OU, groups and computers...

SanKuKaï Member Posts: 65
Dear all,

Just a quick question: I create a group (security, global) and add 2 computers to this group. Now I create an OU and place this group into it and link a GPO to the OU. Does the GPO apply to my computers inside the group?

I understand that the GPO does not apply to the computers unless I place the computers directly into the OU. Am I right?

Thank you for your help!

Comments

  • Mishra Member Posts: 2,468
    Correct.
    My blog http://www.calegp.com

    You may learn something!
  • SanKuKaï Member Posts: 65
    It is not possible to link a GPO to a group, only to an OU, is that right?

    If I have a universal group with members from various domains, how can I link a GPO to all these members? Would I have to create an OU in each domain, add members from the universal group into them and apply the same GPO to each OU separately?
  • royal Member Posts: 3,352
    You can't do that. Again, the groups do not apply GPOs. If the user object is in an OU, it'll apply GPOs from that OU to that user/computer object that exists within that OU only. The only thing that strays from this behavior is using group policy loopback with merge mode.

    If users are in a different domain, because GPOs don't apply to groups, you'll have to create a mimic'd GPO in the other domain to apply to those users if you want consistency.

    This is one of the things that go into a design. Why add another domain and create a policy boundary when you'll be creating similar policies?
    “For success, attitude is equally as important as ability.” - Harry F. Banks
  • bjaxx Member Posts: 217
    royal wrote:
    You can't do that. Again, the groups do not apply GPOs. If the user object is in an OU, it'll apply GPOs from that OU to that user/computer object that exists within that OU only. The only thing that strays from this behavior is using group policy loopback with merge mode.

    If users are in a different domain, because GPOs don't apply to groups, you'll have to create a mimic'd GPO in the other domain to apply to those users if you want consistency.

    This is one of the things that go into a design. Why add another domain and create a policy boundary when you'll be creating similar policies?

    I don't know why but I have a hard time with GPOs myself.

    I struggle with the design more than anything, just to clarify my stupidity, in order for that policy to apply to the user/computer they have to be under that policy?

    So for example if you have a default domain policy in effect with user and computer settings and all OUs and objects sit under the default domain policy. But also there is a Terminal Servers OU with a terminal servers policy that only has two server objects. This terminal servers policy has user/computer settings as well.

    What policy settings are applied?
    "You have to hate to lose more than you love to win"
  • dynamik Banned Posts: 12,312
  • bjaxx Member Posts: 217
    dynamik wrote:

    Thanks Dynamik,

    always setting me straight.
    "You have to hate to lose more than you love to win"
  • astorrs Member Posts: 3,139
    bjaxx wrote:
    So for example if you have a default domain policy in effect with user and computer settings and all OUs and objects sit under the default domain policy. But also there is a Terminal Servers OU with a terminal servers policy that only has two server objects. This terminal servers policy has user/computer settings as well.

    What policy settings are applied?
    Unless you specify differently, both the default domain policy and the terminal services policy will apply to anything within the Terminal Services OU.
  • bjaxx Member Posts: 217
    astorrs wrote:
    bjaxx wrote:
    So for example if you have a default domain policy in effect with user and computer settings and all OUs and objects sit under the default domain policy. But also there is a Terminal Servers OU with a terminal servers policy that only has two server objects. This terminal servers policy has user/computer settings as well.

    What policy settings are applied?
    Unless you specify differently, both the default domain policy and the terminal services policy will apply to anything within the Terminal Services OU.

    What happens if you block inheritance on the terminal servers policy?
    "You have to hate to lose more than you love to win"
  • royal Member Posts: 3,352
    Then it blocks inheritance. :) Really, it means just that. If you want to apply policies to an entire domain except for one OU for example, you can apply the policy at the Domain Level and block inheritance at the specific OU and they won't flow down to that OU. That is of course you set No Override on the new GPO applied higher up. No Override takes precedence over Block Inheritance.
    “For success, attitude is equally as important as ability.” - Harry F. Banks
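
Added example (not part of the original thread): a small Python model of the scoping rules described above, in which GPOs reach an object through the containers it sits in, never through group membership, and Block Inheritance is overridden by No Override (Enforced) links. The domain, OU and GPO names are constructed, and the model assumes default security filtering and ignores link order within a container.

```python
# Constructed sample directory: container DN -> GPO links and Block Inheritance flag.
# Each link is (gpo_name, enforced); "enforced" is the No Override option.
CONTAINERS = {
    "DC=corp,DC=example": {
        "links": [("Default Domain Policy", False), ("Baseline Lockdown", True)],
        "block": False,
    },
    "OU=Terminal Servers,DC=corp,DC=example": {
        "links": [("Terminal Servers Policy", False)],
        "block": True,
    },
    "OU=Groups,DC=corp,DC=example": {
        "links": [("Group OU Policy", False)],
        "block": False,
    },
}

# Constructed membership: PC01 belongs to a group that lives in OU=Groups.
# applied_gpos() never reads this, which is the point made in the thread.
MEMBER_OF = {
    "CN=PC01,CN=Computers,DC=corp,DC=example": ["CN=Kiosk PCs,OU=Groups,DC=corp,DC=example"],
}


def container_chain(dn):
    """Containers above an object that can carry GPO links, domain first."""
    parts = dn.split(",")[1:]  # drop the object's own RDN; naive split, no escaped commas
    chain = [",".join(parts[i:]) for i in range(len(parts))]
    return [c for c in reversed(chain) if c in CONTAINERS]


def applied_gpos(dn):
    """GPOs in processing order; later entries win on conflicting settings."""
    normal, enforced = [], []
    for container in container_chain(dn):
        node = CONTAINERS[container]
        if node["block"]:
            normal = []  # Block Inheritance drops non-enforced GPOs linked higher up
        for name, is_enforced in node["links"]:
            (enforced if is_enforced else normal).append(name)
    # Enforced links are processed last, with the highest container winning.
    return normal + enforced[::-1]


if __name__ == "__main__":
    for dn in ("CN=TS01,OU=Terminal Servers,DC=corp,DC=example", *MEMBER_OF):
        print(dn, "->", applied_gpos(dn))
```
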
  • bjaxx Member Posts: 217
    royal wrote:
    Then it blocks inheritance. :) Really, it means just that. If you want to apply policies to an entire domain except for one OU for example, you can apply the policy at the Domain Level and block inheritance at the specific OU and they won't flow down to that OU. That is of course you set No Override on the new GPO applied higher up. No Override takes precedence over Block Inheritance.

    Well I run RSOP for a terminal server in that ou and a user account that is out of that OU.

    We don't have my document redirection set at the terminal servers policy but at the default domain policy.


    So the RSOP states that the my document redirection is coming from the default domain policy.

    I'm at a loss -


    Insert bullet here.
    "You have to hate to lose more than you love to win"
  • royal Member Posts: 3,352
    Maybe I'm understanding you wrong. But document redirection is a user configuration setting. So if that is configured at the root of the domain it'll apply to all users.
    “For success, attitude is equally as important as ability.” - Harry F. Banks
  • dynamik Banned Posts: 12,312
    If you don't configure the setting, it'll inherit it if it's been configured somewhere else.
  • bjaxx Member Posts: 217
    dynamik wrote:
    If you don't configure the setting, it'll inherit it if it's been configured somewhere else.

    ok, thanks - you have cleared me up.

    I've got a lot to learn about GP - any suggestions for materials?
    "You have to hate to lose more than you love to win"
  • royal Member Posts: 3,352
    Assumed that would be obvious considering if there's an option called block inheritance, that settings are inherited if they're configured elsewhere.

    70-294 will teach you about group policy.
    “For success, attitude is equally as important as ability.” - Harry F. Banks
  • dynamik Banned Posts: 12,312
    You don't need to know a lot about group policy for this exam. You can search around http://technet.microsoft.com or pick up the 294 book. 294 is the general Active Directory exam, and group policy is one of the main topics.