Results 1 to 12 of 12
  1. #1
    Super Moderator BATcher's Avatar
    Join Date
    Feb 2008
    Location
    A cultural area in SW England
    Posts
    2,801
    Thanks
    18
    Thanked 106 Times in 100 Posts

    OUs, Groups and Users (2003SP2)

    Having managed to avoid Organisational Units in Active Directory until now, I am having to set one up so that a Group Policy can be applied to it. I have a Security Group which contains a number of User accounts.

    Is there any difference between any of the following situations:<UL><LI>Moving the individual Users into the OU and leaving the Group where it is in "Users"<LI>Moving the Group into the OU, and leaving the Users where they are, in "Users"<LI>Moving both into the OU[/list]You may ask "why have a group at all?", and my answer would be "so that I don't have to change the Security Filtering in the Group Policy if a new user is added"...

    Any comments or better suggestions gratefully received!
    BATcher

    Mr Owl ate my metal worm

  2. Subscribe to our Windows Secrets Newsletter - It's Free!

    Get our unique weekly Newsletter with tips and techniques, how to's and critical updates on Windows 7, Windows 8, Windows XP, Firefox, Internet Explorer, Google, etc. Join our 480,000 subscribers!

    Excel 2013: The Missing Manual

    + Get this BONUS — free!

    Get the most of Excel! Learn about new features, basics of creating a new spreadsheet and using the infamous Ribbon in the first chapter of Excel 2013: The Missing Manual - Subscribe and download Chapter 1 for free!

  3. #2
    Plutonium Lounger
    Join Date
    Nov 2001
    Posts
    10,550
    Thanks
    0
    Thanked 7 Times in 7 Posts

    Re: OUs, Groups and Users (2003SP2)

    To prevent errors when adding a new user you want the choice that means you only have to add the users to one thing.

    Your first and third options require the users to be added to an OU and a group
    Your second option requires the users to just be added to the group

    Does this second option actually work correctly? If so then it looks like the best option to me.

    StuartR

  4. #3
    Super Moderator BATcher's Avatar
    Join Date
    Feb 2008
    Location
    A cultural area in SW England
    Posts
    2,801
    Thanks
    18
    Thanked 106 Times in 100 Posts

    Re: OUs, Groups and Users (2003SP2)

    Thanks, Stuart - I shall try the 'minimum effort' solution now, since it would seem that you don't foresee any problems with this.
    BATcher

    Mr Owl ate my metal worm

  5. #4
    Super Moderator BATcher's Avatar
    Join Date
    Feb 2008
    Location
    A cultural area in SW England
    Posts
    2,801
    Thanks
    18
    Thanked 106 Times in 100 Posts

    Re: OUs, Groups and Users (2003SP2)

    Hmmm. Unfortunately the Group Policy doesn't seem to be applied when just the group is moved to the OU - it seems you have to move the actual accounts to the OU.

    Yet another Group Policy thing that doesn't work the way that you (actually *I*) would expect!
    BATcher

    Mr Owl ate my metal worm

  6. #5
    Plutonium Lounger
    Join Date
    Nov 2001
    Posts
    10,550
    Thanks
    0
    Thanked 7 Times in 7 Posts

    Re: OUs, Groups and Users (2003SP2)

    I was about to post a reply saying that I suspected moving the group to the OU might not actually work!

    StuartR

  7. #6
    Super Moderator BATcher's Avatar
    Join Date
    Feb 2008
    Location
    A cultural area in SW England
    Posts
    2,801
    Thanks
    18
    Thanked 106 Times in 100 Posts

    Re: OUs, Groups and Users (2003SP2)

    But surely it ought to work?!
    BATcher

    Mr Owl ate my metal worm

  8. #7
    Plutonium Lounger
    Join Date
    Nov 2001
    Posts
    10,550
    Thanks
    0
    Thanked 7 Times in 7 Posts

    Re: OUs, Groups and Users (2003SP2)

    GPOs are applied to users based on the Domain and OU membership. Security groups can then be used to further control this by preventing the GPO from applying to particular users.

    The normal way to achieve what I think you want is to apply the GPO at the domain level and then use the Group membership to control which users it actually applies to.

    Is there a reason you can't do it this way?

    StuartR

  9. #8
    Super Moderator BATcher's Avatar
    Join Date
    Feb 2008
    Location
    A cultural area in SW England
    Posts
    2,801
    Thanks
    18
    Thanked 106 Times in 100 Posts

    Re: OUs, Groups and Users (2003SP2)

    The main reason is ignorance!

    I want a specific group policy to apply only to some users who log on to a terminal server, and not anywhere else. Having read quite a lot of usually irrelevant Stuff about group policy, and even understanding a percentage of it, this is the only way that seems to work! (If it wasn't so tedious setting up all the registry values in the relevant HKU entry, I'd do it there...)
    BATcher

    Mr Owl ate my metal worm

  10. #9
    Plutonium Lounger
    Join Date
    Nov 2001
    Posts
    10,550
    Thanks
    0
    Thanked 7 Times in 7 Posts

    Re: OUs, Groups and Users (2003SP2)

    I think that this is what loopback processing is intended for.
    <UL><LI>Put the terminal servers into an OU (or Domain)
    <LI>Apply your GPO to that OU (or domain)
    <LI>Assign your users to a group
    <LI>Make sure that only that group is able to access the GPO
    <LI>Enable loopback processing so that the User attributes of this GPO override any other user attributes from other GPOs already applied[/list]StuartR

  11. #10
    Super Moderator BATcher's Avatar
    Join Date
    Feb 2008
    Location
    A cultural area in SW England
    Posts
    2,801
    Thanks
    18
    Thanked 106 Times in 100 Posts

    Re: OUs, Groups and Users (2003SP2)

    It was the nonworkingness of loopback that made me move the users into the OU!
    BATcher

    Mr Owl ate my metal worm

  12. #11
    Plutonium Lounger
    Join Date
    Nov 2001
    Posts
    10,550
    Thanks
    0
    Thanked 7 Times in 7 Posts

    Re: OUs, Groups and Users (2003SP2)

    That is very strange. The steps I described above worked last time I tried this, but that was with a Windows 2000 domain a few years ago.

    StuartR

  13. #12
    Super Moderator BATcher's Avatar
    Join Date
    Feb 2008
    Location
    A cultural area in SW England
    Posts
    2,801
    Thanks
    18
    Thanked 106 Times in 100 Posts

    Re: OUs, Groups and Users (2003SP2)

    To be honest, Stuart, I've spent so much unproductive time on what should have been a (fairly) trivial problem that, having found a way that works, I'm going to stick with it. Life is too short to investigate all the possibilities of something where one's grasp of the material is so tenuous! (Maybe if I was younger...)
    BATcher

    Mr Owl ate my metal worm

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •