Sign in with
Sign up | Sign in
Your question

Assigning GP's to OU's

Last response: in Windows 2000/NT
Share
Anonymous
a b 8 Security
November 1, 2004 4:13:04 PM

Archived from groups: microsoft.public.win2000.group_policy (More info?)

I want to be able to assign a Group Policy to an OU, but prefer to put a
Security Group into that OU rather than all of the individual users. Can
Group Policies be assigned that way or does the user object need to be within
the OU to be assigned the policy?

More about : assigning

Anonymous
a b 8 Security
November 2, 2004 12:07:58 PM

Archived from groups: microsoft.public.win2000.group_policy (More info?)

Hi

GPO's only apply to user or computer objects. You can't apply them based on
the OU membership of groups. You can however filter the application of
these GPO's to users by changing the security on the GPO to deny "Apply
Group Policy". For example, you may have a domain level policy that you'd
like to have applying to all users except Domain Admins. In this case you'd
set security so that Domain Admins are denied "Apply Group Policy".

Kind regards
--
Mark Renoden [MSFT]
Windows Platform Support Team
Email: markreno@online.microsoft.com

Please note you'll need to strip ".online" from my email address to email
me; I'll post a response back to the group.

This posting is provided "AS IS" with no warranties, and confers no rights.

"kevdmcse" <kevdmcse@discussions.microsoft.com> wrote in message
news:11FC37BE-282E-4156-AB1D-F3BF69EA5520@microsoft.com...
>I want to be able to assign a Group Policy to an OU, but prefer to put a
> Security Group into that OU rather than all of the individual users. Can
> Group Policies be assigned that way or does the user object need to be
> within
> the OU to be assigned the policy?
Anonymous
a b 8 Security
November 2, 2004 12:07:59 PM

Archived from groups: microsoft.public.win2000.group_policy (More info?)

Another way to filter with security groups is to deselect the default "Apply
Group Policy" for authenticated users, add the group you actually want to
apply it to and tick the box for this group.

Oli



"Mark Renoden [MSFT]" <markreno@online.microsoft.com> wrote in message
news:o 4JNC9FwEHA.2908@tk2msftngp13.phx.gbl...
> Hi
>
> GPO's only apply to user or computer objects. You can't apply them based
> on the OU membership of groups. You can however filter the application of
> these GPO's to users by changing the security on the GPO to deny "Apply
> Group Policy". For example, you may have a domain level policy that you'd
> like to have applying to all users except Domain Admins. In this case
> you'd set security so that Domain Admins are denied "Apply Group Policy".
>
> Kind regards
> --
> Mark Renoden [MSFT]
> Windows Platform Support Team
> Email: markreno@online.microsoft.com
>
> Please note you'll need to strip ".online" from my email address to email
> me; I'll post a response back to the group.
>
> This posting is provided "AS IS" with no warranties, and confers no
> rights.
>
> "kevdmcse" <kevdmcse@discussions.microsoft.com> wrote in message
> news:11FC37BE-282E-4156-AB1D-F3BF69EA5520@microsoft.com...
>>I want to be able to assign a Group Policy to an OU, but prefer to put a
>> Security Group into that OU rather than all of the individual users. Can
>> Group Policies be assigned that way or does the user object need to be
>> within
>> the OU to be assigned the policy?
>
>
Related resources
Can't find your answer ? Ask !
Anonymous
a b 8 Security
November 2, 2004 12:08:00 PM

Archived from groups: microsoft.public.win2000.group_policy (More info?)

I was afraid that would be the answer. I have a domain with hundreds of users
and I wanted to organize them into seperate OU's based on Job function But
than some users might need to have a policy applied that is from a different
OU. It just makes it a little more complicated than it would be if you could
assign policy at th group level.

"Oli Restorick [MVP]" wrote:

> Another way to filter with security groups is to deselect the default "Apply
> Group Policy" for authenticated users, add the group you actually want to
> apply it to and tick the box for this group.
>
> Oli
>
>
>
> "Mark Renoden [MSFT]" <markreno@online.microsoft.com> wrote in message
> news:o 4JNC9FwEHA.2908@tk2msftngp13.phx.gbl...
> > Hi
> >
> > GPO's only apply to user or computer objects. You can't apply them based
> > on the OU membership of groups. You can however filter the application of
> > these GPO's to users by changing the security on the GPO to deny "Apply
> > Group Policy". For example, you may have a domain level policy that you'd
> > like to have applying to all users except Domain Admins. In this case
> > you'd set security so that Domain Admins are denied "Apply Group Policy".
> >
> > Kind regards
> > --
> > Mark Renoden [MSFT]
> > Windows Platform Support Team
> > Email: markreno@online.microsoft.com
> >
> > Please note you'll need to strip ".online" from my email address to email
> > me; I'll post a response back to the group.
> >
> > This posting is provided "AS IS" with no warranties, and confers no
> > rights.
> >
> > "kevdmcse" <kevdmcse@discussions.microsoft.com> wrote in message
> > news:11FC37BE-282E-4156-AB1D-F3BF69EA5520@microsoft.com...
> >>I want to be able to assign a Group Policy to an OU, but prefer to put a
> >> Security Group into that OU rather than all of the individual users. Can
> >> Group Policies be assigned that way or does the user object need to be
> >> within
> >> the OU to be assigned the policy?
> >
> >
>
>
>
Anonymous
a b 8 Security
November 2, 2004 9:11:24 PM

Archived from groups: microsoft.public.win2000.group_policy (More info?)

That shouldn't be a problem. If you use filtering on security groups and
link the GPO as high up in the OU structure as it needs to be to affect all
the users, it should be fine. You can also link the GPO to multiple OUs
(although this is a bit messy). In this case, the security filtering
applies to the actual GPO and not to each individual link.

Regards

Oli


"kevdmcse" <kevdmcse@discussions.microsoft.com> wrote in message
news:BBE22F05-F060-4D11-932E-319F77271F26@microsoft.com...
>I was afraid that would be the answer. I have a domain with hundreds of
>users
> and I wanted to organize them into seperate OU's based on Job function But
> than some users might need to have a policy applied that is from a
> different
> OU. It just makes it a little more complicated than it would be if you
> could
> assign policy at th group level.
>
> "Oli Restorick [MVP]" wrote:
>
>> Another way to filter with security groups is to deselect the default
>> "Apply
>> Group Policy" for authenticated users, add the group you actually want to
>> apply it to and tick the box for this group.
>>
>> Oli
>>
>>
>>
>> "Mark Renoden [MSFT]" <markreno@online.microsoft.com> wrote in message
>> news:o 4JNC9FwEHA.2908@tk2msftngp13.phx.gbl...
>> > Hi
>> >
>> > GPO's only apply to user or computer objects. You can't apply them
>> > based
>> > on the OU membership of groups. You can however filter the application
>> > of
>> > these GPO's to users by changing the security on the GPO to deny "Apply
>> > Group Policy". For example, you may have a domain level policy that
>> > you'd
>> > like to have applying to all users except Domain Admins. In this case
>> > you'd set security so that Domain Admins are denied "Apply Group
>> > Policy".
>> >
>> > Kind regards
>> > --
>> > Mark Renoden [MSFT]
>> > Windows Platform Support Team
>> > Email: markreno@online.microsoft.com
>> >
>> > Please note you'll need to strip ".online" from my email address to
>> > email
>> > me; I'll post a response back to the group.
>> >
>> > This posting is provided "AS IS" with no warranties, and confers no
>> > rights.
>> >
>> > "kevdmcse" <kevdmcse@discussions.microsoft.com> wrote in message
>> > news:11FC37BE-282E-4156-AB1D-F3BF69EA5520@microsoft.com...
>> >>I want to be able to assign a Group Policy to an OU, but prefer to put
>> >>a
>> >> Security Group into that OU rather than all of the individual users.
>> >> Can
>> >> Group Policies be assigned that way or does the user object need to be
>> >> within
>> >> the OU to be assigned the policy?
>> >
>> >
>>
>>
>>
!