Using group policy

We have a network which has 2 servers. Both running 2012.

Initially we had only one server, and we added all of our users into the users container.

We then added a second server in a different location, and created a new container in AD called "site 2 users". We added all of the users at this location, to that container.

My question relates to the use of group policy.

I can see how we apply any number of group policies to the container for "site 2 users", but the "users" container does not appear in the group policy management console.

How do I create and apply a new group policy for the users in the USERS container?

Many thanks
oBdA Commented:
You can't; GPOs can only be linked to Organizational Units.
You created an Organizational Unit called "site 2 users", so you can link GPOs to it.
The default "Users" is an actual Container (look closely at the icons in ADUC), not an Organizational Unit, and you can't link GPOs to Containers.
Create a new Organizational Unit called "site 1 users" or whatever, move your regular users into this OU, and link the GPO to this OU.
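
The steps from this answer as a PowerShell sketch (an added example, not posted by anyone in the thread). It assumes the ActiveDirectory and GroupPolicy RSAT modules are available; the GPO name is a hypothetical placeholder, and built-in accounts are skipped via `isCriticalSystemObject` as one way to leave default objects where they are.

```powershell
# Added example: OU and GPO names are assumptions, not values confirmed by the thread.
Import-Module ActiveDirectory, GroupPolicy

$OuName  = 'site 1 users'        # OU name suggested in the answer
$GpoName = 'Site 1 User Policy'  # hypothetical GPO name

$domain   = Get-ADDomain
$usersCn  = $domain.UsersContainer                     # CN=Users,DC=...
$targetOu = "OU=$OuName,$($domain.DistinguishedName)"

# The default Users object is class 'container', which is why GPMC will not offer it as a link target.
"Users object class: $((Get-ADObject -Identity $usersCn).ObjectClass)"

# Create the OU only if it does not exist yet.
$existing = Get-ADOrganizationalUnit -Filter "Name -eq '$OuName'" `
    -SearchBase $domain.DistinguishedName -SearchScope OneLevel
if (-not $existing) {
    New-ADOrganizationalUnit -Name $OuName -Path $domain.DistinguishedName `
        -ProtectedFromAccidentalDeletion $true
}

# Regular users only: Administrator, Guest, krbtgt and similar stay in CN=Users.
$toMove = Get-ADUser -Filter * -SearchBase $usersCn -SearchScope OneLevel `
        -Properties isCriticalSystemObject, MemberOf |
    Where-Object { -not $_.isCriticalSystemObject }

# Snapshot group membership keyed by objectGUID, which does not change on a move.
$before = @{}
foreach ($u in $toMove) { $before[$u.ObjectGUID] = ($u.MemberOf | Sort-Object) -join ';' }

# Dry run first; remove -WhatIf once the list of accounts looks right.
$toMove | Move-ADObject -TargetPath $targetOu -WhatIf

# Confirm that group membership is unchanged after the move.
foreach ($guid in $before.Keys) {
    $now = Get-ADUser -Identity $guid -Properties MemberOf
    if ((($now.MemberOf | Sort-Object) -join ';') -ne $before[$guid]) {
        Write-Warning "Group membership changed for $($now.SamAccountName)"
    }
}

# Create the GPO if needed and link it to the new OU.
if (-not (Get-GPO -Name $GpoName -ErrorAction SilentlyContinue)) {
    New-GPO -Name $GpoName | Out-Null
}
New-GPLink -Name $GpoName -Target $targetOu -LinkEnabled Yes
```
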
Antzs (Infrastructure Services) Commented:
Are both servers in the same AD Domain?
nigelbeatson (Author) Commented:
yes, both servers are in the same AD.

What are the implications of creating a new container for "site 1 users" and moving the users from the USERS container?

Is it just a case of dragging and dropping them, and all existing config will just follow?

Yes; same as you did for the "site 2 users". Just leave any objects you didn't create there.
nigelbeatson (Author) Commented:
so it won't affect how people log on, or any permissions they have been assigned or group memberships etc?

this is a working server and don't want to interrupt anything.

many thanks
Joseph Moody (Blogger and wearer of all hats) Commented:
No - it won't have any negative problems with logging on/permissions etc.
A user's location in AD has no impact on group membership. Since they're currently residing in a Container to which no GPOs (except those linked to the domain or sites) would apply anyway, and the target OU is a new OU, the move shouldn't affect anything.
nigelbeatson (Author) Commented:
many thanks - I will proceed with the creation of a new organizational unit, move the users from the USERS container, and apply the new group policy as suggested.

Many thanks to all.
yo_bee (Director of Information Technology) Commented:
I know this is closed but I would like to give my POV.
AD and GPO work hand in hand with each other.  It is all about management when it comes to this.
It was stated to me years ago that you should build your AD structure the way you want to manage your entire environment.  

So if your policies will be site specific then you should create OU's based on your sites, then nest the Objects under the site. Whether you want to put the Users and Computers in separate Sub-OU's under your Site OU you can, or you can have all your User and Computer objects under the Site OU and apply your GPO's to the Site.

If you have more company wide User and Computer settings that are not site specific then you can build it the opposite way.

Here is a screenshot of the first method.  This has Blocked Inheritance enabled and is isolating the Sites from the Domain level.  If you want domain level GPO's to apply you just do not use Block Inheritance.  

Depending on how you want your settings, I normally figure out what needs to be distributed domain wide and have that at the top.  From there I build a trickle down theory and have the real one-offs nested at the bottom of the chain of OU's.

nigelbeatson (Author) Commented:
many thanks, that is very helpful.

the reason ad was like that is due to historical reasons. we started off with a very small single server and it has grown.

we are trying to tidy this up now and get rid of a lot of the older technology, and bring the network in line with more modern practices.

being in a working environment just makes me want to research the progression before we actually carry it out, so thank you for taking the time to offer advice.