Applying GPO to a Security Group
If I understand GPO is applied at LSDOU level (Local, Site, Domain, OU )
Well, let 's say we have many OUs that have users and groups inside
I need to deploy software to certain users that are members of the Company Communication Committee. So I will create a security group named CCC
from AD console , then I can choose any OU and create/Link GPO to it , then I will specify the software settings in GPMC for the software.
My question is does it matter to which OU I need t link my GPO, since I will have to do the WMI filtering anyway for CCC Group ?
Or should I create a new OU for instance and name it CCC and put the CCC group in it and apply the GPO then add the CCC group to the WMI filtering of the CCC ?
Any clarification on this ?
Thanks
Well, let 's say we have many OUs that have users and groups inside
I need to deploy software to certain users that are members of the Company Communication Committee. So I will create a security group named CCC
from AD console , then I can choose any OU and create/Link GPO to it , then I will specify the software settings in GPMC for the software.
My question is does it matter to which OU I need t link my GPO, since I will have to do the WMI filtering anyway for CCC Group ?
Or should I create a new OU for instance and name it CCC and put the CCC group in it and apply the GPO then add the CCC group to the WMI filtering of the CCC ?
Any clarification on this ?
Thanks
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
What I was trying to understand if users that are members of the CCC group are scattered all over in different OUs in Active Directory.
In this case can I create a new empty OU regardless where it is located and put in it the CCC group (probably CCC group does not have to be in that OU), then apply the GPO to the new OU, and in the WMI Filtering I will specify the CCC group.
Would this be correct? or the individual user accounts have to be in the OU where the GPO is applied to?
In this case can I create a new empty OU regardless where it is located and put in it the CCC group (probably CCC group does not have to be in that OU), then apply the GPO to the new OU, and in the WMI Filtering I will specify the CCC group.
Would this be correct? or the individual user accounts have to be in the OU where the GPO is applied to?
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Will Szymkowski
Sometimes Users you need to apply GPO to are not in the same OU, and if you move them around you can create problem
Thank you Guys for your clarification. As long as the OU that the GPO is linked to is a "Root " OU for other OUs underneath, then users in the latter OUs will have the GPO applied to them.., the WMI filtering will be setup at the Root OU where the GPO is linked to
Sometimes Users you need to apply GPO to are not in the same OU, and if you move them around you can create problem
Thank you Guys for your clarification. As long as the OU that the GPO is linked to is a "Root " OU for other OUs underneath, then users in the latter OUs will have the GPO applied to them.., the WMI filtering will be setup at the Root OU where the GPO is linked to
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
yo_bee
I meant you need to remove "Authenticated Users" and replace it with "CCC group"
I agree the GPO should be linked to the Highest OU (Parent), and CCC group des not have to be inside that highest OU
I meant you need to remove "Authenticated Users" and replace it with "CCC group"
I agree the GPO should be linked to the Highest OU (Parent), and CCC group des not have to be inside that highest OU
ASKER
Security filtering not WMI filtering
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Thank you
ASKER
At the domain level, other than password policy, I do not think it is recommended to apply other types of GPOs