Applying GPO to Group Not Working: Any Ideas?

  • Applying GPO to Group Not Working: Any Ideas?

    Here is my scenario. I've recently started to clean up a messy Group Policy Management.

    At the same time that I am doing this, I have associates who want all the computers to be put back into the "Computers" folder in "Active Directory Users and Computers". They want the same done for all of the "Users" as well (to be put back in the default "Users" folder). They like this because it is simpler for them to look in one place and see everything.

    Right now I have a bunch of different Organizational Units for different buildings and offices and I apply my GPOs to the Organizational Units.

    So what I have tried to do in order to please my work associates as well and still implement my Group Policy Objects is:

    [Active Directory Users and Computers]
    • Move all users back to "Users" and all computers back to "Computers" in users
    • Create a new Organizational Unit called "Group Policies"
    • Inside the "Group Policies" organizational unit I created a sub organizational unit named "Create Desktop Shortcut"
    • Inside "Create Desktop Shortcut" organizational unit I then created a Group (global/security) called "Group1"
    • I then made all the users that I wanted to be affected by the GPO I was going to put in place part of this "Group 1" group. This way I have all the users I want affected linked inside my "Create Desktop Shortcut" organizational unit (via "Group1" group membership) while their actual user accounts are still in the default Users folder.

    [Group Policy Management]
    • Put my "Create Desktop Shortcut" GPO inside the "Create Desktop Shortcut" Organizational Unit (since this is where the "Group1" group resides)
    • On the scope tab for the "Create Desktop Shortcut" GPO added the "Group1" group in the security filtering section
    • In the delegation tab for the "Create Desktop Shortcut" added "Group1" for read only access

    After doing this the policy is not working. It worked before whenever the users were directly inside the OU it was being applied to, but after putting the users back into their default "user" folder and then applying the policy to a group that the users were part of instead it is no longer working. This should be something that is simple to implement.

    Maybe this example layout will help

    AD Users & Computers
    Domain Controllers
    --User 1
    --User 2
    --User 3
    Group Policy (OU)
    --Create New Shortcut (Sub OU)
    ----Group1 (Members: User 1, User 2)

    Group Policy Management
    --Domain Controllers
    --Group Policy (OU)
    ----Create New Shortcut (Sub OU)
    ------GPO: Create New Shortcut (With Group 1 added under scope and delegation in properties)

    So with this setup, shouldn't my "Create New Shortcut" GPO be applying to User 1 and User 2? I'm lost and any help would be greatly appreciated.


  • #2
    Re: Applying GPO to Group Not Working: Any Ideas?

    Yes, it doesn't work. It doesn't work because Group Policies apply to objects in their path (Scope of Management). None of the objects that you want to apply the Group Policy to are in the path of the Group Policy, because the Group Policy is linked to an OU where none of the objects live (computers and users).

    You need to link the GPO to the domain if all of the users and computers are in the default containers (Users and Computers containers).


    • #3
      Re: Applying GPO to Group Not Working: Any Ideas?

      So Group Policy cannot be applied directly to groups in the manner that you are attempting.

      A GPO has two sections, User configuration and Computer configuration. When you link a GPO to an OU, the settings found in the User section apply to the user objects in the OU. The settings found in the Computer section apply to the computers in the OU.

      Unfortunately, you cannot link GPOs to the Computer Container, nor the User container.

      Now, there is a concept called Security Filtering that can be used when you want to apply a GPO to a portion of the objects in an OU. Say you want to apply a GPO to users, but not all in the OU. You could create a group, add the users that you want to filter, then in the properties of the OU, permissions tab, you can modify the ACL so that you control who can read and apply the policy. The security filtering technique requires some more experience and higher comfort level when working with GPOs.
      JM @ IT Training & Consulting


      • #4
        Re: Applying GPO to Group Not Working: Any Ideas?

        sorry joeqwerty...we must have been typing at the same time...
        JM @ IT Training & Consulting


        • #5
          Re: Applying GPO to Group Not Working: Any Ideas?

          Originally posted by [JM]:
          sorry joeqwerty...we must have been typing at the same time...

          As they say "Great minds..."


          • #6
            Re: Applying GPO to Group Not Working: Any Ideas?

            Yea thanks for the input. I found an article right before I checked back here that basically said the same thing.

            So I basically kept everything the same but I removed authenticated users from who the policy was applied to and only kept my group in who it gets applied to. I then moved the GPO directly below the domain so that it actually hits the users folder as well and it works now but the hierarchy just doesn't look as pretty as it could if it would work the other way.

            Thanks for the help.

            And I'm typing on a phone so there may be mistakes
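
The setup discussed in posts #2 and #6 (GPO linked at the domain, scoped to one group by security filtering), as an added PowerShell example that is not part of the original thread. It uses the GPO and group names from the first post and assumes the RSAT GroupPolicy and ActiveDirectory modules; unlike post #6, it leaves Authenticated Users with Read only rather than removing it, because since MS16-072 user policy is retrieved in the computer's security context and the computer account must be able to read the GPO.

```powershell
# Added example, not from the thread. Run as a Group Policy admin on a
# machine with the RSAT GroupPolicy and ActiveDirectory modules installed.
Import-Module GroupPolicy, ActiveDirectory

$GpoName   = 'Create Desktop Shortcut'   # GPO name used in the first post
$GroupName = 'Group1'                    # filter group used in the first post
$DomainDN  = (Get-ADDomain).DistinguishedName

# 1. Show where the group's members actually live. Accounts under CN=Users
#    or CN=Computers are in containers, which cannot have GPO links, so only
#    a link at the domain (or site) level can reach them.
Get-ADGroupMember -Identity $GroupName -Recursive |
    Select-Object Name, objectClass, distinguishedName

# 2. Link the GPO at the domain root unless it is already linked there.
$linked = (Get-GPInheritance -Target $DomainDN).GpoLinks |
    Where-Object DisplayName -eq $GpoName
if (-not $linked) {
    New-GPLink -Name $GpoName -Target $DomainDN -LinkEnabled Yes
}

# 3. Security filtering: only the group gets Read + Apply group policy.
Set-GPPermission -Name $GpoName -TargetName $GroupName `
    -TargetType Group -PermissionLevel GpoApply

# 4. Downgrade Authenticated Users from Apply to Read. -Replace is needed
#    because a lower level does not overwrite an existing higher one.
Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' `
    -TargetType Group -PermissionLevel GpoRead -Replace

# 5. Review the resulting ACL: the group should show GpoApply and
#    Authenticated Users GpoRead.
Get-GPPermission -Name $GpoName -All |
    Select-Object @{ n = 'Trustee'; e = { $_.Trustee.Name } }, Permission
```

After the next policy refresh, `gpresult /r /scope:user` on a client shows whether the GPO was applied or filtered out for the logged-on user.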


            • #7
              Re: Applying GPO to Group Not Working: Any Ideas?

              Your associates are wrong. Don't put users and computers in the containers;
              set up specific OUs for them (there's a difference).

              GPOs can only apply to objects within OUs, not within containers.

              If all your users are in the users OU, then it's all still in one place, and 'simple'.
              Please do show your appreciation to those who assist you by leaving Rep Point


              • #8
                Re: Applying GPO to Group Not Working: Any Ideas?

                Containers are still at the Domain level -- purely an administrative convenience to avoid having lots of users or computers sitting at the root of the domain.
                Tom Jones
                MCT, MCSE (2000:Security & 2003), MCSA:Security & Messaging, MCDBA, MCDST, MCITP(EA, EMA, SA, EDA, ES, CS), MCTS, MCP, Sec+
                PhD, MSc, FIAP, MIITT
                IT Trainer / Consultant
                Ossian Ltd

                ** Remember to give credit where credit is due and leave reputation points where appropriate **


                • #9
                  Re: Applying GPO to Group Not Working: Any Ideas?

                  Just to clarify, you cannot link GPOs to the default containers but any policies applied at the domain or site level will still apply to those containers.
                  Caesar's cipher - 3


                  SFX JNRS FC U6 MNGR