| Author |
 Topic  |
|
|
Douglaslsd
Welcome Newcomer
USA
24 Posts
Status: offline |
 Posted - 06/28/2010 : 3:48:42 PM
|
Using Users and Computers and GPMC:
Create an OU
Create a GPO and link to OU
This is a User Configuration GPO
Add users to an OU
do the gpupdate on both client and server
GPO is not in affect?
If I add the same users also to the Security Filter, GPO works?
1. If the GPO is a user configuration GPO, does it make sense to place computers into the OU?
2. Does one always have to specify the security filter as well?
Thanks
douglaslsd
|
|
|
JSCLMEDAVE
Administrator
USA
4818 Posts
Status: offline |
Posted - 06/28/2010 : 3:52:30 PM
|
| Hello Douglas... Can you be more specific on exactly what User setting you are trying to deploy? What is the location of the setting in GPMC? |
Tim-
"Will the woman who left her 9 kids at Wrigley field please come and claim them? - they're beating the Cubs 5-0"
|
 |
|
|
Douglaslsd
Welcome Newcomer
USA
24 Posts
Status: offline |
Posted - 06/28/2010 : 4:59:33 PM
|
Thanks for the reply.
There are too many settings to enumerate.. but I can say that is for testing, if I place a user or users in the OU that the GPO is linked to, and if I also place thsoe same users in the Security Filter it works.
Can one not use security groups for the security filter and also to place in OU?
Thanks ahead of time
douglaslsd |
|
|
|
Douglaslsd
Welcome Newcomer
USA
24 Posts
Status: offline |
Posted - 06/28/2010 : 6:04:50 PM
|
I have found according to Marks book that security groups can be used and included in the Security filtering. The only place in question then is use of a security group inside an OU. That is the only place I can then see where it would break
Thanks
Steve |
|
|
|
Douglaslsd
Welcome Newcomer
USA
24 Posts
Status: offline |
Posted - 06/28/2010 : 7:03:53 PM
|
I have narrowed it down to this.
I can use security groups for Security Filtering just as Mark states in his book.
The problem I have found is when I also use that same security group inside the OU that the GPO is applied.
The policy settings do not get applied when I use a security grup within the OU.
I guess one cannot do that?
douglaslsd |
|
|
|
Playwell
Honorable But Hopeless Addict
Netherlands
4112 Posts
Status: online |
Posted - 06/29/2010 : 07:26:00 AM
|
The placement of the group in ADU&C has nothing to do with GPO security filtering.
|
'People who think they know everything are a great annoyance to those of us who do. '
Quote by Isaac Asimov |
|
|
|
Douglaslsd
Welcome Newcomer
USA
24 Posts
Status: offline |
Posted - 06/30/2010 : 11:40:52 AM
|
Okay I am still having the problem. Let me try to explain better.
I have an OU that contains a computer account (Vista). I have a simple GPO linked to that OU.
GPO is User Configuration policy "Hide drives"
Security group TestGPO has 5 user members. The SG and the user's objects are in the Users cotainer. I am using the TestGPO security group in the GPO security filtering.
Desired Result: I want when anyone from that security group logs into that computer, that GPO is applied.
The GPO does not work unless I place the user objects in the OU or if I link the GPO to an OU that contains the users.
Please. Any thoughts or suggestions. I just want the logins on specific computers to recieve "user configuration policy settings.
Thanks
Douglaslsd
|
|
|
|
wkasdo
Administrator
Netherlands
6255 Posts
Status: online |
Posted - 06/30/2010 : 11:57:46 AM
|
> I want when anyone from that security group logs into that computer, that GPO is applied.
Put the computer account in scope of that GPO, and set loopback. |
|
|
|
Douglaslsd
Welcome Newcomer
USA
24 Posts
Status: offline |
Posted - 06/30/2010 : 12:51:47 PM
|
Now I can see where one can get frustrated with GPO processing.
I do believe your answer is the correct one... ..but for some reason after I added the loopback policy, made sure the computer is in the OU that the GPO is linked with, did an gpupdate, and made sure the users were in the security foltering security group... I logged on but .... settings still not working.
I am still going at it but any additional thoughts would be greatly appreciated
douglaslsd |
|
|
|
Douglaslsd
Welcome Newcomer
USA
24 Posts
Status: offline |
Posted - 06/30/2010 : 1:07:45 PM
|
Well maybe this is why it is still not working???
I just read the entire description of the Loopback policy setting:
"Note: This setting is effective only when both the computer account and the user account are in Windows 2000 domains."
What if the Domain is a 2003 or in my case a 2008 domain? |
|
|
|
wkasdo
Administrator
Netherlands
6255 Posts
Status: online |
Posted - 06/30/2010 : 1:37:16 PM
|
| That's just nonsense. 2008 will do just fine. |
|
|
|
Playwell
Honorable But Hopeless Addict
Netherlands
4112 Posts
Status: online |
Posted - 06/30/2010 : 3:17:46 PM
|
one hint: Do NOT filter the policy on the local administrators group.
The 'system' account is secretly member of this group, and policies do not apply then. |
'People who think they know everything are a great annoyance to those of us who do. '
Quote by Isaac Asimov |
|
|
|
wkasdo
Administrator
Netherlands
6255 Posts
Status: online |
Posted - 06/30/2010 : 4:14:34 PM
|
If it's still not working, try loopback without security filtering first. Also, use replace mode to verify that the setting works. After that play around with merge mode. That's more complicated because other GPO's with conflicting settings may interfere.
Finally, use GPMC to find out which GPO's are applying, and which settings are set by which GPO. |
|
|
|
JSCLMEDAVE
Administrator
USA
4818 Posts
Status: offline |
Posted - 06/30/2010 : 4:17:22 PM
|
| Also "just in case"... You are running gpupdate from the client and not the server correct..? I had a brain cramp one time and made that mistake.. |
Tim-
"Will the woman who left her 9 kids at Wrigley field please come and claim them? - they're beating the Cubs 5-0"
|
|
|
|
Douglaslsd
Welcome Newcomer
USA
24 Posts
Status: offline |
Posted - 06/30/2010 : 8:45:07 PM
|
Thanks all!
Your answers have been perfect and greatly beneficial.
I found my problem. My home test domain has a DFRS problem big time. I am able to get the results as long as the clients are pointed to DC\DNS server that is working properly. (and yeah the company I work for gives out millions of dollars in bonuses to the big people, but cant afford to allow us to have test domains for our big contracts.)
Anyway, I am still having one last issue and it could be my domain as well.
Am I correct in discerning that even when using loopback, can one still use a security group for the security filter? It does not appear to work even with some of my domain corrections.
Thanks again |
|
|
|
wkasdo
Administrator
Netherlands
6255 Posts
Status: online |
|
| |
Topic |
|
GPO to an OU
