Solved

Confused by OU & GPO

Posted on 2015-02-02
Last Modified: 2015-02-07
I have an OU containing the users and an OU for the computers.

I wish to test on a particular computer so I have created a testing OU containing the test computer.

I have created a GPO that contains both computer (data sources) & user settings (drive mappings). This GPO I have linked to my users OU and my computers OU.

I wish to create a trial GPO with both computer and user settings. I would imagine that I would link this trial GPO to my users OU and my testing OU.

This means that in summary:
Both GPOs will be linked to my users OU
Main GPO will be linked to my computers OU
Trial GPO will be linked to my testing GPO

As both Main & Trial GPO are linked to my users OU, how will Windows ensure that when user X logs in on a production (non-testing) PC only the main GPO is applied?

I am worried my testing GPO will be applied to all users as it is linked to the same users OU as my main GPO.
Question by:Ethan Darwin
6 Comments
 
LVL 3

Expert Comment

by:Rezwan Islam
ID: 40585388
Hi Ethan,
You can put the computers in the test OU under an AD security group and apply this as a security filter for the trial GPO.

Or,

you can keep it simple like below,

Create a GPO "GPO 1" for users with "computer configuration settings" disabled (from details tab), and
Create a GPO "GPO 2" for computers with "user configuration settings" disabled.

then link both GPOs to users OU and link GPO 2 to Test OU. Hope this helps.
 

Author Comment

by:Ethan Darwin
ID: 40585392
hi Rezwan and thanks for the help.

My main GPO sets up data sources and maps drives to server1
My test GPO sets up data sources and maps drives to server2

Accordingly I need both the computer and user sections of both my GPOs active.
 
LVL 3

Expert Comment

by:Rezwan Islam
ID: 40585418
Hi Ethan,
Data Sources are computer based and both ODBC settings can be on one GPO and applied to computers only via security filter. While server drives mapping can be done via single GPO (user configuration preference) and applied to users.

You will still need two GPOs but you can separate them according to their functions, and even linking them to both OUs wouldn't hurt; that's what I am trying to say. Thanks

 

Author Comment

by:Ethan Darwin
ID: 40585528
Hi Rezwan, once again thank you for your help.

I may not be communicating my scenario clearly enough or simply failing to understand your solution.

To simplify my question further.

How can I have a user map a drive to location A on computer A and location B on computer B?

(So one OU for the user and two OUs for the two computers.)
 
LVL 3

Accepted Solution

by:
Rezwan Islam earned 1000 total points
ID: 40585586
Hi Ethan,
Is your OU hierarchy like this?

|-Organization
       |-----Users(OU)
       |------Computers(OU1)
       |------Computers(OU2)

Also, a lot depends on how you want to map your server drives. Have you read about item-level targeting for drive mapping? You can achieve that by using this feature. If your domain controllers are all Windows 2008 then you have this available.

Now, I think you only need one GPO to achieve this if you use item-level targeting. And this is how you can configure the GPO.
- Link the GPO right under "Organization".
- Configure GPO computer configuration for ODBC settings and User configuration for other settings according to your requirement.
- For mapping the drive, edit the GPO, expand User config, then Preference, then Windows settings and select Drive Maps.
- Right click on the right pane and select new - map drive option and fill up necessary info on the "General" tab. I have attached a sample picture of that tab "ee1-dmap.jpg".
- Then click on "common" and select "item-level targeting" and click on the "Targeting" button. (picture ee2-dmap.jpg attached)
- Select new item, Organization Unit, select "Computers in OU" and then select your computers OU from the browser above (picture ee3-dmap.jpg attached)

And you can create a second drive map for the other server the same way by pointing the target to the other computer OU.

Hope this helps.
ee1-dmap.JPG
ee2-dmap.JPG
ee3-dmap.JPG
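
The "Computers in OU" targeting from the accepted answer, modelled as an added example that is not part of the original post: it evaluates the OU targeting items of two drive maps against a logon, so the same user gets server1 on a production PC and server2 on a test PC. The XML is a constructed sample modelled on the Drives.xml preference file; the domain, OU and share names are hypothetical, and DNs are assumed to contain no escaped commas.

```python
import xml.etree.ElementTree as ET

# Constructed sample modelled on a Group Policy Preferences Drives.xml file.
# Domain (example.local), OU names and the "data" share are hypothetical.
DRIVES_XML = r"""
<Drives>
  <Drive name="S:">
    <Properties action="U" path="\\server1\data" letter="S"/>
    <Filters>
      <FilterOrgUnit bool="AND" not="0" userContext="0" directMember="0"
                     name="OU=Computers,DC=example,DC=local"/>
    </Filters>
  </Drive>
  <Drive name="S:">
    <Properties action="U" path="\\server2\data" letter="S"/>
    <Filters>
      <FilterOrgUnit bool="AND" not="0" userContext="0" directMember="0"
                     name="OU=Testing,DC=example,DC=local"/>
    </Filters>
  </Drive>
</Drives>
"""

def in_ou(object_dn, ou_dn, direct_only):
    """True if object_dn sits in ou_dn; direct_only excludes child OUs."""
    obj = [p.strip().lower() for p in object_dn.split(",")]
    ou = [p.strip().lower() for p in ou_dn.split(",")]
    parent = obj[1:]                      # drop the object's own RDN
    if direct_only:
        return parent == ou
    return len(parent) >= len(ou) and parent[-len(ou):] == ou

def drive_maps_for(user_dn, computer_dn, xml_text=DRIVES_XML):
    """Return the UNC paths whose OU targeting items match this logon."""
    paths = []
    for drive in ET.fromstring(xml_text).iter("Drive"):
        matched = True
        for f in drive.iter("FilterOrgUnit"):
            # userContext="0": test the computer's OU; "1": the user's OU
            subject = user_dn if f.get("userContext") == "1" else computer_dn
            hit = in_ou(subject, f.get("name"), f.get("directMember") == "1")
            if f.get("not") == "1":
                hit = not hit
            matched = matched and hit     # sample uses AND-combined items only
        if matched:
            paths.append(drive.find("Properties").get("path"))
    return paths
```

If the testing OU were created as a child of the computers OU, a computer in it would also match the first targeting item unless "direct member only" is set, which is why `in_ou` takes `direct_only`.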
 
LVL 37

Assisted Solution

by:Mahesh
Mahesh earned 1000 total points
ID: 40585891
GPO Behavior:
When you apply any GPO (may be computer config and user config in the same GPO) to any OU, it will affect all objects in that OU (users and computers) unless you remove authenticated users from security filtering and add your required group of users \ computers.
If you click on GPO in GPMC console in right hand, left hand side you will see scope tab, underneath that tab you will find security filtering. The GPO will apply to security principals which exist in the security filtering window.
If authenticated users is there on security filtering, GPO will be applied to all objects in that OU
(I hope you know that user configuration settings will apply to users and computer configuration settings will be applied to computers in that OU)

In case of drive maps, they are user based and no matter on which machine user logs on, drives will be mapped.
Since this is a user based setting, it will be applied no matter which computer the user is logged on to.
Location will not come into the picture here.

Similarly, if you are doing any computer config setting, it will apply to computers regardless of who is logged on to the machine.

Group Policy can be linked to:
Site Level, where it will be applied to all subnets in that site
domain level which affect all objects in entire domain
OU level, which affects all objects in entire OU