locked
Group policy on Security Group RRS feed

  • Question

  • Hi,

    i am looking for applying a group policy to a group. Group members are exists at different OU's. & Each OU has own policy applied on it.

    Is it possible? I am on Windows server 2008 R2 DC. Domain/Forest functional level 2003.

    Wednesday, November 7, 2012 5:59 PM

Answers

  •  
    > i am looking for applying a group policy to a group. Group members are
    > exists at different OU's. & Each OU has own policy applied on it.
     
    Opposite to the name, "Group policies" do NOT apply to groups - they
    only apply to accounts (users or computers) that are in the scope of the
    GPO. Security filtering just adds an additional layer of targeting.
     
    So if the users you are targeting are spread over various OUs, the GPO
    has to be linked "above" all of them in AD, which could mean "at domain
    level" (not best practice, btw.). And to make your GPO apply only to the
    users in question, put them all in a group and add this group to the GPO
    security filter (remove Authenticated Users, of course).
     
    regards, Martin
     

    NO THEY ARE NOT EVIL, if you know what you are doing: Good or bad GPOs?
    Wenn meine Antwort hilfreich war, freue ich mich über eine Bewertung! If my answer was helpful, I'm glad about a rating!
    • Proposed as answer by Cicely Feng Thursday, November 8, 2012 2:47 AM
    • Marked as answer by Exchange_support Thursday, November 8, 2012 9:35 AM
    Wednesday, November 7, 2012 7:52 PM

All replies

  • You have a couple of options when using security group filtering with a GPO where the members are in different OUs:

    1. Link the GPO at the domain level. As long as you do not block Group Policy inheritance at any of the OUs this should work.

    2. Link the GPO individually to all the OUs where the group members exist


    Alexei

    Wednesday, November 7, 2012 6:38 PM
  •  
    > i am looking for applying a group policy to a group. Group members are
    > exists at different OU's. & Each OU has own policy applied on it.
     
    Opposite to the name, "Group policies" do NOT apply to groups - they
    only apply to accounts (users or computers) that are in the scope of the
    GPO. Security filtering just adds an additional layer of targeting.
     
    So if the users you are targeting are spread over various OUs, the GPO
    has to be linked "above" all of them in AD, which could mean "at domain
    level" (not best practice, btw.). And to make your GPO apply only to the
    users in question, put them all in a group and add this group to the GPO
    security filter (remove Authenticated Users, of course).
     
    regards, Martin
     

    NO THEY ARE NOT EVIL, if you know what you are doing: Good or bad GPOs?
    Wenn meine Antwort hilfreich war, freue ich mich über eine Bewertung! If my answer was helpful, I'm glad about a rating!
    • Proposed as answer by Cicely Feng Thursday, November 8, 2012 2:47 AM
    • Marked as answer by Exchange_support Thursday, November 8, 2012 9:35 AM
    Wednesday, November 7, 2012 7:52 PM