Solved

using group policy

Posted on 2016-10-25
10
44 Views
Last Modified: 2016-10-25
We have a network which has 2 servers. Both running 2012.

Initially we had only one server, and we added all of our users into the users container.

We then added a second server in a different location, and created a new container in AD called "site 2 users". We added all of the users at this location, to that container.

My question relates to the use of group policy.

I can see how we apply any number of group policies to the container for "site 2 users", but the "users" container does not appear in the group policy management console.

How do I create and apply a new group policy for the users in the USERS container?

Many thanks
0
Question by:nigelbeatson
10 Comments
 
LVL 5

Expert Comment

by:Antzs
ID: 41858311
Are both the servers in the same AD domain?
0
 
LVL 83

Accepted Solution

by: oBdA (earned 500 total points)
ID: 41858319
You can't; GPOs can only be linked to Organizational Units.
You created an Organizational Unit called "site 2 users", so you can link GPOs to it.
The default "Users" is an actual Container (look closely at the icons in ADUC), not an Organizational Unit, and you can't link GPOs to Containers.
Create a new Organizational Unit called "site 1 users" or whatever, move your regular users into this OU, and link the GPO to this OU.
1
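The accepted answer as a scripted procedure, added here and not from the thread: confirm that CN=Users is a container rather than an OU, create the new OU, move only the user accounts you created, verify that group membership survived the move, and link a new GPO. It assumes the RSAT ActiveDirectory and GroupPolicy modules and a domain-admin session; the OU name "Site 1 Users" and GPO name "Site 1 Baseline" are placeholders.

```powershell
# Added example (not from the thread). Assumes RSAT ActiveDirectory + GroupPolicy
# modules and a domain-admin session. "Site 1 Users" / "Site 1 Baseline" are placeholders.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domainDN       = (Get-ADDomain).DistinguishedName
$usersContainer = "CN=Users,$domainDN"
$newOuName      = "Site 1 Users"
$newOuDN        = "OU=$newOuName,$domainDN"

# 1. Why GPMC does not show "Users": its objectClass is container, not organizationalUnit.
$cls = (Get-ADObject -Identity $usersContainer -Properties objectClass).objectClass
Write-Host "CN=Users objectClass: $cls"

# 2. Create the OU once (New-ADOrganizationalUnit protects it from accidental deletion).
if (-not (Get-ADOrganizationalUnit -Filter "Name -eq '$newOuName'" -SearchBase $domainDN)) {
    New-ADOrganizationalUnit -Name $newOuName -Path $domainDN
}

# 3. Select only accounts you created. Built-ins (Administrator, Guest, krbtgt) carry
#    isCriticalSystemObject=TRUE and are left in the container, as the answer advises.
$toMove = Get-ADUser -SearchBase $usersContainer -SearchScope OneLevel `
    -Filter * -Properties isCriticalSystemObject |
    Where-Object { -not $_.isCriticalSystemObject }

# 4. Snapshot group membership before the move so the "no impact" claim can be checked.
$before = @{}
foreach ($u in $toMove) {
    $before[$u.SamAccountName] = ((Get-ADPrincipalGroupMembership $u | Sort-Object Name).Name) -join ','
}

# 5. Move the accounts. Run with -WhatIf first on a production domain.
$toMove | Move-ADObject -TargetPath $newOuDN

# 6. Verify: same object (looked up by GUID), same groups, new DN.
foreach ($u in $toMove) {
    $moved  = Get-ADUser -Identity $u.ObjectGUID
    $groups = ((Get-ADPrincipalGroupMembership $moved | Sort-Object Name).Name) -join ','
    if ($groups -ne $before[$u.SamAccountName]) {
        Write-Warning "Group membership changed for $($u.SamAccountName)"
    }
    Write-Host "$($moved.SamAccountName) -> $($moved.DistinguishedName)"
}

# 7. Create the GPO and link it to the new OU (the step GPMC could not offer for CN=Users).
$gpo = New-GPO -Name "Site 1 Baseline"
New-GPLink -Name $gpo.DisplayName -Target $newOuDN -LinkEnabled Yes
```

Logon is unaffected because the account's SID and sAMAccountName do not change with its DN; only the OU-linked GPO set is new.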
 

Author Comment

by:nigelbeatson
ID: 41858326
Yes, both servers are in the same AD.

What are the implications of creating a new container for "site 1 users" and moving the users from the USERS container?

Is it just a case of dragging and dropping them, and all existing config will just follow?

Thanks
0
 
LVL 83

Expert Comment

by:oBdA
ID: 41858376
Yes; same as you did for the "site 2 users". Just leave any objects you didn't create there.
1
 

Author Comment

by:nigelbeatson
ID: 41858405
So it won't affect how people log on, or any permissions they have been assigned or group memberships etc.?

This is a working server and I don't want to interrupt anything.

Many thanks
0
 
LVL 22

Expert Comment

by:Joseph Moody
ID: 41858410
No - it won't have any negative problems with logging on/permissions etc.
0
 
LVL 83

Expert Comment

by:oBdA
ID: 41858412
A user's location in AD has no impact on group membership. Since they're currently residing in a Container to which no GPOs (except those linked to the domain or sites) would apply anyway, and the target OU is a new OU, the move shouldn't affect anything.
0
 

Author Closing Comment

by:nigelbeatson
ID: 41858424
Many thanks - I will proceed with the creation of a new organizational unit, move the users from the USERS container, and apply the new group policy as suggested.

Many thanks to all.
0
 
LVL 21

Expert Comment

by:yo_bee
ID: 41858973
I know this is closed but I would like to give my POV.
AD and GPO work hand in hand with each other. It is all about management when it comes to this.
It was stated to me years ago that you should build your AD structure the way you want to manage your entire environment.

So if your policies will be site specific, you should create OUs based on your sites, then nest the objects under the site. Whether you want to put the Users and Computers in separate sub-OUs under your Site OU, you can, or you can have all your User and Computer objects under the Site OU and apply your GPOs to the Site.

If you have more company-wide User and Computer settings that are not site specific, then you can build it the opposite way.

Here is a screenshot of the first method. This has Block Inheritance enabled and is isolating the Sites from the Domain level. If you want domain-level GPOs to apply, you just do not use Block Inheritance.

Depending on how you want your settings, I normally figure out what needs to be distributed domain-wide and have that at the top. From there I build a trickle-down theory, having the real one-offs nested at the bottom of the chain of OUs.

[Screenshot: site OUs with Block Inheritance enabled]
1
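The "first method" above (one OU per site with Block Inheritance), as an added example that is not from the thread: it sets the block on each site OU and then reports what still applies there. It assumes the GroupPolicy RSAT module; the OU names "Site 1" and "Site 2" are placeholders.

```powershell
# Added example (not from the thread). Assumes the GroupPolicy RSAT module;
# "Site 1" / "Site 2" are placeholder OU names for the site-per-OU layout.
Import-Module GroupPolicy

$domainDN = (Get-ADDomain).DistinguishedName
$siteOUs  = @("OU=Site 1,$domainDN", "OU=Site 2,$domainDN")

foreach ($ou in $siteOUs) {
    # Block Inheritance isolates the site OU from GPOs linked at the domain level.
    Set-GPInheritance -Target $ou -IsBlocked Yes | Out-Null

    # Report what still reaches the OU. GPOs linked higher up with "Enforced" set
    # bypass the block, so review this list rather than assuming nothing domain-wide applies.
    $inh = Get-GPInheritance -Target $ou
    "{0}: inheritance blocked = {1}" -f $ou, $inh.GpoInheritanceBlocked
    foreach ($link in $inh.InheritedGpoLinks) {
        "  applies: {0} (enforced={1}, enabled={2})" -f $link.DisplayName, $link.Enforced, $link.Enabled
    }
}
```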
 

Author Comment

by:nigelbeatson
ID: 41859033
Many thanks, that is very helpful.

The reason AD was like that is historical. We started off with a very small single server and it has grown.

We are trying to tidy this up now and get rid of a lot of the older technology, and bring the network in line with more modern practices.

Being in a working environment just makes me want to research the progression before we actually carry it out, so thank you for taking the time to offer advice.
0