Please Read: Significant Update Planned, Migrating Forum Software This Month

See more
See less

How to configure GPOs for OUs?

  • Filter
  • Time
  • Show
Clear All
new posts

  • How to configure GPOs for OUs?


    We use Windows 2003 Server and today I finished installing AD.

    Because our network is a small one (30 WinXP computers, more or less used for same functions) I will make just one OU. What we need is only this:

    1) Every user, who logs on to his client machine, should have a mapped drive letter, which would represent his My Documents directory somewhere on the server.

    2) I would like to disable or restrict some of the (for the user) non-essential functionalities, on his client computer, such as Control Panel, Monitor setting, prevent changes to Start Menu etc.

    I have downloaded the Group Policy Management Console for easyer configuring. Can all of the above written be done in here?

    I would realy apprechiate advisment how to do these things or if you could direct me to some HOWTOs or tutorials.

    Thanks in advance!


  • #2
    1) Every user, who logs on to his client machine, should have a mapped drive letter, which would represent his My Documents directory somewhere on the server.
    Take a look at the Folder Redirection feature. This way you do not have to deal with mapping drives - you can configure the GPO to redirect "My Documents" to user's network share

    As for the rest - those are rather streight forward and easy to implement things. What you need to do is to create a new Group Policy and link it to the OU you want to control.

    There is something you need to understand about GPO and this is how the GPO is actually processed:

    1) computer boots and queries the AD for the list of GPOs that should apply to the computer. This list is built according to the location of the computer account in AD. So for example, if you have a computer in OU=US,OU=Clients,DC=domain,DC=com, the computer will recieve the list of GPOs linked to any container in the path from the root. If there is GPO linked to domain, to "Clients" OU and "US" OU, those 3 GPOs will be applied while the "closer" GPO can override the settings configured in "upper" GPOs (this behavior actually can be changed by using "No override" and "Enforce" settings, but those are a bit more advanced topics).

    After the GPO list is obtained, only the "Computer Settings" of the GPOs are applied (we will leave loopback processing aside for now).
    This is an important point: if you link GPO to OU that contains only computer objects and configure some settings in the "User Settings" section of the GPO, those settings will NOT be applied.

    2) after the "Computer Settings" are processed, the user logs on. Similar to the described above, now the AD is queried for the list of GPOs, but this time it is looking for list of GPOs while looking at the location of the USER object (tha account you loged on with) in the AD, so if the user account is in the OU=Palo-Alto,OU=California,OU=Accounts,DC=domain,DC=com, the list will contain the GPOs linked to any container in this path.

    This time the "User Settings" of the GPOs are applied.

    P.S.: I have not mentioned GP objects linked to sites, but those are rare (and I am too lazy to keep typing )

    you should also check the documentation that comes with GPMC and of course there is a lot of examples on the web.
    Guy Teverovsky
    "Smith & Wesson - the original point and click interface"


    • #3
      Hello, Guy!

      Thanks for explaining it to me, now i dont have to wonder, why my GPOs did not work

      Well, Im off to read some more documentation on this and I will try to follow the guidelines you wrote.



      • #4
        Hello again!

        I was occupied with moving a lot of services from Linux to Windows so I took a brake from GPOs

        Anyway, I still have some issues and maybe you Guy, or someone else, can help me out with this, please.

        1) I started with Active Directory Users and Computer, created new OU in the root and named it as "dssl". Then I tryed to add a client computer, named UF1.

        What is "The following user or group can join this computer to a domain"? Should I leave it as it is?

        2) I clicked on "Change" and tryed under "Locations" and "Advanced" to locate OU "dssl", but I could not find it.

        3) Computer is added (with default settings) now I added a user.

        Is it mandatory to put both, computers and users in OU or can I put just the user in it and he will be able to log on to the domain from any computer?

        4) I right-clicket OU "dssl", choose Properties, created a new GPO and then edited it. Under the Security tab, from GPO properties, where the Groups and Users are listed - should I add any Users or Groups in here? I can not add OU, but my user and computer are created there.

        Probably I dont have to explain that the GPO is currently not working for me. I can connect a user to the domain but the GPO is not applied.

        Sometimes, when I do some changes, I cant even log into the domain.

        I think that my DNS and DHCP are configured as they should be so the problem is probably somewhere else.

        Many thanks in advance


        • #5
          Sorry for the delay...

          1) What you have done is to create the computer account in AD. This action does not actually join the computer to the domain, but only creates an account. You need to go to the client computer and actually join it to the domain.

          3) You do not have to place user and computer objects in the same OU.

          4) By default "Authenticated Users" have Read and Apply permissions, so there is no need to change the ACL as long as you do not want to filter out some objects that are in the OU, GPO is liked to (for example you might decide that all the computers except COMP2 should apply the GPO, and then you would add COMP2 to ACL and deny the Apply permission from COMP2)
          Guy Teverovsky
          "Smith & Wesson - the original point and click interface"


          • #6
            Hi! AD and GPOs, following your guidelines, started to work. Thank you!