none
Unable to apply GPO to computers within a security group

    Question

  • Hi all,

    I tried searching for solution but I haven't found anything so far.

    I'm running Win server 2003 and I linked a software deploy policy to an OU containing a global security group with 10 member computers.  On the GPO security filtering, I have removed the authenticated users and added the computer group (which have read and apply group policy rights).  I also rebooted both domain controllers (one at a time).

    The problem I'm having is the software I'm trying to deploy remotely isn't applying to the member computers. When I have the authenticated users added to GPO's security filtering and move the computer directly to the OU, the installation works.  I'm not sure why the GPO isn't applying to the computers in the security group.

    Appreciate any help.

    Thanks,

    Thursday, November 22, 2012 9:26 PM

All replies

  • GPOs do NOT apply to groups - the computers themselves have to be in the scope of management (means "the OU you linked the GPO to"). The name "Group Policy" is misleading in that case...

    NO THEY ARE NOT EVIL, if you know what you are doing: Good or bad GPOs?
    Wenn meine Antwort hilfreich war, freue ich mich über eine Bewertung! If my answer was helpful, I'm glad about a rating!

    Thursday, November 22, 2012 9:32 PM
  • Hi,

    Member computers should be put into OU directly which the GPO linked to. GPO could only be linked to domain, site or OU, never a group. Security filtering just adds an additional layer of targeting.

    Regards,
    Cicely


    Friday, November 23, 2012 3:19 AM
    Moderator
  • Thanks for the quick replay guys.

    I understand that you cant apply a gpo to a group directly, which is why i applied it to the OU which contains my computer group. Shouldn't it work like a kind of shortcut linking the member computers to that specific OU?

    Maybe a better question would be how can I deploy software over the network to computer security groups.  I'm trying to have all computers in a single OU but I want to deploy software to individual groups. For example Marketing Computer Group will have a different set of software deployed than Accounting Computer Group.

    Tuesday, November 27, 2012 8:38 PM
  • AFAIK ,You have to create multiple GPO for each department link them with security filtering.Keep remember GPO will be applied on computers accounts only not on any group but we are using groups for filtering purpose. 

    Best regards Biswajit Biswas Disclaimer: This posting is provided "AS IS" with no warranties or guarantees , and confers no rights. MCP 2003,MCSA 2003, MCSA:M 2003, CCNA, MCTS, Enterprise Admin

    Wednesday, November 28, 2012 3:12 AM
  •  
    > I understand that you cant apply a gpo to a group directly, which is
    > why i applied it to the OU which contains my computer group. Shouldn't
    > it work like a kind of shortcut linking the member computers to that
    > specific OU?
     
    No it shouldn't. Groups only add an additional layer of filtering, but
    the targeted account (computer or user) HAS to be in the OU.
     
    > Maybe a better question would be how can I deploy software over the
    > network to computer security groups.  I'm trying to have all computers
    > in a single OU but I want to deploy software to individual groups. For
    > example Marketing Computer Group will have a different set of software
    > deployed than Accounting Computer Group.
    >
     
    Then deploy individual GPOs, and add the groups in question to the GPO
    security filter (remove AuthUsers, of course).
     
    regards, Martin
     

    NO THEY ARE NOT EVIL, if you know what you are doing: Good or bad GPOs?
    Wenn meine Antwort hilfreich war, freue ich mich über eine Bewertung! If my answer was helpful, I'm glad about a rating!
    Wednesday, November 28, 2012 1:25 PM

  •  Then deploy individual GPOs, and add the groups in question to the GPO
    security filter (remove AuthUsers, of course).
     
    regards, Martin
     

    This is what I have setup.

    Sales_GPO linked to Sales OU.  Sales_OU contains a security group called Sales_Computers.  Sales_GPO has Sales_Computer added to the security filter.  The server was rebooted too.  Beyond this I don't know what else I need to do to get this working.

    Friday, November 30, 2012 5:19 PM
  •  
    > Sales_GPO linked to Sales OU.  Sales_OU contains a security group
    > called Sales_Computers.  Sales_GPO has Sales_Computer added to the
    > security filter.
     
    And WHERE are the computers themselves? As long as they are NOT within
    Sales_OU, your GPO will not apply because it simply is out of scope...
    GPOs do not apply to groups (despite the name), they only apply to users
    or computers. Groups just add an additional layer of filtering through ACLs.
     

    NO THEY ARE NOT EVIL, if you know what you are doing: Good or bad GPOs?
    Wenn meine Antwort hilfreich war, freue ich mich über eine Bewertung! If my answer was helpful, I'm glad about a rating!
    Tuesday, December 04, 2012 9:45 PM