Solved

Confused by OU & GPO

Posted on 2015-02-02
Last Modified: 2015-02-07
I have an OU containing the users and an OU for the computers.

I wish to test on a particular computer so I have created a testing OU containing the test computer.

I have created a GPO that contains both computer (data sources) & user settings (drive mappings). This GPO I have linked to my users OU and my computers OU.

I wish to create a trial GPO with both computer and user settings. I would imagine that I would link this trial GPO to my users OU and my testing OU.

This means that in summary:
Both GPOs will be linked to my users OU
Main GPO will be linked to my computers OU
Trial GPO will be linked to my testing GPO

As both Main & Trial GPO are linked to my users OU, how will Windows ensure that when user X logs in on a production (non-testing) PC only the main GPO is applied?

I am worried my testing GPO will be applied to all users as it is linked to the same users OU as my main GPO.
Question by:Ethan Darwin
6 Comments
 
LVL 3

Expert Comment

by:Rezwan Islam
ID: 40585388
Hi Ethan,
You can put the computers in the test OU under an AD security group and apply this as a security filter for the trial GPO.

Or,

you can keep it simple like below,

Create a GPO "GPO 1" for users with "computer configuration settings" disabled (from details tab), and
Create a GPO "GPO 2" for computers with "user configuration settings" disabled.

then link both GPOs to users OU and link GPO 2 to Test OU. Hope this helps.
0
 

Author Comment

by:Ethan Darwin
ID: 40585392
Hi Rezwan, and thanks for the help.

My main GPO sets up data sources and maps drives to server1
My test GPO sets up data sources and maps drives to server2

Accordingly I need both the computer and user sections of both my GPOs active.
0
 
LVL 3

Expert Comment

by:Rezwan Islam
ID: 40585418
Hi Ethan,
Data Sources are computer based and both ODBC settings can be on one GPO and applied to computers only via security filter. While server drives mapping can be done via single GPO (user configuration preference) and applied to users.

You will still need two GPOs, but you can separate them according to their functions, and even linking them to both OUs wouldn't hurt. That's what I am trying to say. Thanks
0
 

Author Comment

by:Ethan Darwin
ID: 40585528
Hi Rezwan, once again thank you for your help.

I may not be communicating my scenario clearly enough or simply failing to understand your solution.

To simplify my question further.

How can I have a user map a drive to location A on computer A and location B on computer B?

(So one OU for the user and two OUs for the two computers.)
0
 
LVL 3

Accepted Solution

by:
Rezwan Islam earned 250 total points
ID: 40585586
Hi Ethan,
Is your OU hierarchy like this?

|-Organization
       |-----Users(OU)
       |------Computers(OU1)
       |------Computers(OU2)

Also, a lot depends on how you want to map your server drives. Have you read about item-level targeting for drive mapping? You can achieve that by using this feature. If your domain controllers are all Windows 2008 then you have this available.

Now, I think you only need one GPO to achieve this if you use item-level targeting. And this is how you can configure the GPO.
- Link the GPO right under "Organization".
- Configure the GPO computer configuration for ODBC settings and the user configuration for other settings according to your requirement.
- For mapping the drive, edit the GPO, expand User config, then Preferences, then Windows settings, and select Drive Maps.
- Right-click on the right pane, select the new - map drive option and fill in the necessary info on the "General" tab. I have attached a sample picture of that tab, "ee1-dmap.jpg".
- Then click on "Common", select "Item-level targeting" and click on the "Targeting" button (picture ee2-dmap.jpg attached).
- Select new item, Organizational Unit, select "Computers in OU" and then select your computers OU from the browser above (picture ee3-dmap.jpg attached).

You can create a second drive map for the other server the same way by pointing the target to the other computer OU.

Hope this helps.
ee1-dmap.JPG
ee2-dmap.JPG
ee3-dmap.JPG
0
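The accepted answer's item-level targeting, modelled as an added example that is not part of the original post: it reads a constructed Drives.xml and reports which drive maps a computer in each OU would receive. The attribute names mirror how Group Policy Preferences store a "Computer in OU" targeting item and should be checked against your own file in SYSVOL; the function names, server names and OU names are assumptions, and only AND-ed computer-OU items are evaluated.

```powershell
# Constructed sample of Drives.xml from a GPO (User Configuration > Preferences >
# Drive Maps). Server, share and OU names are placeholders, not from the thread.
[xml]$drivesXml = @'
<Drives>
  <Drive name="S:">
    <Properties action="U" letter="S" path="\\server1\data"/>
    <Filters><FilterOrgUnit bool="AND" not="0" userContext="0" directMember="0"
      name="OU=Computers1,DC=example,DC=com"/></Filters>
  </Drive>
  <Drive name="S:">
    <Properties action="U" letter="S" path="\\server2\data"/>
    <Filters><FilterOrgUnit bool="AND" not="0" userContext="0" directMember="0"
      name="OU=Computers2,DC=example,DC=com"/></Filters>
  </Drive>
  <Drive name="P:">
    <Properties action="U" letter="P" path="\\server1\public"/>
  </Drive>
</Drives>
'@

# True when the computer DN satisfies one "Computer in OU" targeting item.
# Assumes no escaped commas in the computer's RDN.
function Test-OrgUnitFilter {
    param([System.Xml.XmlElement]$Filter, [string]$ComputerDN)
    $ou     = $Filter.GetAttribute('name')
    $parent = $ComputerDN.Substring($ComputerDN.IndexOf(',') + 1)
    $hit    = $parent -eq $ou                       # -eq is case-insensitive
    if (-not $hit -and $Filter.GetAttribute('directMember') -ne '1') {
        $hit = $parent.EndsWith(",$ou", [StringComparison]::OrdinalIgnoreCase)
    }
    if ($Filter.GetAttribute('not') -eq '1') { return -not $hit }
    return $hit
}

# Drive maps whose computer-OU targeting items all match the given computer.
function Get-EffectiveDriveMap {
    param([xml]$Xml, [string]$ComputerDN)
    foreach ($drive in $Xml.SelectNodes('/Drives/Drive')) {
        $applies = $true
        foreach ($f in $drive.SelectNodes('Filters/FilterOrgUnit[@userContext="0"]')) {
            if (-not (Test-OrgUnitFilter $f $ComputerDN)) { $applies = $false }
        }
        if ($applies) {
            $p = $drive.SelectSingleNode('Properties')
            '{0}: -> {1}' -f $p.GetAttribute('letter'), $p.GetAttribute('path')
        }
    }
}

foreach ($dn in 'CN=PC-A,OU=Computers1,DC=example,DC=com',
                'CN=PC-B,OU=Test,OU=Computers2,DC=example,DC=com') {
    "$dn"; Get-EffectiveDriveMap $drivesXml $dn
}
```

The untargeted P: item is listed for both computers, which is the thing to look for when reviewing a GPO linked high in the hierarchy: any preference item without a targeting filter reaches every user the GPO applies to.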
 
LVL 37

Assisted Solution

by:Mahesh
Mahesh earned 250 total points
ID: 40585891
GPO Behavior:
When you apply any GPO (may be computer config and user config in the same GPO) to any OU, it will affect all objects in that OU (users and computers) unless you remove Authenticated Users from security filtering and add your required group of users / computers.
If you click on the GPO in the GPMC console, in the right hand, left hand side you will see the Scope tab; underneath that tab you will find security filtering. The GPO will apply to the security principals which exist in the security filtering window.
If Authenticated Users is there in security filtering, the GPO will be applied to all objects in that OU.
(I hope you know that user configuration settings will apply to users and computer configuration settings will be applied to computers in that OU.)

In the case of drive maps, they are user based, and no matter which machine the user logs on to, the drives will be mapped.
Since this is a user-based setting, it will be applied no matter which computer the user is logged on to.
Location will not come into the picture here.

Similarly, if you are doing any computer config setting, it will apply to computers regardless of who is logged on to the machine.

Group Policy can be linked to:
Site level, where it will be applied to all subnets in that site
Domain level, which affects all objects in the entire domain
OU level, which affects all objects in the entire OU
0
