2003 Group Policies applying to individuals, not groups

Guest

I have a standalone test server running Win 2003. In addition to the
default domain policy, I have two other policies, STUDENTS and TEACHERS. I
also have two security groups, SchlStdn and SchlTeac.

When I simply add user names to the security tab of the STUDENTS and
TEACHERS group policies, the proper policies are allowed.

When I add the students and teachers to the above listed groups, no policies
are applied. I removed the authenticated users from the security tab of the
two new policies and added the SchlStdn to the Students policy and SchlTeac
to the Teachers policy. Permissions in both cases are Read: Allow and Apply
Group Policy: Allow.

I left the DEFAULT DOMAIN POLICY untouched.

Why are the policies applying for individuals and not groups?
 
Because that's behavior by design. Group policy applies to individual
objects in OUs... not the security groups. I'm not positive of the answer,
but can only extrapolate that it's because a user may be part of more than
one security group, thereby causing a conflict down the road of what policy
is *supposed* to apply to them.

What I recommend is that you change up your OU structure a little. Here's
what I'd do:

1. Make a new OU (I do it right off the domain 'root', but don't know if
   that's a good practice to follow). Call it Students.
2. Make a new OU ---blah blah blah, call it Teachers.
3. Populate the OUs with the appropriate user accounts.
4. Apply group policies to each OU as necessary.

You can leave the permissions intact on the policies themselves, as you
don't need to deny the policy to those who are not in the OU (not in the
SOM - Scope of Management).

You may need to put the computers into separate OUs, depending on what you
want to do with them. Some schools have different 'desires' for the
different sets of computers, and that design is up to you. Just remember,
the security groups only come into play when you're changing the permissions
on the policy object itself. Policies won't apply to security groups no
matter how much you click and scream. ;-)

HTH

Ken
 