Phyridean, posted July 9, 2004
My first post. OK, the pertinent info: I'm administering an OU at my college for the Registrar's department. We have a child domain, which we no longer use, in favor of using an OU in the parent domain. All users that will be logging on are located in the parent domain. Question: Is it possible to have a GPO in my OU which can apply to those users (the ones in the parent domain) without being able to directly administer the users themselves?
Curv Boll, posted July 12, 2004
"without being able to directly administer the users themselves?" Not sure what you mean. Could you rephrase that please? I'm having trouble with it. Sorry. C.B
Minus Human, posted July 12, 2004
Hello. OK, from what I understand you have the OU representing the child domain now, as opposed to having a child domain of the root domain. Is this correct? "All users that will be logging on are located in the parent domain. Question: Is it possible to have a GPO in my OU which can apply to those users (the ones in the parent domain) without being able to directly administer the users themselves?" No, you have to have the users in your OU for the Group Policy to take effect. Minus Human
Spyder2k, posted July 12, 2004
Maybe you can try adding the users to a new group and placing that group inside of your OU.
Phyridean (author), posted July 12, 2004
@Curv Ball: I can't change any of the user object settings, only add them to groups. @Minus: Yes, the OU replaced the child domain. @Spyder: I will try groups, but so far I have not had luck with this.
Minus Human, posted July 13, 2004
Phyridean, creating groups and placing them within the OU where the GPO is linked will not work. The user accounts need to be located inside the OU. If you need to grant permissions on objects you could then use the groups for that. If moving the user accounts to your OU is not possible, create your GPO and link that to the OU where the user accounts sit. Inside that OU create a group, making the required members part of the group, and then grant the Read and Apply Group Policy rights to the group on your policy. Only those users will then be managed by your policy. Remember, GPOs can only be linked to OUs, not groups or user accounts. Place all items inside the OU that you would like to manage. Hope that helps. Minus Human
Phyridean (author), posted July 13, 2004
The only problem with that is that I only have permission to create GPOs within my own OU (which cannot have any of my users themselves in it). Is there no other way?!?!?! <Curses Microsoft's lack of foreseeing MY needs>
Phyridean (author), posted July 13, 2004
OK, I did some more researching (something I've never liked doing... and still don't, being a college student) and I found the following.
"Loopback Processing: While applying the computer portion of GPOs works as expected at [my college], applying the user portion is more complicated due to the fact that the user objects are located in a single, central OU. To allow the user portion of the GPO to be applied when the user object is not directly within the scope of the GPO, loopback processing must be enabled. This setting in a GPO (located within Computer Configuration, Administrative Templates, System, Group Policy) allows the user portion of a GPO to be applied when only the computer being used is within the scope of the GPO. Loopback processing contains two modes: replace and merge. Replace mode overwrites any existing policies on the users with the ones specified on the computer, whereas merge mode combines the two sets of policy. Because of the extra processing to combine policies, merge mode leads to slower logins. Since ITS places no user-based policy on the central user objects, you can safely use replace mode."
I have tried enabling loopback processing, but have not so far had success. Ideas?
Minus Human, posted July 15, 2004
I have to say that could come in very useful; I'll def look into that. Do you have the computer accounts inside your OU? If so, check that the AD DNS server is specified on the PCs. I would think that the most likely reason is that they are located in the Users container in AD as opposed to an OU. Would it not be possible to ask the SysAdmin to link your policy to the OU that contains your users? I'm sure if you give him a fact-for-fact explanation he MIGHT come around. OR you could ask him what he suggests. (Personally it makes sense to have the users you manage inside your OU, just from an administration point of view.) Minus Human
Phyridean (author), posted July 15, 2004
Yes, the computer accounts are inside the OU that I administer. They may ALSO be in the root domain's user OU, but I'm not sure... I'll have to check into that. The DNS may well be the problem, so I'll look at that too. Thanks for all the help, and if I figure out how to make this thing work then I'll post the solution as well as many more thanks...
Phyridean (author), posted July 27, 2004
Loopback processing was the key. It was necessary to make sure that all policies are set to either "merge" or "replace" but no combinations of the two within an OU. It's also necessary to have proper WINS addresses.
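An added example, not from any poster in this thread: a PowerShell audit of the loopback setting on every GPO linked to a computer OU, which checks the condition the author found decisive (all linked policies in the same loopback mode). It assumes the RSAT GroupPolicy module, read access to the GPOs, and a placeholder OU distinguished name.

```powershell
# Added example: audit user Group Policy loopback mode on all GPOs linked to one OU.
# Assumes the RSAT GroupPolicy module is installed and the caller can read the GPOs.
Import-Module GroupPolicy

# Placeholder for the OU the poster administers; replace with the real DN.
$ouDn = 'OU=Registrar,DC=example,DC=edu'

# Loopback is a Computer Configuration setting stored as UserPolicyMode:
# absent/0 = not configured, 1 = merge, 2 = replace.
$modeNames = @{ 0 = 'not configured'; 1 = 'merge'; 2 = 'replace' }
$loopbackKey = 'HKLM\Software\Policies\Microsoft\Windows\System'

# Get-GPInheritance returns the GPOs linked directly to this OU, in link order.
$links = (Get-GPInheritance -Target $ouDn).GpoLinks

$report = foreach ($link in $links) {
    # Get-GPRegistryValue throws when the value is not set in that GPO, so suppress
    # the error and treat a missing value as "not configured".
    $entry = Get-GPRegistryValue -Guid $link.GpoId -Key $loopbackKey `
        -ValueName 'UserPolicyMode' -ErrorAction SilentlyContinue
    $mode = if ($entry) { [int]$entry.Value } else { 0 }
    [pscustomobject]@{
        Order    = $link.Order
        GPO      = $link.DisplayName
        Enabled  = $link.Enabled
        Loopback = $modeNames[$mode]
    }
}

$report | Sort-Object Order | Format-Table -AutoSize

# The thread's finding: mixing merge and replace among the linked GPOs breaks user
# policy application, so flag an OU whose enabled links use more than one mode.
$modesInUse = @($report |
    Where-Object { $_.Enabled -and $_.Loopback -ne 'not configured' } |
    Select-Object -ExpandProperty Loopback -Unique)
if ($modesInUse.Count -gt 1) {
    Write-Warning "Mixed loopback modes ($($modesInUse -join ', ')) are linked to $ouDn; use one mode only."
} elseif ($modesInUse.Count -eq 0) {
    Write-Warning "No GPO linked to $ouDn enables loopback; the user portion will not apply to central users."
}
```

On a workstation in the OU, `gpresult /r /scope:user` then shows whether the user side of those GPOs was actually applied after the computer picked up the loopback setting.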