Group Policy is not taking effect on OU

By jeff.friend

I am trying to apply a group policy to an OU in Active Directory 2008. For some reason it does not work when linked to just the OU. Here is my setup:

OU contains the computer that the policy needs to apply to and nothing else. The Group Policy is linked to the OU. The overall goal is to have a group policy take effect for users when they log onto a specific computer but not on any of the other computers they may log into.

Is there any method you guys would suggest to begin troubleshooting? Or if you know what may be the issue, please let me know. I have tried several different alternatives to achieving the same result and have had no success.




All Answers

Not sure which

by NetMan1958 In reply to just a note Netman... he ...

part of my post that was in reference to, maybe I didn't explain what I was asking very well. If you PM your email address to me, I'll send you a screen shot from one of my AD domains that shows the info I'm trying to obtain.

guess my point is this- In Active Directory environment

by CG IT In reply to Not sure which

a GPO is created for users and/or computer environments. Typically, in an Active Directory environment, GPOs are at the site, domain or OU level and apply to Active Directory users or computers. In 99.9% of GPO deployments, that GPO will either be linked to the domain, whose effects are domain wide, or an OU whose effects are for those users or computers in that OU. The GPOs are created 99.9% of the time on the DC. gpresult run on the container [OU] will show what GPOs will happen to users or computers in the container [OU]. You can run it on a workstation as well, but that also depends on how users log on.

Authenticated users doesn't mean much in the realm of group policy. Computers that have a computer account in Active Directory "authenticate" via their security account, but computers are not users in the context of group policy. Domain users who log on and there is a group policy linked to an OU that their user accounts reside in will get that GPO, but a guest user who logs in or an anonymous user that logs in will not unless the account is in the OU. But they're all "Authenticated Users".

A domain user might also have a local machine user account; however, if they log on locally, they will not get a domain or OU GPO when they do, but they're "authenticated users" [to the local machine].

So that's where I wonder what "authenticated users" have to do with Group Policy in an Active Directory environment.

RE: Authenticated Users

by NetMan1958 In reply to guess my point is this- I ...

With every AD I have worked with you can control whether or not a GPO gets applied to all or just some users/computers via the "Security" tab in the GPO properties configuration. I open the Group Policy Management, right-click on the target GPO and click on edit. Then, in the Group Policy Object Editor, I right-click on the GPO name and click on "Properties". Then I click on the "Security" tab. At this point I can choose the users, user groups (from my experience, "Authenticated Users" is the default group), computers or computer groups that are allowed to apply the GPO. I can even prevent a user(s) or group(s) from applying the GPO.

To give you an example, in one of my ADs, I have an OU named "Building 1". I have a GPO linked to that OU named "Restrict Internet". I only want that GPO to apply to our collectors (it's a collection agency) but not to every user/computer in the "Building 1" OU. I have a security group named "Collectors" and all of the collectors are members of that security group. I only include the "Collectors" group in the "Security" tab for that GPO and give them "Read" and "Apply Group Policy" permissions. The collections manager also needs to be a member of the "Collectors" group but also needs internet access in order to do his job. So in the "Security" tab for the GPO, I add his user account and deny all access to the GPO. Since "no access" always trumps any other access permitted by membership in other groups, the GPO isn't applied to him.

The result of all that is that the collectors in Building 1 don't get internet access but the collections manager and all other users in Building 1 do.

not arguing NTFS security or methods to filter

by CG IT In reply to guess my point is this- I ...

rather some of the poster's use of authenticated users as analogous to "users".

Not all "users" are authenticated. An example is null sessions between a DC and workstation before a user logs in.

What the original poster provided, as a response to my query, was that they couldn't create an OU in the computer or users OU and received an access denied, yet was able to create a 1st tier OU and place both a user and a computer in this OU, link a GPO and apply it, with a gpresult on the computer account and user account in the 1 OU of no policy applied.

Doesn't sound like a block policy inheritance/filtering problem to me.

The policy wasn't even listed in gpresult

by NetMan1958 In reply to guess my point is this- I ...

Here is what I'm getting at. In this post:
the OP states "The user and computer are within the organizational unit and the group policy(VA_VPN_GPO) is linked to the organizational unit but it doesn't even list the policy in applied or filtered GPOs in the GPResults".
From that I gather that the name of the GPO is "VA_VPN_GPO". If you examine the output from his gpresult in this post:
it only references 3 GPOs (Local Group Policy, AllUsers and Default Domain Policy). VA_VPN_GPO isn't even in the list of applied or filtered GPOs. Also, he either failed to post the "Computer Settings" part of the output or there was no output for the "Computer Settings" and that was what I was asking about.
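The check made by eye in the post above (is VA_VPN_GPO in the applied list, the filtered list, or neither, and is there a "Computer Settings" section at all), as an added Python example that is not part of the thread. The sample text is constructed in the layout `gpresult /r` prints, not the OP's output, and `parse_gpresult` and `triage` are hypothetical names.

```python
# Constructed sample in the layout `gpresult /r` prints (not the OP's output).
SAMPLE = """\
USER SETTINGS
--------------
    CN=Test User,OU=Example,DC=example,DC=com
    Applied Group Policy Objects
    -----------------------------
        AllUsers
    The following GPOs were not applied because they were filtered out
    -------------------------------------------------------------------
        Default Domain Policy
            Filtering:  Not Applied (Empty)
    The user is a part of the following security groups
    ---------------------------------------------------
        Domain Users
"""

def parse_gpresult(text):
    """Return {scope: {gpo_name: "applied" | "filtered: <reason>"}}."""
    report, scope, bucket, last = {}, None, None, None
    for line in (raw.strip() for raw in text.splitlines()):
        if line in ("COMPUTER SETTINGS", "USER SETTINGS"):
            scope, bucket = line.split()[0].lower(), None
            report[scope] = {}
        elif scope is None or not line or set(line) == {"-"} or line == "N/A":
            continue                  # preamble, blanks, underlines, empty lists
        elif line == "Applied Group Policy Objects":
            bucket = "applied"
        elif line.startswith("The following GPOs were not applied"):
            bucket = "filtered"
        elif "security groups" in line:
            bucket = None             # the GPO lists for this scope are over
        elif bucket == "applied":
            report[scope][line] = "applied"
        elif bucket == "filtered" and line.startswith("Filtering:"):
            report[scope][last] = "filtered: " + line.split(":", 1)[1].strip()
        elif bucket == "filtered":
            last = line               # GPO name; its reason follows on the next line
            report[scope][last] = "filtered"
    return report

def triage(report, gpo):
    """Say where one GPO shows up in each scope of the parsed output."""
    return {s: report[s].get(gpo, "not listed") if s in report else "section missing"
            for s in ("computer", "user")}

print(triage(parse_gpresult(SAMPLE), "VA_VPN_GPO"))
```
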

the only GP applied after login is the local machine

by CG IT In reply to guess my point is this- I ...

even the default domain GP wasn't applied or even filtered and shows "empty" which should have at the least default settings of the default domain gp from the DC applied if the user logs on to the domain. So I'm wondering if the gpresults we are seeing is just local machine or results after domain log in. Further, no mention of forcing an update after applying the GPO [default time for gp refresh is 90 minutes].

While the poster said he created the OU on the DC, the fact that he couldn't create it under the default "users" or "computers" OU with an access denied says to me that the account doesn't have sufficient rights. Without those rights, no matter what he does domain wise, won't be applied.

You may be on to something

by NetMan1958 In reply to guess my point is this- I ...

regarding whether he forced an update after adding that new GPO, I wish this guy would come back and start answering some questions.

I would think he has the sufficient rights or he wouldn't be able to add a new GPO at all. He mentioned that the "Computers" and "Users" objects he tried to create the OU under were the ones right under the domain level. Those "Computers" and "Users" objects are not OUs at all, they are containers and I can't create an OU under those on any of my ADs and I know I have sufficient rights.

Anyway, I think we're wasting our time on this because it doesn't seem like this guy is coming back.

you're right...another case of the missing poster

by CG IT In reply to guess my point is this- I ...

by jeff.friend In reply to Just to verify

1. Yes the GPO is VA_VPN_GPO
2. The GPO is linked to an OU that is inside another OU
3. Currently have the authenticated users permitted to apply the GPO
4. They should be set under User Config.
5. the computer currently can apply to the GPO and authenticated users


by jeff.friend In reply to verified

So after some testing I was able to get the policy to apply when the user is also inside the OU (in addition to the computer). The only issue with this is that now every computer the user logs onto the policy takes effect. The desired result is to have the policy only take effect on the one computer.

Sorry for the delayed response.

