Solved

using group policy

Posted on 2016-10-25
Last Modified: 2016-10-25
We have a network which has 2 servers. Both running 2012.

Initially we had only one server, and we added all of our users into the users container.

We then added a second server in a different location, and created a new container in AD called "site 2 users". We added all of the users at this location, to that container.

My question relates to the use of group policy.

I can see how we apply any number of group policies to the container for "site 2 users", but the "users" container does not appear in the group policy management console.

How do I create and apply a new group policy for the users in the USERS container?

Many thanks
0
Question by:nigelbeatson
10 Comments
 
LVL 8

Expert Comment

by:Antzs
ID: 41858311
Are both the server in the same AD Domain?
0
 
LVL 85

Accepted Solution

by:
oBdA earned 500 total points
ID: 41858319
You can't; GPOs can only be linked to Organizational Units.
You created an Organizational Unit called "site 2 users", so you can link GPOs to it.
The default "Users" is an actual Container (look closely at the icons in ADUC), not an Organizational Unit, and you can't link GPOs to Containers.
Create a new Organizational Unit called "site 1 users" or whatever, move your regular users into this OU, and link the GPO to this OU.
1
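The steps in the accepted answer, as an added PowerShell example (not code from the thread or from the answerer): create a "site 1 users" OU beside the default CN=Users container, move only the accounts you created (the built-in principals such as Administrator, Guest and krbtgt carry isCriticalSystemObject=TRUE and stay put, as the answer advises), record group membership before and after so the move can be shown to be harmless, then create a GPO and link it to the new OU. GPOs link to sites, domains and OUs, never to the Users or Computers containers. The OU name, GPO name and a domain-admin session with the RSAT ActiveDirectory and GroupPolicy modules are assumptions.

```powershell
# Added example, not from the original thread. Assumes RSAT (ActiveDirectory and
# GroupPolicy modules) and a domain-admin session. OU and GPO names are assumed.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domain         = Get-ADDomain
$domainDN       = $domain.DistinguishedName     # e.g. DC=corp,DC=example (assumed)
$usersContainer = $domain.UsersContainer        # the built-in CN=Users,<domain>
$ouName         = 'site 1 users'
$ouDN           = "OU=$ouName,$domainDN"
$gpoName        = 'Site 1 Users Policy'

# 1. Create the OU (idempotent) and protect it from accidental deletion.
if (-not (Get-ADOrganizationalUnit -Filter "Name -eq '$ouName'" -SearchBase $domainDN -SearchScope OneLevel)) {
    New-ADOrganizationalUnit -Name $ouName -Path $domainDN -ProtectedFromAccidentalDeletion $true
}

# 2. Select only the accounts you created in CN=Users. Built-in principals
#    (Administrator, Guest, krbtgt, ...) have isCriticalSystemObject=TRUE and
#    are left in the container, as the accepted answer advises.
$toMove = Get-ADUser -SearchBase $usersContainer -SearchScope OneLevel `
    -LDAPFilter '(&(objectClass=user)(objectCategory=person)(!(isCriticalSystemObject=TRUE)))' `
    -Properties memberOf

# 3. Snapshot group membership before the move so the result can be verified.
$before = @{}
foreach ($u in $toMove) { $before[$u.SamAccountName] = @($u.memberOf | Sort-Object) }

# 4. Move the accounts. On a production DC run this loop once with -WhatIf
#    and review the list before doing it for real.
foreach ($u in $toMove) {
    Move-ADObject -Identity $u.DistinguishedName -TargetPath $ouDN   # add -WhatIf for a dry run
}

# 5. Verify: same accounts, same group memberships, new parent OU.
foreach ($name in $before.Keys) {
    $u     = Get-ADUser -Identity $name -Properties memberOf
    $after = @($u.memberOf | Sort-Object)
    if (Compare-Object $before[$name] $after)   { Write-Warning "Group membership changed for $name" }
    if ($u.DistinguishedName -notlike "*,$ouDN") { Write-Warning "$name was not moved" }
}

# 6. Create the GPO and link it to the new OU only (not to the domain).
if (-not (Get-GPO -Name $gpoName -ErrorAction SilentlyContinue)) {
    New-GPO -Name $gpoName -Comment 'Settings for site 1 users' | Out-Null
}
New-GPLink -Name $gpoName -Target $ouDN -LinkEnabled Yes -ErrorAction Stop | Out-Null

# 7. Show every GPO link that now reaches the OU (domain-linked ones included).
(Get-GPInheritance -Target $ouDN).InheritedGpoLinks | Select-Object Order, DisplayName, Enabled, Target
```

Moving a user changes only its distinguished name; SID, SamAccountName, password, group membership and ACL entries on resources (which reference the SID) are untouched, which is why step 5 can compare memberOf before and after. The GPO is linked to the new OU only; anything already linked at the domain or site level keeps applying as before, so the move does not widen or narrow existing policy.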
 

Author Comment

by:nigelbeatson
ID: 41858326
yes, both servers are in the same AD.

What are the implications of creating a new container for "site 1 users" and moving the users from the USERS container?

Is it just a case of dragging and dropping them, and all existing config will just follow?

Thanks
0
 
LVL 85

Expert Comment

by:oBdA
ID: 41858376
Yes; same as you did for the "site 2 users". Just leave any objects you didn't create there.
1
 

Author Comment

by:nigelbeatson
ID: 41858405
So it won't affect how people log on, or any permissions they have been assigned, or group memberships etc.?

this is a working server and don't want to interrupt anything.

many thanks
0
 
LVL 22

Expert Comment

by:Joseph Moody
ID: 41858410
No, it won't cause any problems with logging on, permissions, etc.
0
 
LVL 85

Expert Comment

by:oBdA
ID: 41858412
A user's location in AD has no impact on group membership. Since they're currently residing in a Container to which no GPOs (except those linked to the domain or sites) would apply anyway, and the target OU is a new OU, the move shouldn't affect anything.
0
 

Author Closing Comment

by:nigelbeatson
ID: 41858424
many thanks - I will proceed with the creation of a new organizational unit, move the users from the USERS container, and apply the new group policy as suggested.

Many thanks to all.
0
 
LVL 23

Expert Comment

by:yo_bee
ID: 41858973
I know this is closed, but I would like to give my POV.
AD and GPO work hand in hand with each other. It is all about management when it comes to this.
It was stated to me years ago that you should build your AD structure the way you want to manage your entire environment.

So if your policies will be site-specific, you should create OUs based on your sites, then nest the objects under the site OU. Whether you put the users and computers in separate sub-OUs under your site OU, or keep all your user and computer objects directly under the site OU and apply your GPOs to the site OU, is up to you.

If you have more company-wide user and computer settings that are not site-specific, then you can build it the opposite way.

Here is a screenshot of the first method. This has Block Inheritance enabled and is isolating the sites from the domain level. If you want domain-level GPOs to apply, you just do not use Block Inheritance.

Depending on how you want your settings, I normally figure out what needs to be distributed domain-wide and have that at the top. From there I build a trickle-down structure, with the real one-offs nested at the bottom of the chain of OUs.

[screenshot: site-based OU structure with Block Inheritance enabled on the site OUs]
1
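The site-based layout described in the comment above, as an added PowerShell example (not the commenter's code or screenshot): a per-site OU with Users and Computers sub-OUs, Block Inheritance set on each site OU, and an inheritance report that shows what actually reaches the Users OU. The site names and the "Company Baseline" GPO are assumptions. One caveat the comment does not spell out: Block Inheritance stops ordinary domain-level links, but not a link marked Enforced, so a domain-wide baseline can still be pushed into isolated sites by enforcing it at the domain.

```powershell
# Added example, not from the original thread. Assumes RSAT (ActiveDirectory and
# GroupPolicy modules) and a domain-admin session. Site and GPO names are assumed.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domainDN = (Get-ADDomain).DistinguishedName
$sites    = @('Site 1', 'Site 2')

# Helper: create an OU under $parentDN if it does not already exist.
function Ensure-OU([string]$name, [string]$parentDN) {
    if (-not (Get-ADOrganizationalUnit -Filter "Name -eq '$name'" -SearchBase $parentDN -SearchScope OneLevel)) {
        New-ADOrganizationalUnit -Name $name -Path $parentDN -ProtectedFromAccidentalDeletion $true | Out-Null
    }
    return "OU=$name,$parentDN"
}

foreach ($site in $sites) {
    $siteDN = Ensure-OU $site $domainDN
    Ensure-OU 'Users'     $siteDN | Out-Null
    Ensure-OU 'Computers' $siteDN | Out-Null

    # Isolate the site from domain-level GPOs (the "first method" in the comment).
    Set-GPInheritance -Target $siteDN -IsBlocked Yes | Out-Null
}

# An enforced domain link still applies inside the blocked site OUs. Use this
# for settings that must reach everyone, e.g. an audit or hardening baseline.
$baselineGpo = 'Company Baseline'   # assumed name
if (-not (Get-GPO -Name $baselineGpo -ErrorAction SilentlyContinue)) {
    New-GPO -Name $baselineGpo -Comment 'Domain-wide baseline; enforced so Block Inheritance cannot drop it' | Out-Null
    New-GPLink -Name $baselineGpo -Target $domainDN -LinkEnabled Yes -Enforced Yes | Out-Null
}

# Report the effective link chain for each site's Users OU, so the design can
# be checked before any accounts are moved into it. Expect only the enforced
# baseline and whatever is linked at or below the site OU.
foreach ($site in $sites) {
    $siteDN = "OU=$site,$domainDN"
    $target = "OU=Users,$siteDN"
    $blocked = (Get-GPInheritance -Target $siteDN).GpoInheritanceBlocked
    "{0}: inheritance blocked at site OU = {1}" -f $target, $blocked
    (Get-GPInheritance -Target $target).InheritedGpoLinks |
        Select-Object Order, DisplayName, Enforced, Target | Format-Table -AutoSize
}
```

Run the report before and after moving accounts: if a domain-level GPO you expected to see is missing from a site's Users OU, it is being dropped by the block and either belongs lower in the tree or needs to be enforced at the domain.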
 

Author Comment

by:nigelbeatson
ID: 41859033
Many thanks, that is very helpful.

The reason AD was like that is historical: we started off with a very small single server and it has grown.

We are trying to tidy this up now and get rid of a lot of the older technology, and bring the network in line with more modern practices.

Being in a working environment just makes me want to research the progression before we actually carry it out, so thank you for taking the time to offer advice.
0
