
Apply GPOs to Users Outside OU



My first post :)

Ok, the pertinent info. I'm administering an OU at my College for the Registrar's department. We have a child domain, which we no longer use, in favor of using an OU in the parent domain. All users that will be logging on are located in the parent domain.

Question: Is it possible to have a GPO in my OU which can apply to those users (the ones in the parent domain) without being able to directly administer the users themselves?



Hello,

Ok, from what I understand you have the OU representing the child domain now, as opposed to having a child domain of the root domain. Is this correct?

All users that will be logging on are located in the parent domain.

Question: Is it possible to have a GPO in my OU which can apply to those users (the ones in the parent domain) without being able to directly administer the users themselves?

No, you have to have the users in your OU for the Group Policy to take effect.

Minus Human


Phyridean, creating groups and placing them within the OU where the GPO is linked will not work. The user accounts need to be located inside the OU. If you need to grant permissions on objects you could then use the groups for that.

If moving the user accounts to your OU is not possible, create your GPO and link it to the OU where the user accounts sit.

Inside that OU create a group, make the required members part of the group, and then grant the Read and Apply Group Policy rights to the group on your policy. Only those users will then be managed by your policy.

Remember, GPOs can only be linked to OUs, not groups or user accounts. Place all items inside the OU that you would like to manage.

Hope that helps

Minus Human
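The security-filtering approach described above, as an added example that is not from the thread: link the GPO to the OU that holds the users, then grant Read and Apply Group Policy only to a group. It assumes RSAT's GroupPolicy module, and the GPO, group and OU names are placeholders.

```powershell
# Added example (not from the thread): security-filter a GPO so that only one group's
# members receive it. Assumes the GroupPolicy module (RSAT); names are placeholders.
Import-Module GroupPolicy

$GpoName   = 'Registrar-UserSettings'      # placeholder GPO name
$GroupName = 'Registrar-GPO-Users'         # placeholder security group in the users' OU
$TargetOU  = 'OU=Users,DC=example,DC=edu'  # placeholder OU that holds the user accounts

# Link the GPO to the OU where the user accounts actually sit.
New-GPLink -Name $GpoName -Target $TargetOU -LinkEnabled Yes -ErrorAction Stop

# Give the group both Read and Apply Group Policy (GpoApply includes Read).
Set-GPPermission -Name $GpoName -TargetName $GroupName -TargetType Group `
    -PermissionLevel GpoApply

# Authenticated Users normally holds Apply; drop it to Read only (-Replace overwrites
# the existing entry). Keep Read so computer accounts can still retrieve the GPO
# during policy processing.
Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' -TargetType Group `
    -PermissionLevel GpoRead -Replace

# Verify the resulting filtering: only the group should hold GpoApply.
Get-GPPermission -Name $GpoName -All |
    Where-Object { $_.Permission -eq 'GpoApply' } |
    Select-Object @{ n = 'Trustee'; e = { $_.Trustee.Name } }, Permission
```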


The only problem with that is that I only have permission to create GPOs within my own OU (which cannot have any of my users themselves in it).

Is there no other way?!?!?! :)

<Curses Microsoft's lack of foreseeing MY needs :rolleyes: >


Ok, I did some more researching (something I've never liked doing...and still don't, being a college student :) ) and I found the following.

Loopback Processing

While applying the computer portion of GPOs works as expected at [my college], applying the user portion is more complicated due to the fact that the user objects are located in a single, central OU. To allow the user portion of the GPO to be applied when the user object is not directly within the scope of the GPO, loopback processing must be enabled. This setting in a GPO (located within Computer Configuration, Administrative Templates, System, Group Policy) allows the user portion of a GPO to be applied when only the computer being used is within the scope of the GPO.

Loopback processing contains two modes: replace and merge. Replace mode overwrites any existing policies on the users with the ones specified on the computer whereas merge mode combines the two sets of policy. Because of the extra processing to combine policies, merge mode leads to slower logins. Since ITS places no user-based policy on the central user objects, you can safely use replace mode.

I have tried enabling loopback processing, but have not so far had success. Ideas?


I have to say that could come in very useful. I'll def look into that.

Do you have the computer accounts inside your OU? If so, check that the AD DNS server is specified on the PCs. I would think that the most likely reason is that they are located in the Users container in AD as opposed to an OU.

Would it not be possible to ask the SysAdmin to link your policy to the OU that contains your users? I'm sure if you give him a fact-for-fact explanation he MIGHT come around. OR you could ask him what he suggests (personally it makes sense to have the users you manage inside your OU, just from an administration point of view).

Minus Human


Yes, the computer accounts are inside the OU that I administer. They may ALSO be in the root domain's user OU, but I'm not sure...I'll have to check into that. The DNS may well be the problem, so I'll look at that too. Thanks for all the help, and if I figure out how to make this thing work then I'll post the solution as well as many more thanks... :)


2 weeks later...

Loopback processing was the key. It was necessary to make sure that all policies are set to either "merge" or "replace" but no combinations of the two within an OU. It's also necessary to have proper WINS addresses.
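The loopback write-up quoted earlier in the thread and the final finding (every GPO linked to the OU must use the same loopback mode), as an added example that is not from the thread: audit the loopback mode of each GPO linked to an OU and warn when merge and replace are mixed. It assumes RSAT's GroupPolicy module; the OU and GPO names are placeholders.

```powershell
# Added example (not from the thread): report the loopback processing mode of every
# GPO linked to an OU and flag a mix of Merge and Replace. Assumes the GroupPolicy
# module (RSAT); the OU and GPO names are placeholders.
Import-Module GroupPolicy

# Loopback lives in Computer Configuration; the GPO stores it under this HKLM key.
$LoopbackKey = 'HKLM\Software\Policies\Microsoft\Windows\System'
$ModeNames   = @{ 1 = 'Merge'; 2 = 'Replace' }

function Get-LoopbackMode {
    param([string]$GpoName)
    try {
        $v = Get-GPRegistryValue -Name $GpoName -Key $LoopbackKey `
                                 -ValueName 'UserPolicyMode' -ErrorAction Stop
        $ModeNames[[int]$v.Value]
    } catch {
        'NotConfigured'   # the value is absent when loopback is not set in this GPO
    }
}

function Test-OULoopbackConsistency {
    param([string]$OU)
    $links  = (Get-GPInheritance -Target $OU).GpoLinks | Where-Object Enabled
    $report = foreach ($l in $links) {
        [pscustomobject]@{ GPO = $l.DisplayName; Loopback = Get-LoopbackMode $l.DisplayName }
    }
    $modes = $report.Loopback | Where-Object { $_ -ne 'NotConfigured' } | Sort-Object -Unique
    if (@($modes).Count -gt 1) {
        Write-Warning "OU $OU mixes loopback modes ($($modes -join ', ')); use only one."
    }
    $report
}

$OU = 'OU=Registrar,DC=example,DC=edu'   # placeholder OU holding the computer accounts
Test-OULoopbackConsistency -OU $OU | Format-Table -AutoSize

# To put a GPO into Replace mode (2 = Replace, 1 = Merge), uncomment and name the GPO:
# Set-GPRegistryValue -Name 'Registrar-Loopback' -Key $LoopbackKey `
#     -ValueName 'UserPolicyMode' -Type DWord -Value 2
```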
