Title: Message

Chris,

 

I am sure you raised this issue to the "higher ups" you mentioned, but wouldn't it be easier to develop an OU architecture that broke the >20,000 users up into separate OUs for management? That way those 40-50 OU Admins would be further broken up to their respective OU.

 

I would think you could sell the "higher ups" on the ability to delegate to those OUs.

 

Just my $0.02

 

Dan

 

-----Original Message-----
From: Chris Flesher [mailto:[EMAIL PROTECTED]
Sent: Monday, July 21, 2003 12:21 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Group Policy question

 

Let me give more info as to why I'm asking this question. The idea has been floated of putting all of our user accounts (>20,000) into one OU. Other OU's would exist, where groups would reside. Access would be given to 40-50 different OU admins to the primary User OU, and they would determine who they would put into their own groups. From there, GPO's would be applied to the OU's by the OU admin, with the GPO being applied to the group members (which everyone here says is impossible).

 

I have a headache just thinking of this because of having 40-50 people having access to all user accounts and trying to make sure they only touch what they are supposed to touch, etc. I'm supposed to find all possible reasons why not to do this. So, I ask questions.....

 

 

Chris Flesher

The University of Chicago

NSIT/DCS

1-773-834-8477

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Crenshaw, Jason
Sent: Monday, July 21, 2003 1:34 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Group Policy question

To make this clear to everyone. 

 

Yes, a user can be in more than one group. The question you are asking is: can a GPO be applied to a group? - NO

 

Read MS article 322176:  http://support.microsoft.com/?kbid=322176

 

Hope that this helps,

 

Jason Crenshaw

Sandia National Laboratories

____________________________________________________________________________________________________________________________

 

Short Answer:

 

NOTE: GPOs are applied only to sites, domains, and organizational units. Group Policy settings affect only the users and the computers that they contain. Specifically, GPOs are not applied to security groups.

The location of a security group in Active Directory does not affect filtering through that security group as it is described in this procedure.

If a user or a computer is not contained in a site, a domain, or an organizational unit that is subject to a GPO either directly through a link, or indirectly through inheritance, you cannot set any combination of permissions on any security group to make those Group Policy settings affect that user or computer.

Filtering at the GPO level, as it is described in this procedure, causes the GPO to be processed or not processed as a whole. The Software Installation extension and the Folder Redirection extension use security groups to refine control beyond the GPO level. Except for Folder Redirection and Software Installation, security groups are not used to filter individual settings or subsets of a GPO. For control over individual settings, edit or create a GPO instead.

 

-----Original Message-----
From: Chris Flesher [mailto:[EMAIL PROTECTED]
Sent: Monday, July 21, 2003 12:18 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Group Policy question

 

A user can be a member of more than one group. If a user is a member of two groups that are in separate OU's, then the user can have group policy applied to two separate groups based on ACL's within each OU? I don't need an object existing in two separate OU's. I just need two separate groups with a user being in each group, with each group in separate OU's.

 

 

Chris Flesher

The University of Chicago

NSIT/DCS

1-773-834-8477

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Crenshaw, Jason
Sent: Monday, July 21, 2003 12:38 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Group Policy question

                What is group policy or a GPO?

 

Group policy is a new Windows term for common configuration settings. An administrator can create a group policy which applies to users or computers. This group policy can set certain computer settings such as who can login to the computer or user settings such as whether the user can run control panel applets. Group policy is similar to what was called policy in NT4, but there is a vastly improved performance together with a greater number of common configuration settings. A GPO, or group policy object, is a set of settings applied to a site, domain or OU container. The GPO then is applied to every machine or user object under that container. One can configure a GPO with ACLs to restrict the computers or users to which it is applied.

 

This also suggests that it is technically impossible to do since a user object can only exist in one container or OU.

 

Hope that this answers your question.

 

Jason

 

-----Original Message-----
From: Roger Seielstad [mailto:[EMAIL PROTECTED]
Sent: Monday, July 21, 2003 11:29 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Group Policy question

 

I believe there's nothing in TechNet on it because it's technically impossible to do. You can't have an object in more than one OU.

 

 

--------------------------------------------------------------
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.

-----Original Message-----
From: Chris Flesher [mailto:[EMAIL PROTECTED]
Sent: Monday, July 21, 2003 12:49 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Group Policy question

Guido, that's not quite what I had in mind. Two OU's that are not hierarchical to each other. It could be a flat OU architecture. Two separate OU's that have gpo's applied to a group. If a user is a member of both groups, which gpo will take precedence? Maybe it's a dumb question but it was posed to me by a higher up and I can't find anything about this scenario in technet.

 

 

Chris Flesher

The University of Chicago

NSIT/DCS

1-773-834-8477

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of GRILLENMEIER,GUIDO (HP-Germany,ex1)
Sent: Monday, July 21, 2003 10:43 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Group Policy question

I guess you're using the groups to filter for whom a GPO is applied - but you're not applying a GPO to a group ;-) It doesn't matter which OU the group resides in, it simply matters, which OU the respective GPO is applied to.

 

Assuming you're talking about applying two GPOs to the same OU - each with a separate Group used for filtering, then you can set the priority of the GPO processing order directly on the OU on the Group Policy tab.

 

/Guido

 


From: Chris Flesher [mailto:[EMAIL PROTECTED]
Sent: Montag, 21. Juli 2003 17:18
To: [EMAIL PROTECTED]

Scenario: a user is a member of two groups. Each group is in a separate OU. A gpo is applied to each group. Which gpo will take precedence for that user? In other words, which will be the last to be applied and get the settings applied to that user?

 

Chris Flesher

The University of Chicago

NSIT/DCS

1-773-834-8477
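
Added example, not part of any message in this thread: a simplified Python model of the rule the replies describe, that a GPO reaches a user only through a link on the user's own domain or OU chain, with group membership acting only as a filter, and that link order on the OU decides precedence. All OU, group and GPO names are constructed; sites, local policy, Enforced links and Block Inheritance are left out.

```python
# Simplified model of GPO scope (links) versus security filtering.
# Every name below is constructed for illustration.

def containers_for(user_dn):
    """Containers whose GPO links reach the user: domain first, nearest OU last."""
    parts = user_dn.split(",")[1:]                      # drop the CN=... leaf
    suffixes = [",".join(parts[i:]) for i in range(len(parts))]
    ous = [s for s in suffixes if s.startswith("OU=")]  # innermost OU first
    domain = next(s for s in suffixes if s.startswith("DC="))
    return [domain] + ous[::-1]

def applied_gpos(user_dn, user_groups, links, filters):
    """Return GPOs in processing order; on a conflict the last one wins.

    links:   container DN -> GPO names in link order (index 0 = link order 1,
             the highest precedence, so it is processed last).
    filters: GPO name -> groups holding Read + Apply Group Policy.
    """
    order = []
    for container in containers_for(user_dn):
        for gpo in reversed(links.get(container, [])):
            if filters[gpo] & user_groups:              # security filtering
                order.append(gpo)
    return order

USER = "CN=alice,OU=AllUsers,DC=example,DC=edu"
GROUPS = {"Authenticated Users", "DeptA-Staff", "DeptB-Staff"}
FILTERS = {
    "Baseline": {"Authenticated Users"},
    "GPO-A": {"DeptA-Staff"},
    "GPO-B": {"DeptB-Staff"},
}

# Layout from the question: GPOs linked to the OUs that hold the groups.
# The user object lives in OU=AllUsers, so neither link is in scope.
LINKS_ON_GROUP_OUS = {
    "DC=example,DC=edu": ["Baseline"],
    "OU=DeptA,DC=example,DC=edu": ["GPO-A"],
    "OU=DeptB,DC=example,DC=edu": ["GPO-B"],
}

# Layout from the reply: both GPOs linked to the user's OU, each filtered by
# its group. GPO-B is link order 1, so it is processed last and wins.
LINKS_ON_USER_OU = {
    "DC=example,DC=edu": ["Baseline"],
    "OU=AllUsers,DC=example,DC=edu": ["GPO-B", "GPO-A"],
}

if __name__ == "__main__":
    print(applied_gpos(USER, GROUPS, LINKS_ON_GROUP_OUS, FILTERS))
    print(applied_gpos(USER, GROUPS, LINKS_ON_USER_OU, FILTERS))
```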

 
