Re: Security Groups in OU

From: Roger Abell (mvpNOSpam_at_asu.edu)
Date: 08/26/04


Date: Thu, 26 Aug 2004 00:15:14 -0700


"Louie See" <louiesee@yahoo.com> wrote in message
news:%23rbYAKxiEHA.1048@tk2msftngp13.phx.gbl...
> Hello All
>
> Can a security group be in an OU and have a GPO linked to it? We tried this

GPOs are only "linked to" site, domain, or OU objects.

> scenario but only some of the GPO settings are pulled. If we place a
> member (as a test) of the security group in the same OU, all the settings
> are pulled and working correctly.

Expected behavior.
GPOs are applied to user and/or computer objects within
scope of where the GPO is linked.
Groups in the scope (as the group in the OU you mention) are irrelevant.
GPOs have a security list where grants of Read+Apply control which
user and/or computer object within the GPO's scope actually will have
the GPO applied to them. This is the only place the security groups
come into play for controlling application of GPOs.

> There are quite a bit of members in a
> number of security groups for us to sort one at a time.
>
> If GPO policy cannot be applied via a security group in an OU, is there a
> quick way we can list all the members of a security group and maybe do a
> drag and drop to the proper OU.
>
As Brian suggested, consider linking at a higher level, and using
security group filtering to control application of the GPO.
Since you said some things were applied before you moved the user
into the OU, I infer that you have both computer and user policies set
in this GPO. Hence, if you move it to a higher level, and then in the
security of the GPO remove Authenticated Users and replace this with
two grants of Read+Apply, one to Domain Computers and one to your
custom group of users, then you will have the net effect you are after.

You can inquire membership of a group with script, and then move
the user objects. This is however the knee-jerk response, as the next
time you want a set of policies in a GPO to be applied, and it is a
different collection of users in another custom group, then what to do?
You cannot move users without a plan as to how best to structure things.

> Thanks!
>
>

-- 
Roger Abell
Microsoft MVP (Windows Server System: Security)
MCSE (W2k3,W2k,Nt4)  MCDBA
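
The approach described in the reply above (link higher, then filter on Read+Apply), as an added example that is not part of the original post. It uses the GroupPolicy and ActiveDirectory PowerShell modules, which postdate this thread; the GPO name, OU path and group name are hypothetical placeholders.

```powershell
# Added example. All three names below are assumptions, not values from the thread.
$GpoName    = 'Example-Policy'               # hypothetical GPO
$LinkTarget = 'OU=Staff,DC=example,DC=com'   # hypothetical higher-level OU
$UserGroup  = 'Example-PolicyUsers'          # hypothetical custom user group

Import-Module GroupPolicy, ActiveDirectory

# 1. Link the GPO at the higher level unless it is already linked there.
$linked = (Get-GPInheritance -Target $LinkTarget).GpoLinks.DisplayName
if ($linked -notcontains $GpoName) {
    New-GPLink -Name $GpoName -Target $LinkTarget | Out-Null
}

# 2. Security filtering: grant Read+Apply (GpoApply) to Domain Computers and
#    the custom user group first, then take Authenticated Users off the list.
foreach ($principal in 'Domain Computers', $UserGroup) {
    Set-GPPermission -Name $GpoName -TargetName $principal `
        -TargetType Group -PermissionLevel GpoApply | Out-Null
}
Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' `
    -TargetType Group -PermissionLevel None -Replace | Out-Null

# 3. Review the resulting security list on the GPO.
Get-GPPermission -Name $GpoName -All |
    Select-Object @{ n = 'Trustee'; e = { $_.Trustee.Name } }, Permission

# 4. Filtering only narrows the link scope, it never widens it. List group
#    members whose accounts sit outside the linked OU subtree: they hold
#    Read+Apply but are not in scope, so the GPO will not reach them.
Get-ADGroupMember -Identity $UserGroup -Recursive |
    Where-Object {
        $_.objectClass -eq 'user' -and
        $_.distinguishedName -notlike "*,$LinkTarget"
    } |
    Select-Object SamAccountName, distinguishedName
```

Step 4 compares distinguished names only; it does not account for Block Inheritance on child OUs or for other links of the same GPO.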

