GPO-preferences not applies to a group in OU, only to users

-

1. gpo created using user configuration\ prefernces \control panel \ scheduled tasks

2. applied ou containing users , group

3. group contains users in current ou , users different ous.

4. gpo applies users in ou applied not users members of group residing in other ou.

resultant gpo not shows gpo neither in applied nor denied users in different ous.

why?

--- when hit wrong note next note makes or bad. --- miles davis

1. gpo created using user configuration\ prefernces \control panel \ scheduled tasks

2. applied ou containing users , group

3. group contains users in current ou , users different ous.

4. gpo applies users in ou applied not users members of group residing in other ou.

resultant gpo not shows gpo neither in applied nor denied users in different ous.

why?

because that's not how gpo works.

gpo linked ou (or ad site, or, domain root), , gpo processed computer objects (or user objects).

if gpo contains computer settings, computer objects process , apply gpo. group not computer.

you *can* use gp security filtering filter computer objects within ou (or not) apply gpo, gpo not traverse/recurse/apply via group objects (i.e. members of group) in example, because computer objects in ou apply gp.

[this 1 of primary reasons designing ad ou structure based around how gp needs applied. structure ad ous logical groupings of users/computers allow linking of gpos without having create complex filters, and exploit inheritance logic]

if have several different ous containing computers, , each of ous requires common settings applied, consider linking single gpo multiple ous. if there computers in ou need settings , there computers in ou should not have settings, have several choices implementation, here few;

a) create ou (perhaps child ou of first ou) move computers child ou , link gpo there (this leverages inheritance feature)

b) leave computers in single ou apply security filtering gpo gpo applies those. (create ad group, add computers new group, , use ad group security filtering gpo read+apply permission, , remove default permission authenticated users)

c) create ou (not child of first ou) , link needed gpos new ou, , move computers new ou

don
(please take moment "vote helpful" and/or "mark answer", applicable.
helps community, keeps forums tidy, , recognises useful contributions. thanks!)





Windows Server  >  Group Policy



Comments

Post a Comment

Popular posts from this blog

Group Policy Event ID 1058 Error Code 1326 (The user name or password is incorrect)

-
i seeing odd error on 1 of our domain controllers. have dealt event id 1058 errors whereby policy (or policies) not replicating, receiving error along error code 1326 on server, , apparently happening default domain policy: log name:      system source:        microsoft-windows-grouppolicy date:          8/10/2015 3:09:54 pm event id:      1058 task category: none level:         error keywords:      user:          s-1-5-21-1484152634-2550175353-3916092219-3287 computer:      <dc name>.<domainname> description: processing of group policy failed. windows attempted read file http://schemas.microsoft.com/win/2004/08/events/event ">   <system>     <provi...
Read more

Suspicious event log Event ID: 4905

-
hi thr, could please me understand causing such event logs generate ? as  i understand, vssvc.exe pertains volume shadow copy used backup purpose.  we have third party application used taking backup of servers. the event longs generated following messages: 1) attempt made unregister security event source. 2) attempt made register security event source. these events not regular generated on random days. standard fields: date:               2013/10/19 time:               02:32:19 importance:         critical rule name:          security event monitored machine:  <domain controller> log format:         windows log name:           security event id:           4905 in work hours:      yes dynamic fields: internal timestamp: 2013/10/19 ...
Read more

DCOM received error "2147746132" from...

-
hi everybody, i have dc (my windows essentials 2012 server) , windows 2012 server in network.  the windows server 2012 inside domain. on server, got "non stopping" error says in event logs : ===> dcom received error "2147746132" fromd computer xxxx(my dc computer) while server trying activation : {6df8cb71-153b-4c66-8fc4-e59301b8011b} it never stops, got 11000+ new events :s i found : http://support.microsoft.com/kb/971153/fr i'm not sure should ? does got idea ? matthieu. hi, please try solution mentioned in below link: http://www.eventid.net/display-eventid-10006-source-dcom-eventno-272-phase-1.htm regards, cicely Windows Server  >  Windows Server 2012 General ...
Read more