  1. #1
    Super Moderator BATcher's Avatar
    Join Date
    Feb 2008
    Location
    A cultural area in SW England
    Posts
    2,854
    Thanks
    19
    Thanked 110 Times in 104 Posts

    OUs, Groups and Users (2003SP2)

    Having managed to avoid Organisational Units in Active Directory until now, I am having to set one up so that a Group Policy can be applied to it. I have a Security Group which contains a number of User accounts.

    Is there any difference between any of the following situations:

      • Moving the individual Users into the OU and leaving the Group where it is in "Users"
      • Moving the Group into the OU, and leaving the Users where they are, in "Users"
      • Moving both into the OU

    You may ask "why have a group at all?", and my answer would be "so that I don't have to change the Security Filtering in the Group Policy if a new user is added"...

    Any comments or better suggestions gratefully received!
    BATcher

    Dear Diary, today the Hundred Years War started ...

  2. #2
    Plutonium Lounger
    Join Date
    Nov 2001
    Posts
    10,550
    Thanks
    0
    Thanked 7 Times in 7 Posts

    Re: OUs, Groups and Users (2003SP2)

    To prevent errors when adding a new user you want the choice that means you only have to add the users to one thing.

    Your first and third options require the users to be added to an OU and a group
    Your second option requires the users to just be added to the group

    Does this second option actually work correctly? If so then it looks like the best option to me.

    StuartR

  3. #3

    Re: OUs, Groups and Users (2003SP2)

    Thanks, Stuart - I shall try the 'minimum effort' solution now, since it would seem that you don't foresee any problems with this.
    BATcher


  4. #4

    Re: OUs, Groups and Users (2003SP2)

    Hmmm. Unfortunately the Group Policy doesn't seem to be applied when just the group is moved to the OU - it seems you have to move the actual accounts to the OU.

    Yet another Group Policy thing that doesn't work the way that you (actually *I*) would expect!
    BATcher


  5. #5

    Re: OUs, Groups and Users (2003SP2)

    I was about to post a reply saying that I suspected moving the group to the OU might not actually work!

    StuartR

  6. #6

    Re: OUs, Groups and Users (2003SP2)

    But surely it ought to work?!
    BATcher


  7. #7

    Re: OUs, Groups and Users (2003SP2)

    GPOs are applied to users based on the Domain and OU membership. Security groups can then be used to further control this by preventing the GPO from applying to particular users.

    The normal way to achieve what I think you want is to apply the GPO at the domain level and then use the Group membership to control which users it actually applies to.

    Is there a reason you can't do it this way?

    StuartR

  8. #8

    Re: OUs, Groups and Users (2003SP2)

    The main reason is ignorance!

    I want a specific group policy to apply only to some users who log on to a terminal server, and not anywhere else. Having read quite a lot of usually irrelevant Stuff about group policy, and even understanding a percentage of it, this is the only way that seems to work! (If it wasn't so tedious setting up all the registry values in the relevant HKU entry, I'd do it there...)
    BATcher


  9. #9

    Re: OUs, Groups and Users (2003SP2)

    I think that this is what loopback processing is intended for.

      • Put the terminal servers into an OU (or Domain)
      • Apply your GPO to that OU (or domain)
      • Assign your users to a group
      • Make sure that only that group is able to access the GPO
      • Enable loopback processing so that the User attributes of this GPO override any other user attributes from other GPOs already applied

    StuartR
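
Added example, not part of the original posts: a small Python model of the scoping rules discussed in posts #7 and #9, showing which placements of user, group and GPO link make the user settings apply. All names (example.test, alice, TS01$, PC07$, TS-Restricted, Lockdown) are constructed, and the model covers only link scope, security filtering and merge-style loopback (no inheritance blocking, enforcement or WMI filters).

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class GPO:
    name: str
    link: str                 # DN of the domain or OU the GPO is linked to
    apply_to: frozenset       # security filtering: who holds Read + Apply
    loopback: bool = False    # GPO enables the computer-side loopback setting

def under(container, dn):
    """True if the object with this DN sits somewhere below the container."""
    return dn.lower().endswith("," + container.lower())

def allowed(gpo, name, groups):
    return bool(gpo.apply_to & ({name} | set(groups)))

def user_policy(gpos, user, computer):
    """GPOs whose user settings apply; user/computer are (name, dn, groups)."""
    (u_name, u_dn, u_groups), (c_name, c_dn, c_groups) = user, computer
    # Links are chosen by where the user object sits; a group's DN is never read.
    picked = [g for g in gpos if under(g.link, u_dn)]
    # Loopback is a computer setting: the computer must be able to apply it.
    if any(g.loopback and under(g.link, c_dn) and allowed(g, c_name, c_groups)
           for g in gpos):
        picked += [g for g in gpos if under(g.link, c_dn) and g not in picked]
    # Security filtering is always checked against the user.
    return [g.name for g in picked if allowed(g, u_name, u_groups)]

# Constructed sample directory (all names are made up for this example).
DOMAIN = "DC=example,DC=test"
TS_USERS, TS_SERVERS = "OU=TS Users," + DOMAIN, "OU=Terminal Servers," + DOMAIN
GROUP = frozenset({"TS-Restricted"})
ALICE = ("alice", "CN=alice,CN=Users," + DOMAIN, {"TS-Restricted"})
ALICE_MOVED = ("alice", "CN=alice," + TS_USERS, {"TS-Restricted"})
TS01 = ("TS01$", "CN=TS01," + TS_SERVERS, set())
PC07 = ("PC07$", "CN=PC07,CN=Computers," + DOMAIN, set())

def demo():
    ou_gpo = [GPO("Lockdown", TS_USERS, GROUP)]
    loop = [GPO("Lockdown", TS_SERVERS, GROUP | {"TS01$"}, loopback=True)]
    user_only = [GPO("Lockdown", TS_SERVERS, GROUP, loopback=True)]
    return {
        "group in OU, user in CN=Users": user_policy(ou_gpo, ALICE, TS01),
        "user moved into OU": user_policy(ou_gpo, ALICE_MOVED, TS01),
        "domain link, any computer": user_policy([GPO("Lockdown", DOMAIN, GROUP)], ALICE, PC07),
        "loopback, terminal server": user_policy(loop, ALICE, TS01),
        "loopback, other computer": user_policy(loop, ALICE, PC07),
        "loopback, computer filtered out": user_policy(user_only, ALICE, TS01),
    }
```

The last case returns an empty list because loopback is switched on by the computer side of a GPO, so a filter that admits only the user group leaves the terminal server unable to apply it.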

  10. #10

    Re: OUs, Groups and Users (2003SP2)

    It was the nonworkingness of loopback that made me move the users into the OU!
    BATcher


  11. #11

    Re: OUs, Groups and Users (2003SP2)

    That is very strange. The steps I described above worked last time I tried this, but that was with a Windows 2000 domain a few years ago.

    StuartR

  12. #12

    Re: OUs, Groups and Users (2003SP2)

    To be honest, Stuart, I've spent so much unproductive time on what should have been a (fairly) trivial problem that, having found a way that works, I'm going to stick with it. Life is too short to investigate all the possibilities of something where one's grasp of the material is so tenuous! (Maybe if I was younger...)
    BATcher
