Announcement

Collapse
No announcement yet.

Question on creating GPO's and linking them.

Collapse
X
  • Filter
  • Time
  • Show
Clear All
new posts

  • Question on creating GPO's and linking them.

    Hi,

    I created a GPO for setting the background on users machines.. I did it using gpmc.msc and setting User Configuration -> Administrative Templates -> Desktop -> Active Desktop.

    I then linked that GPO to an OU that I had created, with the Security Filtering field left to the default of Authenticated Users..

    The GPO was filtered out on the computers that were in the OU that the GPO was linked to.

    Can anyone give thoughts as to why?

    When I changed the linkage to the domain itself, and changed the Security Filtering from Authenticated Users to a more specific Group, it worked just fine..

    Thanks
    David

  • #2
    Re: Question on creating GPO's and linking them.

    Anything in the User Configuration of a GPO only applies to users. So if you want it to affect users then you need to link it to an OU that contains users. Linking it to an OU full of computers will have no effect.

    Change the filtering back to the default (Authenticated Users) and link it to an OU and move the users you want affected by the GPO to said OU.
    Regards,
    Jeremy

    Network Consultant/Engineer
    Baltimore - Washington area and beyond
    www.gma-cpa.com

    Comment


    • #3
      Re: Question on creating GPO's and linking them.

      Jeremy,

      Thanks for that.. Let me ask a quick follow up question then.. How does an OU differ from a Group that you put users in?

      I was under the impression that a OU was primarily for computers.. ie... a Group for computers...

      Thanks
      David

      Comment


      • #4
        Re: Question on creating GPO's and linking them.

        Sure. It's a good question and lets see if I can do it justice.

        (Security) Groups are for granting permissions and privileges to a group of user, computers, and group or any combination thereof. (yes, you can put computers in those same groups you created for the users) An example of permissions would be the ability to read or modify a file or create or delete an object in an OU. An example of a privilege would be something like shutting down the computer or changing the system time.

        Organizational Units are used to organize objects in Active Directory, separate and delegate administration of objects, and to apply settings (GPOs) to a group of objects.

        Others, please feel free to correct or add to my comments.
        Regards,
        Jeremy

        Network Consultant/Engineer
        Baltimore - Washington area and beyond
        www.gma-cpa.com

        Comment


        • #5
          Re: Question on creating GPO's and linking them.

          Jeremy,

          That's great, it clears some stuff up for me..

          Thanks a ton!

          When applying a GPO, you can apply it specifically to a group of users that are located in an OU (Or the domain itself), instead of to the entire OU.. Would that be correct?

          So an OU could be used to contain a location, say an OU for one office, and another OU for office #2..

          Then you could create a Group of Laptop Users, and one for Workstation Users.. Then add those Groups to the OU for Office #1.. Then repeat the process for the OU for Office #2.. And you could have sepeate settings for each of those OU's..

          Or just create a Mobile Group, and a Workstation Group, then add those two groups to BOTH OU's.. Then all the settings would be shared for users of those two groups, no matter which OU they fall in..

          Am I thinking correctly?

          Thanks
          David

          Originally posted by JeremyW View Post
          Sure. It's a good question and lets see if I can do it justice.

          (Security) Groups are for granting permissions and privileges to a group of user, computers, and group or any combination thereof. (yes, you can put computers in those same groups you created for the users) An example of permissions would be the ability to read or modify a file or create or delete an object in an OU. An example of a privilege would be something like shutting down the computer or changing the system time.

          Organizational Units are used to organize objects in Active Directory, separate and delegate administration of objects, and to apply settings (GPOs) to a group of objects.

          Others, please feel free to correct or add to my comments.

          Comment


          • #6
            Re: Question on creating GPO's and linking them.

            You're getting close.
            Originally posted by dwessell View Post
            When applying a GPO, you can apply it specifically to a group of users that are located in an OU (Or the domain itself), instead of to the entire OU.. Would that be correct?
            Yes. This would be the Security Filtering.

            So an OU could be used to contain a location, say an OU for one office, and another OU for office #2..
            Yes, you could organize AD based on location. You would simply move the computers and users (and printers, contacts, groups, etc if you so desired) to their respective OU.

            Then you could create a Group of Laptop Users, and one for Workstation Users.. Then add those Groups to the OU for Office #1.. Then repeat the process for the OU for Office #2.. And you could have sepeate settings for each of those OU's..

            Or just create a Mobile Group, and a Workstation Group, then add those two groups to BOTH OU's.. Then all the settings would be shared for users of those two groups, no matter which OU they fall in..
            Not quite. I find that it's on this point that most of the confusion occurs with group policy processing.

            GPOs can only be applied to Users and Computers but you can "filter" what users and computers apply the GPO based on group membership. GPOs are linked to OUs, Domains, and Sites and any user object or computer object under it in the hierarchy will apply that GPO providing Security Filtering and Block Inheritance permit it.

            Also keep in mind that computers will process the Computer Configuration and users will process the User Configuration
            Regards,
            Jeremy

            Network Consultant/Engineer
            Baltimore - Washington area and beyond
            www.gma-cpa.com

            Comment

            Working...
            X