(Msg. 10) Posted: Mon Sep 08, 2008 6:08 pm
Post subject: Re: GPO Processing Order and OUs
Group Policies only apply to user and computer objects that are child
objects of the OU they are linked to - period. Security Filtering is
only a further filtering of the (existing) targets of the policy, for
example to create a subset of those users or computers. GPs still only
apply to user and computer accounts.
Without user and computer objects being child objects of the OUs you
linked the policy to - how would they know they have to apply a Group
Policy?
(Msg. 11) Posted: Mon Sep 08, 2008 7:53 pm
Post subject: Re: GPO Processing Order and OUs
Howdie!
Yuppie wrote:
> That being said, why is it that a policy is applied when linked
> directly to the domain but not when linked to an OU beneath the
> domain? That is my main question and I have yet to find an answer. I
> feel like I am missing something critical here. What am I missing?
Let's see if I can get this clearer for you: Group Policy processing is
divided in two things: the AD structure and permissions (on the GPlink,
SYSVOL, ...). Both those things need to be in a "good state" for a user
to apply a Group Policy.
From the AD structure and its parent OUs, a user or computer knows what
policies to apply. It applies given policies in the following order:
Local - site - domain - OU - second level OU, third level OU, ...
The set of policies to apply is the sum of all those stations.
Contradicting settings are solved through the "last writer wins"
principle (if OU and 2nd level domain have a GP with the same setting
configured but with different states like enabled vs. disabled, 2nd
level OU wins as it gets applied later).
In order to apply the policies, target objects (again speaking of user
and computer objects) need appropriate permissions to the GPs (the link,
the SYSVOL...). They basically need "Read" and "Apply Group Policy"
permissions to apply a policy. Only if both conditions are true - the
object is target of policy X by a (child-) membership of the OU the
policy's linked to AND it has sufficient permission to apply the policy,
the object does apply it.
So -- coming to the GPO you linked to the domain - the domain is the
"parent" of all OUs, so to speak. It therefore applies to all objects
(even to those objects that reside in the "Users" and "Computers"
default containers you cannot link GPs to!).
Any clearer? Feel free to ask if I missed your point.
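
An added example (not part of the original posts): a small Python model of the two conditions described in the post above, scope through the parent OUs and Read plus Apply Group Policy permission, with conflicts resolved by "last writer wins". The domain, OU, GPO, group and setting names are all constructed, and the model covers only the domain and OU stages of the processing order.

```python
# Constructed model: every DN, GPO, group and setting below is made up.

def scope_chain(dn):
    """Return the domain DN, then each parent OU DN, outermost first."""
    rdns = dn.split(",")[1:]          # drop the object's own RDN (no escaped commas handled)
    dc = next(i for i, r in enumerate(rdns) if r.upper().startswith("DC="))
    chain = [",".join(rdns[dc:])]     # the domain is the parent of everything
    for i in range(dc - 1, -1, -1):   # then OUs from top level down
        if rdns[i].upper().startswith("OU="):   # CN= containers carry no links
            chain.append(",".join(rdns[i:]))
    return chain

def applied_gpos(dn, groups, links, acls):
    """GPOs the object processes, in order: in scope AND permitted."""
    result = []
    for container in scope_chain(dn):
        for gpo in links.get(container, []):
            acl = acls.get(gpo, {})
            # Both Read and Apply Group Policy must be granted via some group.
            if any({"Read", "Apply"} <= acl.get(g, set()) for g in groups):
                result.append(gpo)
    return result

def effective_settings(dn, groups, links, acls, settings):
    """Merge settings in processing order; a later GPO overwrites an earlier one."""
    merged = {}
    for gpo in applied_gpos(dn, groups, links, acls):
        merged.update(settings[gpo])
    return merged

DOMAIN = "DC=corp,DC=example"
LINKS = {
    DOMAIN: ["Baseline"],
    "OU=Staff," + DOMAIN: ["StaffLock"],
    "OU=Sales,OU=Staff," + DOMAIN: ["SalesRelax"],
}
FULL = {"Read", "Apply"}
ACLS = {
    "Baseline": {"Authenticated Users": FULL},
    "StaffLock": {"Authenticated Users": FULL},
    "SalesRelax": {"Sales Managers": FULL, "Authenticated Users": {"Read"}},
}
SETTINGS = {
    "Baseline": {"ScreenLock": "enabled"},
    "StaffLock": {"ControlPanel": "disabled"},
    "SalesRelax": {"ControlPanel": "enabled"},
}
```

An account left in the default `CN=Users` container resolves to the domain-linked GPO only, which matches the behaviour asked about in the quoted question.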
(Msg. 12) Posted: Tue Sep 09, 2008 6:48 am
Post subject: Re: GPO Processing Order and OUs
Perhaps I have been missing a huge step when creating these GPOs and
OUs. When you say a user account or computer account needs to be a
child object of the OU, you mean add the object to the OU from within
Active Directory Users and Computers, correct?
(Msg. 13) Posted: Tue Sep 09, 2008 7:15 am
Post subject: Re: GPO Processing Order and OUs
What a relief! Thank you so much for your time, patience and help.
(Msg. 14) Posted: Tue Sep 09, 2008 4:00 pm
Post subject: Re: GPO Processing Order and OUs
Yuppie,
Yuppie wrote:
> Perhaps I have been missing a huge step when creating these GPOs and
> OUs. When you say a user account or computer account needs to be a
> child object of the OU, you mean add the object to the OU from within
> Active Directory Users and Computers, correct?
>
> Like this:
> http://tinyurl.com/6negrb
Yes, that was what I was trying to say. Maybe still not clear enough.
Putting the user account into the OU should make the policy work. I
suggest you start investigating how that works -- and leave the security
filtering alone (for starters). That is really for "advanced" GP
administration if you can't get away with OU structuring alone.
All times are: Eastern Time (US & Canada)