RE: GPO not being applied to OU

Tech-Archive recommends: Fix windows errors by optimizing your registry

if you're trying to target computer accounts with computer specific policies
in the GPO you absolutely have to link to the computer OU or the parent OU
above it. Don't forget to put the authenticated users Read and Apply Group
policy permission back in, or it will not apply to the computers. Don't worry
about "guest" users from other OUs, the user policies will not apply to them
unless they are in an OU that has the GPO linked to it. good luck.

"Mike W" wrote:

> We figured that the computers were part of the "authenticated users" group.
> But we didn't try linking the GPO to the "workstations OU" as yet. Will try
> that later when most of the users aren't online, just in case murphy decides
> to visit me again this week.
>
> Thanks for the info. GPO is starting to become clear in my mind..... ok, no
> it's not heheh
>
> "Dave" wrote:
>
> > although you wouldn't think so, authenticated users also contains computer
> > accounts as well. when the computer that is part of the domain boots up, it
> > actually authenticates with a local domian controller. this then makes it a
> > member of the authenticated users group. I am looking for information on this
> > "Special Identity Group" but having a hard time finding it. and yes,
> > "visiting users" from another OU would have permission to have the GPO
> > applied (because as you stated they are in teh authenticated users group) but
> > it won't apply because they aren't in the OU itself.....it would never
> > attempt to apply it to them.
> >
> > After reading
> > your scenario again though, it sounds like you are applying the GPO only to
> > the users OU...only user settings will affect that OU and its users, computer
> > settings will be ignored (assuming there are no computer accounts in
> > it)....you will need to also link the GPO to the computers OU (or created a
> > new GPO with computer settings and link it).
> >
> >
> > "Mike W" wrote:
> >
> > > I was under the impression that "authenticated users" meant everyone that was
> > > authorized to logon the network, regardless of what OU they belong to. All
> > > the reference material I have read leans towards that line of thought,
> > > although none of them seem to state it directly.
> > >
> > > "Dave" wrote:
> > >
> > > > I believe you need to readd authenticated users, as that would include the
> > > > computer accounts that you wish to apply it to. visitors from other OUs will
> > > > not have user policies applied, as they only apply to users within the OU you
> > > > link the GPO to. remember that computer GPO settings will only apply to
> > > > computer accounts and the GPO must be linked to the OU that contains the
> > > > computer accounts.
> > > >
> > > > "Mike W" wrote:
> > > >
> > > > > We have a GPO setup in an OU with the following child OUs: Users,
> > > > > Workstations. The GPO is being applied to the users, but not the
> > > > > workstations. rsop.msc shows only the local policy in place for the computer
> > > > > configuration section of the policy. gpresult.exe says "not applied (reason
> > > > > unknown)" for the computer configuration.
> > > > >
> > > > > In looking at security settings for the GPO, Authenticated users was removed
> > > > > and replaced with the group containing the users listed in the Users OU.
> > > > > This was done to prevent the policy from being applied to "visitors" from
> > > > > other OUs. But by doing this, didn't we end up excluding the computers in
> > > > > our OU as well? If so, how would we repair this? Link the GPO to the
> > > > > Workstations OU? Change the security setting on the parent OU for the GPO?
> > > > > Would this include having to create a security group with all the computers
> > > > > listed?
> > > > >
> > > > > Thanks for the enlightenment.
.

Relevant Pages

  • Remove Add or Remove Programs GPO Question
    ... Programs" GPO but with the following stipulations: ... I have created an OU with the desktop computer accounts and an OU with the ... Authenticated Users - Allow Apply Group Policy ...
    (microsoft.public.windows.server.active_directory)
  • RE: GPO UPdate ??
    ... I went to client and did the gpupdate /force and I did that at the server ... On this same thread I am trying to add more items to my gpo. ... Do I need the same In the Security Filtering list, Authenticated Users? ... Microsoft CSS Online Newsgroup Support ...
    (microsoft.public.windows.server.sbs)
  • RE: GPO not being applied to OU
    ... accounts as well. ... member of the authenticated users group. ... "visiting users" from another OU would have permission to have the GPO ... the users OU...only user settings will affect that OU and its users, ...
    (microsoft.public.windows.group_policy)
  • Re: Group Policy Applying sequence and result
    ... If you configureAD sites and subnets the machine belong to one site where a gpo is linked to ... Authenticated users includes all users whose identities were authenticated when they logged on. ... displaying how GPOs flow with an inheritance example question/answer ...
    (microsoft.public.windows.server.active_directory)
  • RE: GPO UPdate ??
    ... I went to client and did the gpupdate /force and I did that at the server ... On this same thread I am trying to add more items to my gpo. ... Do I need the same In the Security Filtering list, Authenticated Users? ...
    (microsoft.public.windows.server.sbs)