GPO problem

By awellman
I have 2 OUs containing computers. One contains just the special lab computers and the other all the rest of the computers on campus. I have 2 user OUs and groups. One contains all students and one teachers. I need to have a GPO that applies to all students but only when they log on to a computer that is NOT in the special lab. If they log into a special lab computer, I do not want any GPO applied. I have not been able to get this to work. I have tried putting a GPO linked to the non special lab OU and security filtered it to the student group. This does not apply to either computer or user settings. Tried with loopback and still nothing. I tried to link the GPO to the student OU, and security filtered on non-special lab group and that seems not to work either. If I remove the authenticated user, it doesn't apply to any; if I leave authenticated users or student group, it seems to apply regardless of which computer they log on to, even with the computer group filter.
Any help in how to accomplish this will be greatly appreciated.
Thanks, Art W.


what is the resultant set of policies?

by CG IT In reply to GPO problem

on the computer or user when you link and then enable, the policy to the OUs?


Resultant set of policies

by awellman In reply to what is the resultant set ...

When I link the GPO to the User OU, set the security filter to a group that contains the computers I want it to apply and remove the authenticated user filter, the policy does not show in the user settings. If I include the authenticated user filter or add the user group, the policy is applied to both computer OUs if I log on as a user in that OU. It doesn't filter to the computer group only.
Thanks for any help.
Art W


where's the 2 OUs in the hierarchy eg relation to each other?

by CG IT In reply to Resultant set of policies

Sounds like where you have the GPO linked might be the problem. If you linked the GPO to a higher level OU than the one you want the GPO to apply to, then the GPO would apply to all subordinate OUs. In this case both OUs, which is not the result you want.

OU Hierarchy

by awellman In reply to where's the 2 OUs in the ...

The two computer OUs are at the same top level under the domain. As you can tell I am a novice at this and can't seem to get it to work. I have two groups (OU) of computers. 1 is a special lab in which they do not want any GPOs to apply, and the other is all the rest of the computers on campus which would like to have GPO restrictions. We have users in 3 groups, students, faculty and staff. We would like to have different GPOs apply to the different user groups but when connected to the special lab computers, no GPOs applied at all.
Thanks for your quick response and help.
Art W


Additional Info

by awellman In reply to where's the 2 OUs in the ...

Just to add something.
I have tried linking the GPO to the computer OU and added a security filter for the user group, with and without loopback, and none of the settings apply. I have tried linking to the user OU and added a security filter for the computer group, with and without loopback, and that doesn't work. If I also add the authenticated user to the security filter in this case, all settings apply, but they also apply in the special lab OU. Apparently it doesn't filter for computers at the User OU link.
Thanks again
Art W


Hierarchy of OUs

by CG IT In reply to GPO problem

Brief outline: there are default OUs which are at the top of the OU structure. One is computers and one is users. Typically when you join a computer to the domain, they get stuck in the computers OU. Creating user accounts is the same thing. They're in the user OU.

Now, you can create OUs under the default Computers OU [nested]. Same with Users. Or you can create OUs on the same level. Depending upon how you create the new OU where you link the GPO, and what order you make the GPO determines what GPO gets applied and to what. [you can always use the no override but...].

If you have 1 group of computers you don't want any group policy applied to, and don't want them to inadvertently get a GP like if someone else creates a GPO and applies it to the top level computers OU, I would create their own OU at the top level [same level as the default computer OU]. Move those computers you don't want any GPO to apply out of the default computer OU and into that OU.

That should pretty much solve the problem with the "lab" computers not getting any Group Policy. The only group policy they would get is the domain level.

Or you could use the no override on a child OU under the top level computers OU to ensure your GP gets applied or use the block to ensure they don't get any GP. Depends on what you want to do and how uncomplex you want it to be. KISS is the best policy when dealing with OUs, group policies blah blah.

For computers you want to get GP, if you don't need to divide them up further, you can 1. leave em in the default Computers OU and link the GPO you created to that OU. or 2, create a new OU under the top level computer OU, move them into that, and apply the GPO.

Side note: you can create multiple GPOs and apply them in a specific order but doesn't sound like that's what you're doing.

You do user GPOs in a similar fashion.

Whole thing depends on how you divide everything up and what policies you want to apply to those computers or users you divide up.



by awellman In reply to Hierarchy of OUs

Thanks so much for the explanation.
I finally got everything working. I did create 2 OUs at the same level as the Computers OU and move the computers into those OUs. I found that if I linked the GPO to the appropriate computer OU, and then put in the security filter for the particular user group and also the group that contained all the appropriate computers, and with loopback enabled, it all works fine. The GPO is applied only to the appropriate computer OU and the user settings for only the appropriate user group.

Once again, I really want to thank you for your time and effort to help me through this.
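
The working setup described in the last post, scripted with the GroupPolicy PowerShell module as an added example (not part of the original thread). The GPO name, domain, OU path and group names are hypothetical placeholders, and Merge mode for loopback is an assumption, since the post does not say which mode was used.

```powershell
# Added example: link to the computer OU, enable loopback, and security-filter
# on both the user group and the computer group. All names are hypothetical.
Import-Module GroupPolicy

$GpoName       = 'Student Restrictions'                    # hypothetical GPO name
$ComputerOU    = 'OU=Campus Computers,DC=example,DC=edu'   # hypothetical non-lab computer OU
$UserGroup     = 'Students'                                # hypothetical user group
$ComputerGroup = 'Campus-Computers'                        # hypothetical group of non-lab computers
$LoopbackMode  = 1                                         # assumption: 1 = Merge, 2 = Replace

# Create the GPO and link it only to the non-lab computer OU.
# The special lab OU gets no link, so nothing from this GPO reaches it.
New-GPO -Name $GpoName | Out-Null
New-GPLink -Name $GpoName -Target $ComputerOU -LinkEnabled Yes | Out-Null

# Loopback processing is a computer-side policy value. With it enabled, user
# settings in GPOs that apply to the computer are processed at user logon.
Set-GPRegistryValue -Name $GpoName `
    -Key 'HKLM\Software\Policies\Microsoft\Windows\System' `
    -ValueName 'UserPolicyMode' -Type DWord -Value $LoopbackMode | Out-Null

# Security filtering: the computer group must be able to apply the GPO so the
# loopback setting takes effect, and the user group must be able to apply it
# so the user settings are processed for students only.
foreach ($group in $UserGroup, $ComputerGroup) {
    Set-GPPermission -Name $GpoName -TargetName $group -TargetType Group `
        -PermissionLevel GpoApply | Out-Null
}

# Assumption: Authenticated Users is taken out of the filter, otherwise every
# user who logs on to a computer in the linked OU would receive the settings.
Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' `
    -TargetType Group -PermissionLevel None -Replace | Out-Null

# Review the resulting filter before testing a logon.
Get-GPPermission -Name $GpoName -All |
    Select-Object @{ n = 'Trustee'; e = { $_.Trustee.Name } }, Permission
```

To confirm the result, log on as a student on one computer from each OU and run `gpresult /r`; the GPO should be listed under the applied user settings only on the non-lab computer.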

