Moving users to different OU but keeping GPOs

    Question

  • Hi

    IT management wants to move users from their current organizational units over to a new OU structure within the AD.


    Main problem is that users will end up in different organizational units so I can't just assign the GPOs to the target folder as it will hold other accounts too.

    How can I do this while keeping the same GPOs applied to the users?

    Thank you



    • Edited by Kman2k Friday, October 7, 2016 12:54 PM
    Friday, October 7, 2016 12:47 PM

Answers

  • Hi,
     
    On 07.10.2016 at 14:47, Kman2k wrote:
    > IT management wants to move users from their current organizational
    > units over to a new OU structure within the AD.[...] How can I do
    > this while keeping the same GPOs applied to the users?
     
    You cannot, without a lot of work.
     
    The GPO is linked to the OU and written to the gPLink attribute of an
    OU. Moving a user/computer from one OU to another will not affect the gPLink.
     
    Your AD layout is the problem in your case.
    You want an "object-based AD layout" but you probably run a
    "delegated/site-based AD layout".
     
    The only solution is to rearrange your structure, or the more complicated one is:
    - per GPO, create security filters per OU where they are linked to
    - integrate all users in their "OU-SecGroup"
    - link the GPOs in the right order to the destination OUs or on TOP of
    the OUs
    - move users
     
    Because of the security filter, only the "old" GPOs will apply.
     
    Idea:
    change the AD design to an object-based OU structure, link GPOs to the main
    "Users" OU and filter them by security groups. Beneath "Users" you can
    create a site-based or delegated AD layout.
    When moving users in this layout, all GPOs will still apply.
     Mark
    --
    Mark Heitbrink - MVP Group Policy - Cloud and Datacenter Management
     
    Homepage:  http://www.gruppenrichtlinien.de - German
     
    Tuesday, October 11, 2016 10:08 AM
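The four steps Mark lists (filter group per GPO and source OU, add the users, re-link in order, then move) as a PowerShell script. This is an added example, not code from the thread or from Mark; it assumes the RSAT ActiveDirectory and GroupPolicy modules, an account allowed to create groups, edit GPO permissions and link GPOs, and placeholder OU names that you must replace. It handles only GPOs linked directly at the source OU; links inherited from parent OUs and blocked inheritance are out of scope.

```powershell
# Added example (not from the thread). All distinguished names are placeholders.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$SourceOU = "OU=Sales,OU=OldStructure,DC=corp,DC=example"   # placeholder: OU the users leave
$TargetOU = "OU=Users,OU=Berlin,DC=corp,DC=example"          # placeholder: OU they move to
$GroupOU  = "OU=GPO-Filters,DC=corp,DC=example"              # placeholder: where filter groups live
$Tag      = "Sales"                                           # short name of the source OU

# Step 1: one security group per (GPO, source OU) pair, then security-filter the GPO to it.
$links  = (Get-GPInheritance -Target $SourceOU).GpoLinks | Where-Object Enabled
$groups = @{}
foreach ($link in $links) {
    $name = "GPO-" + ($link.DisplayName -replace '[^\w-]', '') + "-$Tag"
    if (-not (Get-ADGroup -Filter "Name -eq '$name'" -SearchBase $GroupOU)) {
        New-ADGroup -Name $name -GroupScope Global -GroupCategory Security -Path $GroupOU
    }
    # Keep Authenticated Users at Read (not Apply): since MS16-072 / KB3163622 the computer
    # account must still be able to read a user GPO, otherwise user settings stop applying.
    Set-GPPermission -Name $link.DisplayName -TargetName "Authenticated Users" `
        -TargetType Group -PermissionLevel GpoRead -Replace
    Set-GPPermission -Name $link.DisplayName -TargetName $name `
        -TargetType Group -PermissionLevel GpoApply
    $groups[$link.DisplayName] = $name
}

# Step 2: every user who currently receives these GPOs goes into each "OU-SecGroup".
$users = Get-ADUser -SearchBase $SourceOU -SearchScope Subtree -Filter *
foreach ($name in $groups.Values) { Add-ADGroupMember -Identity $name -Members $users }

# Step 3: link the GPOs to the destination OU in the same precedence order as the source OU.
# Each new link is appended after the links the target OU already has.
$existing = @((Get-GPInheritance -Target $TargetOU).GpoLinks.DisplayName)
foreach ($link in ($links | Sort-Object Order)) {
    if ($existing -notcontains $link.DisplayName) {
        New-GPLink -Name $link.DisplayName -Target $TargetOU -LinkEnabled Yes `
            -Order ($existing.Count + 1)
        $existing += $link.DisplayName
    }
}

# Step 4: move the users. Keep -WhatIf until the result has been checked in a test OU;
# gpresult /r on a moved test user should then list exactly the old GPOs.
$users | Move-ADObject -TargetPath $TargetOU -WhatIf
```

Because the security filter now restricts each GPO to its group, users already sitting in the target OU do not pick up the moved users' policies, which is the point of Mark's approach.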

All replies

  • Is a group-based filter an option for you?

    https://msdn.microsoft.com/en-us/library/aa373513(v=vs.85).aspx


    Santhosh Sivarajan | Houston, TX | www.sivarajan.com
    ITIL,MCITP,MCTS,MCSE (W2K3/W2K/NT4),MCSA(W2K3/W2K/MSG),Network+,CCNA

    My Books: | Windows Server Security | Windows Server 2012

    Blogs | Twitter | LinkedIn | Facebook|

    This posting is provided AS IS with no warranties, and confers no rights.

    Sunday, October 9, 2016 8:37 PM
  • Hi,

    According to my research, the current GPOs that are linked to the OU will still be linked/maintained after you move them so it shouldn't break anything. You can run a quick test with some test OUs to check.

    Please check the below similar thread:

    Moving an OU with a GPO....

    https://social.technet.microsoft.com/Forums/windowsserver/en-US/b205a697-ab0a-4ab9-806b-f6ea7d32443d/moving-an-ou-with-a-gpo?forum=winserverDS 

    Best Regards,

    Alvin Wang


    Please remember to mark the replies as answers if they help and unmark them if they provide no help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Monday, October 10, 2016 6:55 AM
    Moderator
  • Hi

    1. Answer to Santhosh: Thanks.  I think that is the route I have to take.  Couldn't find any other way

    2. Answer to Alvin: I am not moving the OUs.  I am moving the users within those OUs to different OUs and want to preserve their GPOs.  Thanks, but that is not the answer.

    Thank you both again

    Monday, October 10, 2016 9:35 PM
  • Hi,

    It's my mistake, I haven't read your requirement carefully. I did some research but no progress, it seems that Group based filter is the only way here.

    Best Regards,

    Alvin Wang


    Please remember to mark the replies as answers if they help and unmark them if they provide no help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Tuesday, October 11, 2016 8:18 AM
    Moderator
  • Hi,

    Just want to confirm the current situation.

    Please feel free to let us know if you need further assistance.

    Best Regards,

    Alvin Wang


    Please remember to mark the replies as answers if they help and unmark them if they provide no help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Friday, October 14, 2016 8:27 AM
    Moderator