Solved

using group policy

Posted on 2016-10-25
Last Modified: 2016-10-25
We have a network which has 2 servers. Both running 2012.

Initially we had only one server, and we added all of our users into the users container.

We then added a second server in a different location, and created a new container in AD called "site 2 users". We added all of the users at this location, to that container.

My question relates to the use of group policy.

I can see how we apply any number of group policies to the container for "site 2 users", but the "users" container does not appear in the group policy management console.

How do I create and apply a new group policy for the users in the USERS container?

Many thanks
Question by:nigelbeatson
10 Comments
 

Expert Comment

by:Antzs
ID: 41858311
Are both the servers in the same AD domain?

Accepted Solution

by:
oBdA earned 500 total points
ID: 41858319
You can't; GPOs can only be linked to Organizational Units.
You created an Organizational Unit called "site 2 users", so you can link GPOs to it.
The default "Users" is an actual Container (look closely at the icons in ADUC), not an Organizational Unit, and you can't link GPOs to Containers.
Create a new Organizational Unit called "site 1 users" or whatever, move your regular users into this OU, and link the GPO to this OU.
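The accepted answer's steps (confirm that "Users" is a container, create an OU, move the accounts you created, link a GPO) as a PowerShell script. This is an added example, not code from the thread or from any of the posters; the domain, OU name and GPO name are assumptions, and it needs the ActiveDirectory and GroupPolicy RSAT modules plus rights to create OUs and GPOs. One caveat the thread glosses over: moving a user changes its distinguished name, so anything that references the account by DN (an LDAP bind in a third-party app, a script with a hard-coded base DN) must be updated, even though SID, group membership, password and logon name are unchanged. Run the -WhatIf line first and read the list before the real move.

```powershell
# Added example (not from the thread). Assumed names: domain "corp.example.com",
# OU "Site 1 Users", GPO "Site 1 Users Policy". Requires RSAT modules and admin rights.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domainDN = (Get-ADDomain).DistinguishedName        # e.g. DC=corp,DC=example,DC=com
$sourceDN = "CN=Users,$domainDN"
$ouName   = "Site 1 Users"
$targetDN = "OU=$ouName,$domainDN"
$gpoName  = "Site 1 Users Policy"

# 1. Why GPMC does not show "Users": it is objectClass 'container', not 'organizationalUnit'.
$src = Get-ADObject -Identity $sourceDN -Properties objectClass
"{0} is objectClass '{1}'" -f $sourceDN, $src.objectClass

# 2. Create the OU (New-ADOrganizationalUnit protects it from accidental deletion by default).
if (-not (Get-ADOrganizationalUnit -Filter "Name -eq '$ouName'" -SearchBase $domainDN -SearchScope OneLevel)) {
    New-ADOrganizationalUnit -Name $ouName -Path $domainDN
}

# 3. Select only accounts you created. Built-in accounts (Administrator, Guest, krbtgt)
#    carry isCriticalSystemObject = TRUE and stay in CN=Users, as the accepted answer says.
$users = Get-ADUser -Filter * -SearchBase $sourceDN -SearchScope OneLevel -Properties isCriticalSystemObject |
         Where-Object { -not $_.isCriticalSystemObject }

# Dry run: prints every move without changing anything. Check the list before continuing.
$users | Move-ADObject -TargetPath $targetDN -WhatIf

# Real move. Only the DN changes; SID, sAMAccountName, password and memberOf do not.
$users | Move-ADObject -TargetPath $targetDN

# 4. Create the GPO if missing, then link it to the new OU.
try   { $gpo = Get-GPO -Name $gpoName -ErrorAction Stop }
catch { $gpo = New-GPO -Name $gpoName }
New-GPLink -Name $gpoName -Target $targetDN -LinkEnabled Yes

# 5. Verify from the OU side: the link should now appear under GpoLinks.
(Get-GPInheritance -Target $targetDN).GpoLinks | Select-Object DisplayName, Enabled, Enforced, Order
```

User-scope settings are read at logon or at the next background refresh, so a user who is already logged on does not pick up the new GPO until then; `gpupdate /force` on the workstation, followed by `gpresult /r`, shows the new GPO under "Applied Group Policy Objects" for that user.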
 

Author Comment

by:nigelbeatson
ID: 41858326
yes, both servers are in the same AD.

What are the implications of creating a new container for "site 1 users" and moving the users from the USERS container?

Is it just a case of dragging and dropping them, and all existing config will just follow?

Thanks

Expert Comment

by:oBdA
ID: 41858376
Yes; same as you did for the "site 2 users". Just leave any objects you didn't create there.
Author Comment

by:nigelbeatson
ID: 41858405
So it won't affect how people log on, or any permissions they have been assigned, or group memberships etc.?

this is a working server and don't want to interrupt anything.

many thanks

Expert Comment

by:Joseph Moody
ID: 41858410
No - it won't have any negative problems with logging on/permissions etc.

Expert Comment

by:oBdA
ID: 41858412
A user's location in AD has no impact on group membership. Since they're currently residing in a Container to which no GPOs (except those linked to the domain or sites) would apply anyway, and the target OU is a new OU, the move shouldn't affect anything.
Author Closing Comment

by:nigelbeatson
ID: 41858424
many thanks - I will proceed with the creation of a new organizational unit, move the users from the USERS container, and apply the new group policy as suggested.

Many thanks to all.

Expert Comment

by:yo_bee
ID: 41858973
I know this is closed but I would like to give my POV.
AD and GPO work hand in hand with each other.  It is all about management when it comes to this.
It was stated to me years ago that you should build your AD structure the way you want to manage your entire environment.  

So if your policies will be site specific, you should create OUs based on your sites, then nest the objects under the site. You can put the Users and Computers in separate sub-OUs under your Site OU, or you can have all your User and Computer objects under the Site OU and apply your GPOs to the site.

If you have more company-wide User and Computer settings that are not site specific, then you can build it the opposite way.

Here is a screenshot of the first method. This has Block Inheritance enabled and is isolating the sites from the domain level. If you want domain-level GPOs to apply, you just do not use Block Inheritance.

Depending on how you want your settings, I normally figure out what needs to be distributed domain-wide and have that at the top. From there I build a trickle-down theory, having the real one-offs nested at the bottom of the chain of OUs.

(screenshot not reproduced)
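The per-site OU layout described in the comment above, with Block Inheritance on the site OU, as an added PowerShell example (not from the thread or from the poster). Site, OU and GPO names are assumptions, and "Corp Security Baseline" is assumed to already exist as a domain-level GPO. The point worth checking before blocking inheritance: the block stops every domain-level link except those marked Enforced, so a security baseline linked at the domain silently stops reaching the site unless it is enforced. Get-GPInheritance shows what actually arrives.

```powershell
# Added example (not from the thread). Assumed names: site OU "Site 2",
# site GPO "Site 2 Baseline", existing domain-level GPO "Corp Security Baseline".
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domainDN = (Get-ADDomain).DistinguishedName
$siteDN   = "OU=Site 2,$domainDN"

# Site OU with Users/Computers sub-OUs: one place to link site policy,
# separate scopes if a setting should hit only users or only computers.
New-ADOrganizationalUnit -Name "Site 2" -Path $domainDN
foreach ($child in "Users", "Computers") {
    New-ADOrganizationalUnit -Name $child -Path $siteDN
}

# Site-specific GPO linked at the site OU; it flows down to both sub-OUs.
New-GPO -Name "Site 2 Baseline" | New-GPLink -Target $siteDN -LinkEnabled Yes

# Block Inheritance isolates the site from domain-level links...
Set-GPInheritance -Target $siteDN -IsBlocked Yes

# ...except links marked Enforced, which always win over a block. Enforce the one
# domain-level GPO that must reach every site so the block cannot hide it.
Set-GPLink -Name "Corp Security Baseline" -Target $domainDN -Enforced Yes

# Verify: GpoLinks = linked here; InheritedGpoLinks = what still arrives from above
# after the block (only the enforced domain link should be listed).
$inh = Get-GPInheritance -Target $siteDN
"Inheritance blocked: {0}" -f $inh.GpoInheritanceBlocked
$inh.GpoLinks          | Select-Object DisplayName, Enabled, Enforced, Order
$inh.InheritedGpoLinks | Select-Object DisplayName, Enforced
```

If InheritedGpoLinks comes back empty after the block, nothing from the domain is reaching the site, which is usually the opposite of what you want for security settings; either enforce those links or leave inheritance unblocked, as the comment suggests.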
Author Comment

by:nigelbeatson
ID: 41859033
Many thanks, that is very helpful.

The reason AD was like that is historical. We started off with a very small single server and it has grown.

We are trying to tidy this up now and get rid of a lot of the older technology, and bring the network in line with more modern practices.

Being in a working environment just makes me want to research the progression before we actually carry it out, so thank you for taking the time to offer advice.