GPO for individual users?

I have a domain with NO organizational units defined in AD. Just users,
security groups, and distribution groups. I have 2 existing user accounts I
want to apply a GPO to. I tried setting this up, and it's not working. Can I
even do this? I created a new OU in AD, just for this GPO I want to use.
But I can't add individual users to this OU.

I even tried creating a security group in AD with those existing users.
Then I tried to add the Security Group to the GPO OU I created. Not working.
Am I missing something, or maybe just don't know enough about creating OUs or
GPOs?
 
The user accounts need to reside within that OU (or sub-OU) in order for the
GPO to apply. In other words, you need to move those two user accounts into
the OU that the GPO is linked to. Then, modify the security of the GPO and
add the user accounts (or a security group those users are members of), giving
them Read & Apply Group Policy rights to the GPO object.


Arild
 
If I move those users into the new OU, will it cause problems when users
log in with the account, into the default first site domain?

Also, can I do this while both accounts are still logged into the network?
Though I'm sure the new GPO settings will not take effect until they log
out, and then back in.
 
If I move these user accounts into the new OU, will it 'break' them? I mean,
will it cause problems the next time they log in, because their user account
now lies within a new OU, and not the default first site domain, root? They
are not in any security/distribution groups now; just on their own.

And, can I move these accounts while each is logged into the domain? Of
course, I'm sure the changes will not take effect until the user logs out,
and back in. Thanks!
 
Since you're not using OUs, I assume these users are in the default Users
container? The only difference when moving them will be that they get the
GPO.

You can move them while they are logged on - and yeah, the effects will not
be there until they log back on.


Arild
 
Just one thing - make sure the users have "Read properties" rights on the OU
(the entire OU subtree if nested OUs) where they belong so that they get all
GPOs in the chain.


Arild
 
Thanks for all your help Arild. Big help!

Another Q here: if I do a 'Find' in Active Directory Users and Computers, for
the two user accounts, will they not show up because they are in their own
OU? If I specify the root domain, they will come up, right?

Thanks again
 
Courtney said:
> Thanks for all your help Arild. Big help!
>
> Another Q here: if I do a 'Find' in Active Directory Users and Computers, for
> the two user accounts, will they not show up because they are in their own
> OU?

If you search the entire directory then you will be searching the
*entire* directory and thus you will find the 2 users, so it depends on
how broad of a search you do.

> If I specify the root domain, they will come up, right?

Yes, because they are in the domain.
 
I've already performed this and it is as simple as it appears, just move the
accounts without problems and ask the users to log out and back in to see the
results.

If you have any problems verify if the Security Group was included in the
GPO security tab, and the "apply group policy" option was set.

Regards,
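
The procedure from the replies above (move the accounts into the OU the GPO is linked to, then filter the GPO by security group), as an added PowerShell example that is not part of the original thread. The domain DN, OU, GPO, group and user names are placeholders to replace with your own; it assumes the ActiveDirectory and GroupPolicy modules (RSAT) and is meant to be run once.

```powershell
Import-Module ActiveDirectory, GroupPolicy

# Placeholder names (assumptions, not from the thread)
$domainDn = 'DC=example,DC=com'
$ouName   = 'GPO-Test-Users'
$ouDn     = "OU=$ouName,$domainDn"
$gpoName  = 'Test User Policy'
$group    = 'GPO-Test-Users-Apply'
$users    = 'user1', 'user2'

# 1. Create the OU and move the two accounts out of the default Users container.
#    A GPO linked to an OU only reaches user objects located in that OU or below.
New-ADOrganizationalUnit -Name $ouName -Path $domainDn
foreach ($u in $users) {
    Get-ADUser -Identity $u | Move-ADObject -TargetPath $ouDn
}

# 2. Security group used for filtering. Where the group object lives does not
#    matter: placing a group in an OU does not apply the OU's GPOs to its members.
New-ADGroup -Name $group -GroupScope Global -GroupCategory Security -Path $ouDn
Add-ADGroupMember -Identity $group -Members $users

# 3. Create the GPO and link it to the OU.
New-GPO -Name $gpoName | Out-Null
New-GPLink -Name $gpoName -Target $ouDn -LinkEnabled Yes

# 4. Security filtering: only the group gets Read + Apply Group Policy.
#    Authenticated Users is lowered to Read rather than removed, because on
#    patched systems user policy is retrieved in the computer's security context
#    and the computer account still needs Read on the GPO.
Set-GPPermission -Name $gpoName -TargetName $group -TargetType Group -PermissionLevel GpoApply
Set-GPPermission -Name $gpoName -TargetName 'Authenticated Users' -TargetType Group `
    -PermissionLevel GpoRead -Replace

# 5. Verify the delegation and the accounts' new location.
Get-GPPermission -Name $gpoName -All |
    Select-Object @{n = 'Trustee'; e = { $_.Trustee.Name } }, Permission
Get-ADUser -SearchBase $ouDn -Filter * | Select-Object SamAccountName, DistinguishedName

# After the users log off and back on, check on the client with:
#   gpresult /r /scope user
```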