group policies to machines and users inside a single OU

  • group policies to machines and users inside a single OU

    If user accounts and computer accounts are placed in the same single OU, will group policies get applied to both users and computers if I do it via that OU's group policy? I mean, will both sections (computer config and user config) of the OU's group policy work?
    Is it a better idea to separate machine accounts and user accounts into two different OUs?

    Thanks in advance.

  • #2
    The way you create your OUs is mostly based upon business and management needs. You may want to have both users and computers under the same OU in order to have them under the same GPO or for delegation needs. But you can also have users and computers in separate OUs but still nested under one parent OU.

    As for performance issues - I'm not aware of any, not with the size of your network.

    Daniel Petri
    Microsoft Most Valuable Professional - Active Directory Directory Services


    • #3
      group policy

      A problem has occurred on the network that I manage. In AD I have created an OU purely for laptops, and a GPO has been configured. I manage 2 domains; a user has asked for access on the second domain (both on separate forests). The user could not access a start menu, so in group policy I went into User Configuration\Windows Settings\Folder Redirection and set the path for the start menu. Now all laptops belonging to this OU get problems with access to the SQL server, so I reverted that policy setting back to its old setting.

      However, the problem still occurs. In my 2 years' experience as a network administrator this is the first time that I have experienced such a thing. The 200 server has service pack 2.

      Any help would be greatly appreciated.
      Beauty is in the eyes of the beholder


      • #4
        Not sure this is the same issue, but in your situation you might want to check whether GPO processing for this particular client has been done in loopback mode.

        As this is W2K AD, your trusts are obviously NTLM and not transitive. In W2K3, with Kerberos transitive trust, loopback processing is turned on by default when you do cross-forest logons.
        Also, there were a lot of GPO-related changes after SP2. You might want to turn on GPO verbose debugging to see what GPOs are actually applied and in which mode.

        As for the original question: with the size of your network it really does not matter - the logon process + application of GPOs do not usually take more than 170K (if I remember correctly).
        Guy Teverovsky
        "Smith & Wesson - the original point and click interface"


        • #5
          Thanks guys.
          I think I'll go with the second option you mentioned, Daniel: users and computers in separate OUs but still nested under one parent OU.
          Just to kill my curiosity, what is this "loopback mode" anyway?!
          In ADUC, under a computer object's properties, there's a tick box "Trust for Delegation" or something like that. What is this delegation?


          PS: I've got another question, I think I'll start a new thread here, please take a look.
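
Added example (not part of the thread, and not code from any poster): a simplified Python model of how domain and OU-linked GPOs are collected for a computer and a user, covering the same-OU and separate-OU layouts discussed above and the merge and replace loopback modes. The OU names, GPO names and settings are constructed, and the model leaves out local and site GPOs, Block Inheritance, No Override and security filtering.

```python
# Simplified model of OU-linked Group Policy processing (added example).
# Assumption: only OU links matter; no filtering, blocking or enforcement.

# Constructed sample data: OU paths are tuples from the top-level OU down.
GPOS = {
    "Dept-GPO":   {"computer": {"screensaver_lock": "on"},
                   "user":     {"start_menu": "dept-default"}},
    "Laptop-GPO": {"computer": {"firewall": "strict"},
                   "user":     {"start_menu": "redirected"}},
    "Staff-GPO":  {"computer": {"firewall": "relaxed"},
                   "user":     {"start_menu": "staff", "drive_map": "H:"}},
}
LINKS = {
    ("Dept",):           ["Dept-GPO"],
    ("Dept", "Laptops"): ["Laptop-GPO"],
    ("Dept", "Staff"):   ["Staff-GPO"],
}

def gpos_for(ou_path):
    """GPOs in processing order: parent OUs first, the object's own OU last."""
    ordered = []
    for depth in range(1, len(ou_path) + 1):
        ordered += LINKS.get(ou_path[:depth], [])
    return ordered

def merge(gpo_names, section):
    """Apply one section of each GPO in order; a later GPO wins a conflict."""
    result = {}
    for name in gpo_names:
        result.update(GPOS[name][section])
    return result

def computer_config(computer_ou):
    # Computer Configuration follows the location of the computer account.
    return merge(gpos_for(computer_ou), "computer")

def user_config(user_ou, computer_ou, loopback=None):
    # User Configuration normally follows the location of the user account.
    if loopback == "replace":    # only the computer's GPO list is used
        names = gpos_for(computer_ou)
    elif loopback == "merge":    # user's list first, computer's list last (wins)
        names = gpos_for(user_ou) + gpos_for(computer_ou)
    else:
        names = gpos_for(user_ou)
    return merge(names, "user")

if __name__ == "__main__":
    print(computer_config(("Dept",)), user_config(("Dept",), ("Dept",)))
    print(user_config(("Dept", "Staff"), ("Dept", "Laptops"), "merge"))
```

With both accounts in `Dept`, each section of `Dept-GPO` applies to its own object type; in the split layout, the user section of `Laptop-GPO` reaches a user only when loopback is enabled on the laptop.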