Re: help on GPO and group

Tech-Archive recommends: Fix windows errors by optimizing your registry

From: "Ken Aldrich" <supportw@xxxxxxxxxxxxxxx>
Date: Mon, 9 Apr 2007 17:14:10 -0500

Everything that Roger said is correct. Let me try to place it in simpler
terms for you.

Edit the GPO and go to Properties. Now go to the security tab. You may
notice you can have some control over the "Apply Group Policy" permission.
You should adjust the permissions in this access control list such that only
the users in your group have the "Apply Group Policy" permission. To do
this add the group to the access control list and grant them the "Apply
Group Policy" permission. Now, remove the "Apply Group Policy" permission
from any users or groups that you do not want to have to policy applied to.
Link the GPO to the OU that has all of your users in it (the users you had
originally added to the new security group that you created).

You might also want to do a little cleanup. Move the security group that
you created into the OU that you would normally keep such a group in. Now
you may remove that extra OU you created.

--
Ken Aldrich
DSRAZOR for Windows
Visual Click Software, Inc.
www.visualclick.com

"Roger Abell [MVP]" <mvpNoSpam@xxxxxxx> wrote in message
news:%238qhEedeHHA.4032@xxxxxxxxxxxxxxxxxxxxxxx

"Aviad" <aviad@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:%233W1AJbeHHA.4868@xxxxxxxxxxxxxxxxxxxxxxx

I added a new OU and put in a global security group.
i added a few users to the group.
when i set apolicy on this OU ( with only this group in it) nothing
happens
but if i put the users in the group in the OU it works fine....

cant i run a policy on a group?!

What you report is expected behavior.
A linked GPO affects only computer and/or user objects
that are with its scope (based on where it is linked).
Groups are used in group policy to filter to which of the
objects within the GPO's scope the GPO is apply. The
default security group filtering is Authenticated Users,
which means any and all users and computers within
the scope of the GPO's linkage.
See referemces at www.microsoft.com/gp

References:
- help on GPO and group
  - From: Aviad
- Re: help on GPO and group
  - From: Roger Abell [MVP]

Prev by Date: Re: Loopback processing, roaming profiles, folder redirection for domain-member laptops
Next by Date: Questions about domain password policies
Previous by thread: Re: help on GPO and group
Next by thread: Re: Temporary Access
Index(es):
- Date
- Thread

Relevant Pages

Re: GPO testing
... Group policy actually has nothing to do with groups. ... NOT work if user account is not in OU where GPO is linked? ... I put the users into a security group under the OU. ... - In Active Directory Users and Computers created an OU under the ...
(microsoft.public.windows.group_policy)
Re: GPO testing
... If I go into Active Directory Users and Computers -> Users and right click on a user and then go to "Add to group.." ... Group policy actually has nothing to do with groups. ... GPO will NOT work if user account is not in OU where GPO is linked? ... I put the users into a security group under the OU. ...
(microsoft.public.windows.group_policy)
Re: GPO testing
... Here are the steps I used to create and link the GPO: ... Placed two users in the security group Test Group. ... Went to GPMC and right clicked on Group Policy Results and selected ... Test Group on my XP workstation. ...
(microsoft.public.windows.group_policy)
Re: Security Groups in OUs
... > APPLY GROUP POLICY rights to the GPO. ... > Let's say that you have an OU in which there are 55 user account objects. ... If one does not already exist, create a security group that ...
(microsoft.public.win2000.group_policy)
Re: TS Security settings
... Essentially you are using GPO Loopback Processing in replace mode. ... Authenticated Users from the security and replace it with a security group ... > Why do you have the Terminal Server in the group policy? ...
(microsoft.public.windows.terminal_services)