:
Rezwan Islam earned 250 total points
ID: 40585586
Hi Ethan,
Is your OU hierarchy like this?

|-Organization
       |-----Users(OU)
       |------Computers(OU1)
       |------Computers(OU2)

Also, a lot depends on how you want to map your server drives. Have you read about item-level targeting for drive mapping? You can achieve that by using this feature. If your domain controllers are all Windows 2008 then you have this available.

Now, I think you only need one GPO to achieve this if you use item-level targeting. And this is how you can configure the GPO.
- Link the GPO right under "Organization".
- Configure GPO computer configuration for ODBC settings and User configuration for other settings according to your requirement.
- For mapping drive, edit the GPO, expand User config, then Preference, then Windows settings and select Drive Maps.
- Right click on the right pane and select new - map drive option and fill up necessary info on the "General" tab. I have attached a sample picture of that tab "ee1-dmap.jpg".
- Then click on "common" and select "item-level targeting" and click on "Targeting" button. (picture ee2-dmap.jpg attached)
- Select new item, Organization Unit, select "Computers in OU" and then select your computers OU from the browser above (picture ee3-dmap.jpg attached)

And you can create a second drive map for the other server the same way by pointing the target to the other computer OU.

Hope this helps.
ee1-dmap.JPG
ee2-dmap.JPG
ee3-dmap.JPG
0
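
An added example, not part of the answer above or of anyone's post in this thread: a check that the item-level targeting described in the accepted solution actually scopes every drive map, by reading the `Drives.xml` that Group Policy Preferences writes for the GPO. The function name `Get-DriveMapTargeting`, the server shares and the OU distinguished names are assumptions, and the XML is a constructed sample trimmed to the attributes the check reads.

```powershell
# Constructed sample, trimmed to the attributes used here. On a domain the real file is
# \\<domain>\SYSVOL\<domain>\Policies\{<GPO GUID>}\User\Preferences\Drives\Drives.xml
$sample = [xml]@'
<Drives>
  <Drive name="S:">
    <Properties action="U" path="\\server1\data" letter="S" useLetter="1"/>
    <Filters>
      <FilterOrgUnit bool="AND" not="0" name="OU=Computers1,DC=example,DC=com" userContext="0" directMember="0"/>
    </Filters>
  </Drive>
  <Drive name="S:">
    <Properties action="U" path="\\server2\data" letter="S" useLetter="1"/>
    <Filters>
      <FilterOrgUnit bool="AND" not="0" name="OU=Computers2,DC=example,DC=com" userContext="0" directMember="0"/>
    </Filters>
  </Drive>
  <Drive name="T:">
    <Properties action="U" path="\\server2\trial" letter="T" useLetter="1"/>
  </Drive>
</Drives>
'@

function Get-DriveMapTargeting {
    param([Parameter(Mandatory)][xml]$DrivesXml)
    foreach ($drive in $DrivesXml.SelectNodes('/Drives/Drive')) {
        # Each child of <Filters> is one item-level targeting rule.
        $rules = foreach ($f in $drive.SelectNodes('Filters/*')) {
            if ($f.LocalName -eq 'FilterOrgUnit') {
                # userContext="0" tests the computer's OU, "1" tests the user's OU.
                $who = if ($f.GetAttribute('userContext') -eq '1') { 'user' } else { 'computer' }
                $neg = if ($f.GetAttribute('not') -eq '1') { 'NOT ' } else { '' }
                "${neg}$who in $($f.GetAttribute('name'))"
            } else {
                $f.LocalName   # other targeting item types are reported by name only
            }
        }
        [pscustomobject]@{
            Letter    = $drive.Properties.letter
            Path      = $drive.Properties.path
            Targeting = if ($rules) { @($rules) -join '; ' } else { 'NONE: maps for every user the GPO applies to' }
        }
    }
}

Get-DriveMapTargeting -DrivesXml $sample | Format-Table -AutoSize
```

The third drive in the sample has no `<Filters>` element, so it is reported as untargeted: that is the case the question worries about, where a trial mapping reaches every user the GPO applies to.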
 
LVL 35

Assisted Solution

by:Mahesh
Mahesh earned 250 total points
ID: 40585891
GPO Behavior:
When you apply any GPO (may be computer config and user config in same GPO) to any OU, it will affect all objects in that OU (users and computers) unless you remove authenticated users from security filtering and add your required group of users \ computers.
If you click on GPO in GPMC console in right hand, left hand side you will see scope tab, underneath that tab you will find security filtering. The GPO will apply to security principals which exist in the security filtering window.
If authenticated users is there on security filtering, the GPO will be applied to all objects in that OU.
(I hope you know that user configuration settings will apply to users and computer configuration settings will be applied to computers in that OU)

In case of drive maps, they are user based and no matter on which machine the user logs on, drives will be mapped.
Since this is a user based setting, it will be applied no matter which computer the user is logged on to.
Location will not come into the picture here.

Similarly, if you are doing any computer config setting, it will apply to computers regardless of who logged on to the machine.

Group Policy can be linked to:
Site Level, where it will be applied to all subnets in that site
domain level which affect all objects in entire domain
OU level, which affects all objects in entire OU