2003 Group Policies applying to individuals, not groups

Archived from groups: microsoft.public.win2000.group_policy (More info?)

I have a stand alone test server running Win 2003. In addition to the
default domain policy, I have two other policies, STUDENTS and TEACHERS. I
also have two security groups, SchlStdn and SchlTeac

When I simply add user names to the security tab of the STUDENTS and
TEACHERS group polices, the proper policies are allowed.

When I add the students and teachers to the above listed groups, no policies
are applied. I removed the authenticated users from the security tab of the
two new policies and added the SchlStdn to the Students policy and SchlTeac
to the Teachers policy. Permissions in both cases are Read: Allow and Apply
Group Policy: Allow

I left the DEFAULT DOMAIN POLICY untouched.

Why are the policies applying for individuals and not groups?
1 answer Last reply
More about 2003 group policies applying individuals groups
  1. Archived from groups: microsoft.public.win2000.group_policy (More info?)

    Because that's behavior by design. Group policy applies to individual
    objects in OU's... not the security groups. I'm not positive of the answer,
    but can only extrapolate that it's because a user may be part of more than
    one security group, thereby causing a conflict down the road of what policy
    is *supposed to apply to them.

    What I recommend is that you change up your OU structure a little. Here's
    what I'd do:
    Make a new OU (I do it right off the domain 'root', but don't know if that's
    a good practice to follow). Call it Students
    Make a new OU ---blah blah blah, call it Teachers
    Populate the OU's with the appropriate user accounts.
    Apply group policies to each OU as necessary.
    You can leave the permissions intact on the policies themselves, as you
    don't need to deny the policy to those who are not in the OU (not in the
    SOM - Scope of Management).

    You may need to put the computers into separate OU's, depending on what you
    want to do with them. Some schools have different 'desires' for the
    different sets of computers, and that design is up to you. Just remember,
    the security groups only come into play when you're changing the permissions
    on the policy object itself. Policies won't apply to security groups no
    matter how much you click and scream. ;-)

    HTH

    Ken


    "Peter Olmsford" <Peter Olmsford@discussions.microsoft.com> wrote in message
    news:DF5BD903-B78A-4B28-93AC-59D466799F3E@microsoft.com...
    >I have a stand alone test server running Win 2003. In addition to the
    > default domain policy, I have two other policies, STUDENTS and TEACHERS.
    > I
    > also have two security groups, SchlStdn and SchlTeac
    >
    > When I simply add user names to the security tab of the STUDENTS and
    > TEACHERS group polices, the proper policies are allowed.
    >
    > When I add the students and teachers to the above listed groups, no
    > policies
    > are applied. I removed the authenticated users from the security tab of
    > the
    > two new policies and added the SchlStdn to the Students policy and
    > SchlTeac
    > to the Teachers policy. Permissions in both cases are Read: Allow and
    > Apply
    > Group Policy: Allow
    >
    > I left the DEFAULT DOMAIN POLICY untouched.
    >
    > Why are the policies applying for individuals and not groups?
    >
Ask a new question

Read More

Policy Security Windows