Announcement

Collapse
No announcement yet.

Affixing a GPO to a group.

Collapse
X
  • Filter
  • Time
  • Show
Clear All
new posts

  • Affixing a GPO to a group.

    All my users are in the users folder.
    Some of those users are members of group "devs" in the group folder.
    To apply a GPO (a VBS to map printers) to group devs, I would have to make another OU in groups, move the devs group into the new OU and then apply the GPO to that OU, yes?

  • #2
    Re: Affixing a GPO to a group.

    The group is irrelevant unless you're using Group Filtering. GPOs apply to OUs - link the GPO to the OU, put the users (or machines) you want to apply the policy to into the OU. If you want to split it down even further you can filter GPOs by group; so that for instance:

    GPO A and GPO B are linked to the "Sales" OU. Sales Managers get two mapped drives, "Managers" and "Sales" (GPO A); non-managers only get "Sales" (GPO B). This is achieved by running two different login scripts which are set by the GPOs. Put all these users into the "Sales" OU. Link both GPO A and GPO B to the "Sales" OU. Put all managers into the "Sales Managers" group. Filter the GPOs by group so that the managers can read and apply GPO A and other sales people can read and apply GPO B.


    Tom
    For my own and your protection, I do not provide support by private message under any circumstances. All such messages will be deleted and ignored.

    Anything you say will be misquoted and used against you

    Comment


    • #3
      Re: Affixing a GPO to a group.

      What he said. Additionally, we have a GPO forum if you want to ask questions relating to Group Policy
      Gareth Howells

      BSc (Hons), MBCS, MCP, MCDST, ICCE

      Any advice is given in good faith and without warranty.

      Please give reputation points if somebody has helped you.

      "For by now I could have stretched out my hand and struck you and your people with a plague that would have wiped you off the Earth." (Exodus 9:15) - I could kill you with my thumb.

      "Everything that lives and moves will be food for you." (Genesis 9:3) - For every animal you don't eat, I'm going to eat three.

      Comment


      • #4
        Re: Affixing a GPO to a group.

        Originally posted by Kayden View Post
        All my users are in the users folder.
        Some of those users are members of group "devs" in the group folder.
        To apply a GPO (a VBS to map printers) to group devs, I would have to make another OU in groups, move the devs group into the new OU and then apply the GPO to that OU, yes?
        no, you would have to move the Users that are members of that group to the new OU you want to apply the GPO on,
        not the group itself (you can move the group as well if you wish, but it would have no effect on the GPO).

        Comment


        • #5
          Re: Affixing a GPO to a group.

          =\
          What if I have a person that is a member of two separate groups, non-nested? They can't really be in two places at once.

          Code:
          Domain
              |
              +--Groups ┐
                        |     ┌B--User Bob
                        +--A--|
                        |     └C
                        |
                        |     ┌Y
                        +--X--|
                              └Z--User Bob
                              
          How would I apply a GPO to someone who is in both OU B and Z? Would I have to make a third branch (N) just for him and reapply the GPOs from B and Z to N just for the one person?


          Code:
          Domain
              |
              +--Groups
                        |     ┌B
                        +--A--|
                        |     └C
                        |
                        |     ┌Y
                        +--X--|
                        |     └Z
                        |
                        |     
                        +--N--User Bob
                               

          Comment


          • #6
            Re: Affixing a GPO to a group.

            That is one of the reasons why you would use group filtering.
            Gareth Howells

            BSc (Hons), MBCS, MCP, MCDST, ICCE

            Any advice is given in good faith and without warranty.

            Please give reputation points if somebody has helped you.

            "For by now I could have stretched out my hand and struck you and your people with a plague that would have wiped you off the Earth." (Exodus 9:15) - I could kill you with my thumb.

            "Everything that lives and moves will be food for you." (Genesis 9:3) - For every animal you don't eat, I'm going to eat three.

            Comment


            • #7
              Re: Affixing a GPO to a group.

              Originally posted by gforceindustries View Post
              That is one of the reasons why you would use group filtering.
              So I would apply the GPO to the Groups folder and then remove "Authenticated Users" and instead place in the proper group/members?

              Comment


              • #8
                Re: Affixing a GPO to a group.

                I'd apply it to the root users OU (not the same as the Users container - you can't link GPOs there). Remove Authenticated Users and then add whatever groups you want it to apply to.
                Gareth Howells

                BSc (Hons), MBCS, MCP, MCDST, ICCE

                Any advice is given in good faith and without warranty.

                Please give reputation points if somebody has helped you.

                "For by now I could have stretched out my hand and struck you and your people with a plague that would have wiped you off the Earth." (Exodus 9:15) - I could kill you with my thumb.

                "Everything that lives and moves will be food for you." (Genesis 9:3) - For every animal you don't eat, I'm going to eat three.

                Comment


                • #9
                  Re: Affixing a GPO to a group.

                  Yea, that's what I meant.
                  That way seems a lot better than making a bunch of OUs.

                  Comment


                  • #10
                    Re: Affixing a GPO to a group.

                    I think MS' best practices suggest going down the OU route, and I am inclined to agree. However that model has one critical downside, which is that a user can only be in 1 OU, as you have seen. This is one of the reasons why MS have developed GP to support being filtered by security groups as well as OUs,
                    Gareth Howells

                    BSc (Hons), MBCS, MCP, MCDST, ICCE

                    Any advice is given in good faith and without warranty.

                    Please give reputation points if somebody has helped you.

                    "For by now I could have stretched out my hand and struck you and your people with a plague that would have wiped you off the Earth." (Exodus 9:15) - I could kill you with my thumb.

                    "Everything that lives and moves will be food for you." (Genesis 9:3) - For every animal you don't eat, I'm going to eat three.

                    Comment


                    • #11
                      Re: Affixing a GPO to a group.

                      Originally posted by Kayden View Post
                      So I would apply the GPO to the Groups folder and then remove "Authenticated Users" and instead place in the proper group/members?
                      Yep, that's the way

                      Comment

                      Working...
                      X