Group policy not being applied unless user is in OU


Solution 1

Group policy isn't applied on groups like that. It's applied to computer or user objects within the OU it's applied to.

If you want a group policy to apply to just a specific group, you need to attach the group policy to your entire user OU, then use Group Policy Filtering to restrict it to just the group of users you require.

Solution 2

That's because Group Policies are applied based on where the user object exists, not on any group the user is in. This is one of the more confusing aspects of Group Policy Objects. It says group in the name, obviously it should apply to groups, right? No, at least not without extra work. In order to have the GPO apply to a user, it has to be set on an OU in the user's path to the root of the domain.

To set it so that group membership actually forces GPO application, there is a procedure for this:

http://technet.microsoft.com/en-us/library/cc786636%28WS.10%29.aspx

That works a bit differently in that you have to apply it to everyone, but you set it so only members of a specific group actually execute it. So, you'd set it on your User's OU, and only members of the configured group would get it.
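The security-filtering setup described in Solutions 1 and 2, scripted with the GroupPolicy PowerShell module. This is an added example, not part of the original answers: the GPO name, domain and OU below are assumed placeholders, GROUP1 is the group from the question, and a current GroupPolicy (RSAT) module is assumed.

```powershell
# Added example: link a GPO to the OU that holds the users, then filter it to one group.
Import-Module GroupPolicy

$gpoName  = 'Restricted Desktop'               # assumed GPO name (placeholder)
$group    = 'GROUP1'                           # security group from the question
$targetOu = 'OU=Staff,DC=contoso,DC=example'   # assumed OU containing the user objects

# 1. Link the GPO somewhere in the users' path to the domain root.
#    GPOs can be linked only to sites, domains and OUs. The built-in CN=Users
#    is a container, so users left there are reached by a domain-level link
#    or by moving them into an OU.
New-GPLink -Name $gpoName -Target $targetOu -LinkEnabled Yes

# 2. Grant Read + Apply to the group that should receive the policy.
Set-GPPermission -Name $gpoName -TargetName $group -TargetType Group `
    -PermissionLevel GpoApply

# 3. Downgrade Authenticated Users from Apply to Read instead of removing it.
#    Since the MS16-072 update, user policy is retrieved in the computer's
#    security context, so computer accounts must keep Read on the GPO or the
#    policy silently stops applying.
Set-GPPermission -Name $gpoName -TargetName 'Authenticated Users' -TargetType Group `
    -PermissionLevel GpoRead -Replace

# 4. Verify: only the intended group should hold GpoApply.
$appliers = Get-GPPermission -Name $gpoName -All |
    Where-Object { $_.Permission -eq 'GpoApply' } |
    ForEach-Object { $_.Trustee.Name }

if (@($appliers).Count -eq 1 -and $appliers -eq $group) {
    Write-Output "OK: only $group has Apply on '$gpoName'."
} else {
    Write-Warning "Unexpected Apply trustees on '$gpoName': $($appliers -join ', ')"
}

# On a client, after the user logs on again, confirm with:  gpresult /r
```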

Solution 3

What you need to do is enable GPO Loopback Processing on the computer(s) the users are logging into. Loopback Processing forces the GPOs to be applied on the users logging into these computers regardless of where the user objects are located in your AD. You can find more detail in this KB: http://support.microsoft.com/kb/231287 .

Author: GBC

Updated on September 17, 2022

Comments

  • GBC
    GBC over 1 year

    I have set up my WS2k8 R2 AD like so:

    The OU "OU1" contains a security group called "GROUP1". I have applied some group policy to "OU1". The group policy is enforced.

    My users are located in the default "Users" OU. The users are members of the group "GROUP1".

    The problem is that the GP does not get applied to the users.

    If I create users in the "OU1" OU, the policies get applied as they should.

    Very grateful, James

  • GBC
    GBC over 13 years
    Wow, okay.. Really? It seems like that would be the easiest and most obvious way to apply different group policies to different users. It looks like the link you posted only applies to up to 2003 sadly..
  • GBC
    GBC over 13 years
    Thanks, I got it working the way I wanted now using security filtering.
  • MDMarra
    MDMarra over 13 years
    Loopback is for applying user policies to computers. This has nothing to do with the question.