Why doesn't Group Policy work if I put a local group in the affected OU instead of the actual user a

Discussion in 'Server Security' started by CS, Jan 27, 2009.

  1. CS

    CS Guest

    Windows 2003 Server. AD domain. Created an OU so that I can apply a Group
    Policy to a collection of users. As per Msoft instructions, I created a
    Local Group, and put that local group inside the OU. Created a Global
    Group, added users to the Global Group, and then added the Global Group to
    this local group. I then created a Group Policy - User Config, and set up
    the restrictions. I applied the GP to the OU, and did a GPUPDATE / FORCE.

    The result is that this GP doesn't affect the pc where the user above logs
    in. If I take the local group out of the OU, and just put the individual
    user account into the OU (instead of the local group), the GP works fine
    when that user logs into a PC.

    Any ideas why this won't work when I use groups to add users to the OU, and
    thus to the Global Policy world?

    CS, Jan 27, 2009
    1. Advertisements

  2. CS

    Claus Greck Guest

    Group Policies only apply to USER ACCOUNTS and COMPUTER ACCOUNTS ! They
    don't apply to Group Accounts!
    So your experinece was to be expected ;)

    You can only filter GPO scope through its DACL to a group (or any individual

    Claus Greck
    Claus Greck, Jan 27, 2009
    1. Advertisements

  3. Meinolf Weber [MVP-DS], Jan 27, 2009
  4. CS

    CS Guest

    Thanks Everyone. That makes sense.

    CS, Jan 30, 2009
    1. Advertisements

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments (here). After that, you can post your question and our members will help you out.