(Msg. 1) Posted: Fri Sep 05, 2008 8:22 am
Post subject: GPO Processing Order and OUs Archived from groups: microsoft>public>win2000>group_policy
I have been having some problems getting some GPOs to process when
linked to specific OUs. Here's a basic rundown of our domain setup:
Basically, policies linked to OUs are not processed unless they are
also linked to the Domain as well. Is this correct? I was under the
impression that GPOs are processed in a top down order under the
Domain, including OUs with linked GPOs.
(Msg. 2) Posted: Fri Sep 05, 2008 1:42 pm
Post subject: Re: GPO Processing Order and OUs
> The behavior you describe, that policies need to be linked to BOTH the
> domain AND the OU is weird. Where are the workstation computer objects?
The GPO applies to a Security Group specified in the Security
Filtering section of the OU (the user is a member of the security
group so should have the setting applied). The GPO has only one
setting enabled, a User Configuration setting to run a logon VB
script.
> Is the policy listed?
The policy is not listed when I run gpresult.exe
A better rundown of the setup is:
OURORGANIZATION.COM
-Default Domain Policy (computer and user settings)
--Shared Drive Mappings
---Map L Script (user settings)
---Map P Script (user settings)
(Msg. 3) Posted: Fri Sep 05, 2008 6:22 pm
Post subject: Re: GPO Processing Order and OUs
Yuppie!
Yuppie wrote:
> Basically, policies linked to OUs are not processed unless they are
> also linked to the Domain as well. Is this correct? I was under the
> impression that GPOs are processed in a top down order under the
> Domain, including OUs with linked GPOs.
The behavior you describe, that policies need to be linked to BOTH the
domain AND the OU is weird. Where are the workstation computer objects?
Are they in the workstation OU you link the policy to? Only linking the
policy to the workstation OU (NOT the domain) - what's the output of
rsop.msc and gpresult.exe? Is the policy listed?
(Msg. 4) Posted: Sat Sep 06, 2008 12:15 am
Post subject: Re: GPO Processing Order and OUs
Yuppie wrote:
>> The behavior you describe, that policies need to be linked to BOTH the
>> domain AND the OU is weird. Where are the workstation computer objects?
>
> The GPO applies to a Security Group specified in the Security
> Filtering section of the OU (the user is a member of the security
> group so should have the setting applied). The GPO has only one
> setting enabled, a User Configuration setting to run a logon VB
> script.
>
>> Is the policy listed?
>
> The policy is not listed when I run gpresult.exe
>
> A better rundown of the setup is:
>
> OURORGANIZATION.COM
> -Default Domain Policy (computer and user settings)
> --Shared Drive Mappings
> ---Map L Script (user settings)
> ---Map P Script (user settings)
>
Did you put the user accounts into the OU you linked the policy to? Once
you did so, the policy will apply. It's not only permissions you need
for group policy application - you need the target objects as child
objects of the OU.
(Msg. 5) Posted: Sun Sep 07, 2008 7:42 pm
Post subject: Re: GPO Processing Order and OUs
> Did you put the user accounts into the OU you linked the policy to? Once
> you did so, the policy will apply. It's not only permissions you need
> for group policy application - you need the target objects as child
> objects of the OU.
>
Do the actual user accounts need to be in the OU? Can a security
group with user accounts as members be added to the OU and the Policy
will apply to all members of the security group?
(Msg. 6) Posted: Mon Sep 08, 2008 3:12 am
Post subject: Re: GPO Processing Order and OUs
Yuppie,
Yuppie wrote:
> Do the actual user accounts need to be in the OU? Can a security
> group with user accounts as members be added to the OU and the Policy
> will apply to all members of the security group?
The actual user accounts need to be in the OU - security groups will not
work.
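Added example (not part of the original thread): a simplified Python model of the scoping rule discussed in the posts above, where a GPO reaches a user only if it is linked on the user's own container chain and its security filter names a group the user belongs to. The users alice and bob, the group "L Drive Users" and the placement of accounts are constructed for illustration; sites, block inheritance, enforced links, WMI filters and loopback processing are ignored.

```python
# Simplified model of Group Policy scoping; all sample data is constructed.

def containers_of(dn):
    """Containers above an object, nearest first, ending at the domain root.
    Assumes the sample DNs contain no escaped commas."""
    parts = dn.split(",")
    chain = []
    for i in range(1, len(parts)):
        chain.append(",".join(parts[i:]).lower())
        if parts[i].upper().startswith("DC="):
            break                      # reached the domain root
    return chain

def applied_gpos(user_dn, member_of, links, filters):
    """GPOs that reach the user: linked somewhere on the user's container
    chain AND security-filtered to a group the user is a member of."""
    result = []
    for container in reversed(containers_of(user_dn)):   # domain, then OUs
        for gpo in links.get(container, []):
            if filters[gpo] & member_of:
                result.append(gpo)
    return result

DOMAIN = "DC=ourorganization,DC=com"
OU = "OU=Shared Drive Mappings," + DOMAIN
# GPO -> groups granted Read + Apply Group Policy (security filtering)
FILTERS = {"Default Domain Policy": {"Authenticated Users"},
           "Map L Script": {"L Drive Users"}}        # hypothetical group name
GROUPS = {"Authenticated Users", "L Drive Users"}    # both users are members
# The group object itself may sit inside the OU; its location is never
# consulted, only the location of the user object is.
LINKED_TO_OU = {DOMAIN.lower(): ["Default Domain Policy"],
                OU.lower(): ["Map L Script"]}
LINKED_TO_DOMAIN = {DOMAIN.lower(): ["Default Domain Policy", "Map L Script"]}

ALICE = "CN=alice,CN=Users," + DOMAIN   # account outside the OU
BOB = "CN=bob," + OU                    # account inside the OU

if __name__ == "__main__":
    for name, dn in (("alice", ALICE), ("bob", BOB)):
        print(name, "OU link:    ", applied_gpos(dn, GROUPS, LINKED_TO_OU, FILTERS))
        print(name, "domain link:", applied_gpos(dn, GROUPS, LINKED_TO_DOMAIN, FILTERS))
```

In this model alice receives "Map L Script" only when it is linked at the domain, while bob receives it from the OU link as well, even though both are members of the filtered group.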
(Msg. 7) Posted: Mon Sep 08, 2008 9:01 am
Post subject: Re: GPO Processing Order and OUs
> The actual user accounts need to be in the OU - security groups will not
> work.
>
This is incorrect.
In addition, my GPOs are being applied when linked directly under the
domain. But when I create an OU under the domain and link to the GPO
from within the OU, it stops being applied. Am I missing a permission
or something? This is rather discouraging.
(Msg. 8) Posted: Mon Sep 08, 2008 9:53 am
Post subject: Re: GPO Processing Order and OUs
> Group Policies only apply to user and computer objects that are child
> objects of the OU they are linked to - period. Security Filtering only
> is a further filtering of the (already being) targets of the policy to
> for example create a subset of those users or computers. GPs still only
> apply to user and computer accounts.
>
> Without user and computer objects being child objects of the OUs you
> linked the policy to - how would they know they have to apply a Group
> Policy?
Excuse me. My misunderstanding.
That being said, why is it that a policy is applied when linked
directly to the domain but not when linked to an OU beneath the
domain? That is my main question and I have yet to find an answer. I
feel like I am missing something critical here. What am I missing?
The GPO I have created knows to apply the settings to the child
objects (user accounts) as they are members of the Security Group
which is defined in the Security Filter. But when linked to an OU,
they are not being applied.
All times are: Eastern Time (US & Canada)