cmlbaete

asked on

Applying Group policy at a granular level

I have recently taken over an IT role where Group Policy was not used efficiently. I have created OUs by region (London, Kent, etc.), and within London we have IT, HR, Marketing, Accounts, etc.

So I have created a London GP that deploys the standard drives for all staff in London, which works fine.

I have then created individual GPs for HR, IT, and Accounts and applied them to each OU to map department-specific drives. Again, this works perfectly.

That all went well but we have three admins in the London OU who need access to the marketing drive but need to remain in the London OU.

I had thought I could do this with Item-level Targeting, but that isn't working. I assume because those users are in a higher OU?

What would people advise in terms of applying a GP to an OU but also applying it to individuals who would be the exception?
yo_bee

You can, as long as the GPO is linked to the OU where these 3 admin user objects exist.
Are you using security groups for the ILT or individual user objects?

If you are using more than one ILT setting (e.g. three users), make sure you use OR and not AND.
If you use AND, they all have to be true for it to work.
cmlbaete

ASKER

OK, so we have the London OU where the three users reside, and then within London we have the CR team, where the OU is applied.

The three staff in London need the drive mapped that is applied in the CR team Group policy but the three users must stay in the London OU as there are policies we don't want them getting. I am using individual users.

From what you just said Item level targeting won't work due to them being in the previous OU?

SOLUTION
yo_bee

This solution is only available to members.
You can link GPOs to the actual Site and the user/computer object can still remain where it is
OK, so that has pretty much confirmed where I was thinking. So moving forward, could I move the GPP to the London OU, create a security group with the CR team in, and then use targeting to apply to only that security group?

Thank you for your help btw.
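
The plan described in the post above, sketched as an added example that is not part of the original thread: a dedicated GPO linked at the London OU, with the drive map limited by a security group. The domain, OU paths, group name, GPO name and account names are all assumptions; a separate GPO is used so that no other CR-team settings reach the wider London OU.

```powershell
# Requires the RSAT ActiveDirectory and GroupPolicy modules.
Import-Module ActiveDirectory, GroupPolicy

# Assumed names (not from the thread): replace with your own.
$londonOu  = 'OU=London,DC=example,DC=com'
$crOu      = "OU=CR,$londonOu"
$groupName = 'GG-London-CR-Drive'
$gpoName   = 'London - CR drive map'
$admins    = 'admin1', 'admin2', 'admin3'   # the three users who stay in the London OU

# 1. Security group that the item-level targeting (ILT) filter will test.
if (-not (Get-ADGroup -Filter "SamAccountName -eq '$groupName'")) {
    New-ADGroup -Name $groupName -SamAccountName $groupName `
        -GroupScope Global -GroupCategory Security -Path $londonOu
}

# 2. Wanted members: every user in the CR OU plus the three exceptions.
$wanted  = @(Get-ADUser -Filter * -SearchBase $crOu)
$wanted += @($admins | ForEach-Object { Get-ADUser -Identity $_ })

# Add only accounts that are not already members, so the script can be re-run.
$current = @(Get-ADGroupMember -Identity $groupName).DistinguishedName
$toAdd   = @($wanted | Where-Object { $_.DistinguishedName -notin $current })
if ($toAdd.Count -gt 0) { Add-ADGroupMember -Identity $groupName -Members $toAdd }

# 3. New, empty GPO linked at the London OU so it reaches London and its child OUs.
if (-not (Get-GPO -Name $gpoName -ErrorAction SilentlyContinue)) {
    New-GPO -Name $gpoName | New-GPLink -Target $londonOu -LinkEnabled Yes | Out-Null
}

# 4. Manual step in Group Policy Management Editor:
#    User Configuration > Preferences > Windows Settings > Drive Maps,
#    create the drive item, then Common tab > Item-level targeting >
#    Security Group = $groupName, "User in group".

# 5. Checks: the link must be inherited by the CR OU, and inheritance must not be blocked there.
$inh = Get-GPInheritance -Target $crOu
"Inheritance blocked on CR OU: $($inh.GpoInheritanceBlocked)"
$inh.InheritedGpoLinks | Where-Object DisplayName -eq $gpoName |
    Select-Object DisplayName, Order, Enabled, Enforced

# Who will match the ILT filter.
Get-ADGroupMember -Identity $groupName | Sort-Object SamAccountName |
    Select-Object SamAccountName, DistinguishedName
```

Group membership is read from the logon token, so affected users need to log off and on before the targeting filter matches. The mapping only connects the drive; access still depends on share and NTFS permissions, which should be granted to the same group.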
ASKER CERTIFIED SOLUTION

This solution is only available to members.
Really great post - I gained a lot posting this.
That is great to hear.