How do you apply a Group Policy to an individual user?

contact
I have a group policy that I want to apply to everyone in an Organizational Unit and one other user in a different Organizational Unit. How would I apply the Group Policy to both the OU and the other user? I'm using Windows Server 2003 Active Directory.
  • +
    0 Votes
    contact

    Ok, not sure if this is the best way to do it, but it worked. I created a sub-organizational unit under the OU where my individual user existed. Moved her down there and then added the GPO to the new sub-OU. I could then also add the other OU that needed the GPO. If anyone has a better way to do this, let me know.

    ~Pat

    +
    0 Votes
    CG IT

    OUs are logical structures and without knowing how the OU structure is, providing a suggestion is a guesstimate.

    OUs are containers and, well, like Tupperware, you can nest them. You can apply OUs to the outer, inner, middle or any combination. The resultant set of policies is much harder to figure out without running the RSOP tool.

    The other thing is that OUs being containers, making one up for just one user adds a level of complexity that might not be necessary. But as with anything, you have to keep track of what is what and the more complex system you have the more problem it is to keep track of what is what. Microsoft best practice on OUs is more than 4 levels and you're asking for problems. Less is more.

    +
    0 Votes
    contact

    My organization is quite small, maybe 200 users. I only have four non-standard OUs and only one level deep. The area I'm talking about here is I want to apply a GPO to an OU called Senior Staff and to one person in the Administration OU. I created an OU under Administration called Privileged Admins, moved the person to that group and applied the OU to that group and the Senior Staff group. No sooner had I done that when I was asked to add one more person from the Administration group to the Privileged Admins. Seems like a reasonable approach, but I'm curious if there is a better way.

    ~Pat

    +
    0 Votes
    CG IT

    Group Policies propagate from parent to child. So your OU called Senior Staff is a child of your Administration OU. Group Policy applied at the Administration OU level gets applied to the Senior Staff OU level and then the Group Policy at the Senior Staff OU gets applied. The resultant set of both policies is what matters. If the resultant set of both policies is not what you want, you might have to tweak or put no override in.

    So this is probably why no one jumped in to provide suggestions. Group Policy can get complicated and result in policies you might not want certain users to get, get them or what you thought they would get they don't.

    That and most are across the ocean in time zones 6 to 8 hours ahead.

    +
    0 Votes
    bulk

    Keep the OU hierarchy simple, as always. Create and link the GPO to both the Senior Staff and Administration OUs.

    Create a global group named Privileged Admins. Add all the Senior Staff and the one (now two) admin staff to that group.

    Remove "Everyone" read and apply GPO permissions from the GPO, and add the new global group instead, so that only this group has read and apply GPO permissions to the GPO. Conventionally you'd actually give a local group those perms and add the global to the local - you know...

    Hope that helps,

    Richard
    Switzerland
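
The steps in the answer above, scripted as an added example (not code from the thread). It assumes a management workstation with the RSAT ActiveDirectory and GroupPolicy PowerShell modules; the GPO name, domain DN and account names are constructed placeholders. Unlike the post, it lowers Authenticated Users to Read rather than removing it, because current Windows clients read user policy in the computer's context.

```powershell
# Added example. Assumes the RSAT ActiveDirectory and GroupPolicy modules.
# GPO name, domain DN and account names are constructed placeholders.
Import-Module ActiveDirectory, GroupPolicy

$GpoName    = 'Senior Staff Policy'
$GroupName  = 'Privileged Admins'
$SeniorOU   = 'OU=Senior Staff,DC=example,DC=local'
$AdminOU    = 'OU=Administration,DC=example,DC=local'
$ExtraUsers = 'jdoe', 'asmith'    # the two Administration users (sAMAccountName)

# 1. Link the same GPO to both OUs, skipping links that already exist.
foreach ($ou in $SeniorOU, $AdminOU) {
    $linked = (Get-GPInheritance -Target $ou).GpoLinks | ForEach-Object DisplayName
    if ($linked -notcontains $GpoName) {
        New-GPLink -Name $GpoName -Target $ou -LinkEnabled Yes | Out-Null
    }
}

# 2. Create the global security group if needed, then add missing members.
if (-not (Get-ADGroup -Filter "Name -eq '$GroupName'")) {
    New-ADGroup -Name $GroupName -SamAccountName $GroupName `
        -GroupScope Global -GroupCategory Security
}
$wanted   = @(Get-ADUser -Filter * -SearchBase $SeniorOU) +
            @($ExtraUsers | ForEach-Object { Get-ADUser -Identity $_ })
$existing = Get-ADGroupMember -Identity $GroupName | ForEach-Object DistinguishedName
$toAdd    = @($wanted | Where-Object { $existing -notcontains $_.DistinguishedName })
if ($toAdd.Count -gt 0) { Add-ADGroupMember -Identity $GroupName -Members $toAdd }

# 3. Security filtering: only the group keeps Apply. Authenticated Users is
#    lowered to Read (not removed) so clients can still read the GPO.
Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' `
    -TargetType Group -PermissionLevel GpoRead -Replace | Out-Null
Set-GPPermission -Name $GpoName -TargetName $GroupName `
    -TargetType Group -PermissionLevel GpoApply | Out-Null

# 4. Review the resulting ACL; only the group should show GpoApply.
Get-GPPermission -Name $GpoName -All |
    Select-Object @{ n = 'Trustee'; e = { $_.Trustee.Name } }, Permission
```

Running the RSOP tool mentioned earlier in the thread for one group member and one non-member in the Administration OU confirms that the filter behaves as intended.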

    +
    0 Votes
    NexS

    I'd have you in gaol.
