|
I
think the key point for Chris is that the GPO must be linked to a Site, Domain,
or OU where the user exists if it is to have any bearing on that
user. You can filter by group to prevent a given GPO from being
applied, but only if it WOULD have been applied in the absence of such a
filter.
Dave
So,
in that envrionment, the GPO's applied to the OU's holding Groups would never
be applied to anything.
--------------------------------------------------------------
Roger D. Seielstad
- MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.
Let me give more info as to why I'm asking this question. The idea
has been floated of putting all of our user accounts (>20,000) into one
OU. Other OU's would exist, where groups would reside. Access would be give
to 40-50 different OU admins to the primary User OU, and they would
determine who they would put into their own groups. From there, GPO's would
be applied to the OU's by the OU admin, with the GPO being applied to the
group members (which everyone here says is impossible).
I
have a headache just thinking of this because of having 40-50 people having
access to all user accounts and trying to make sure they only touch what
they are supposed to touch, etc. I'm supposed to find all possible reasons
why not to do this. So, I ask questions.....
Chris Flesher
The University of
Chicago
NSIT/DCS
1-773-834-8477
To make this
clear to everyone.
Yes a user can be
in more than one group. The question you are asking is can a GPO be
applied to a groups? - NO
Read MS article
322176: http://support.microsoft.com/?kbid=322176
Hope that this
helps,
Jason
Crenshaw
Sandia National
Laboratories
____________________________________________________________________________________________________________________________
Short
Answer:
NOTE:
GPOs are applied only to sites, domains, and organizational units. Group
Policy settings affect only the users and the computers that they contain.
Specifically, GPOs are not applied to security groups.
The
location of a security group in Active Directory does not affect filtering
through that security group as it is described in this procedure.
If a user or a computer is not contained in a site, a domain, or
an organizational unit that is subject to a GPO either directly through a
link, or indirectly through inheritance, you cannot set any combination of
permissions on any security group to make those Group Policy settings
affect that user or computer.
Filtering at the GPO level, as it is
described in this procedure, causes the GPO to be processed or not
processed as a whole. The Software Installation extension and the Folder
Redirection extension use security groups to refine control beyond the GPO
level. Except for Folder Redirection and Software Installation, security
groups are not used to filter individual settings or subsets of a GPO. For
control over individual settings, edit or create a GPO
instead.
-----Original
Message-----
From: Chris
Flesher [mailto:[EMAIL PROTECTED]
Sent: Monday, July 21, 2003 12:18
PM
To:
[EMAIL PROTECTED]
Subject: RE: [ActiveDir] Group Policy
question
a
user can be a member of more then one group. if a user is a member of two
groups that are in seperate OU's, then the user can have group policy
applied to two seperate groups based on ACL's within each OU? I don't need
an object existing in two seperate OU's. I just need two seperate groups
with a user being in each group, with each group in seperate OU's.
Chris
Flesher
The University of
Chicago
NSIT/DCS
1-773-834-8477
-----Original
Message-----
From:
[EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Crenshaw,
Jason
Sent: Monday,
July 21, 2003 12:38 PM
To:
'[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Group
Policy question
What is group policy or a GPO?
Group policy
is a new Windows term for common configuration settings. An
administrator can create a group policy which applies to users or
computers. This group policy can set certain computer settings such as
who can login to the computer or user settings such whether the user can
run control panel applets. Group policy is similar to what was called
policy in NT4, but there is a vastly improved performance together with
a greater number of common configuration settings. A GPO, or group
policy object, is a set of settings applied to a site, domain or OU
container. The GPO then is applied to every machine or user object under
that container. One can configure a GPO with ACLs to restrict the
computers or users to which it is applied.
This also
suggests that it is technically impossible to do since a user object can
only exist in one container or OU.
Hope that this
answers your question.
Jason
-----Original
Message-----
From:
Roger Seielstad [mailto:[EMAIL PROTECTED]
Sent: Monday, July 21, 2003 11:29
AM
To:
'[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Group
Policy question
I
believe there's nothing in TechNet on it because its technically
impossible to do. You can't have an object in more than one
OU.
--------------------------------------------------------------
Roger D.
Seielstad - MTS MCSE MS-MVP
Sr. Systems
Administrator
Inovis
Inc.
-----Original
Message-----
From:
Chris Flesher [mailto:[EMAIL PROTECTED]
Sent: Monday, July 21, 2003 12:49
PM
To:
[EMAIL PROTECTED]
Subject: RE: [ActiveDir] Group
Policy question
Guido, that's
not quite what I had in mind. Two OU's that are not hierarchical to
each other. It could be a flat OU architecture. Two seperate OU's that
have gpo's applied to a group. If a user is a member of both groups,
which gpo will take precedence? Maybe it's a dumb question but it was
posed to me by a higher up and I can't find anything about this
scenario in technet.
Chris
Flesher
The
University of Chicago
NSIT/DCS
1-773-834-8477
-----Original
Message-----
From:
[EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of GRILLENMEIER,GUIDO
(HP-Germany,ex1)
Sent: Monday, July 21, 2003
10:43 AM
To:
[EMAIL PROTECTED]
Subject: RE: [ActiveDir] Group
Policy question
I guess
you're using the groups to filter for whom a GPO is applied -
but you're not applying a GPO to a group ;-) It doesn't matter
which OU the group resides in, it simply matters, which OU the
respective GPO is applied to.
Assuming
you're talking about applying two GPOs to the same OU - each with a
separate Group used for filtering, then you can set the priority of
the GPO processing order directly on the OU on the Group Policy
tab.
From: Chris Flesher
[mailto:[EMAIL PROTECTED]
Sent: Montag, 21. Juli 2003
17:18
To:
[EMAIL PROTECTED]
Scenario: a
user is a member of two groups. Each group is in a seperate OU. A
gpo is applied to each group. Which gpo will take precedence for
that user? In other words, which will be the last to be applied and
get the settings applied to that user?
Chris
Flesher
The
University of Chicago
NSIT/DCS
1-773-834-8477
|
