I have read different responses on different blogs to the following, with both yes and no answers. Can someone here confirm for me once and for all if this is possible?

We are looking to try and implement some Group Policies and are wondering if it's possible to complete this by adding the computer objects to a security group and not moving them to a specific OU, where we would be able to apply the GP to the security group only.

Example: implementation of a so-called hot-desk environment where members of different departments/areas can utilize and have the ability to print to a multi-function device (using a GP) located within the area when connected to the network. Thus we do not want to move the computer objects from their correct departmental OU to an OU specific to this process.

Any advice would be great.

4 Spice ups

Group Policies apply only to account objects (computers and users); you cannot apply a GPO/GPP to a security group directly.

You can link GPOs to an OU, Domain, or a Site, but linking to an OU that contains only groups will produce no results, as the groups never “log in”.

You can link a GPO, and filter it to security groups (or other security principals) so that only members of the group can apply the settings, but the GPO must link to a parent OU/Domain/Site of the actual member accounts, not the group. You can also delegate permissions on the GPO.

4 Spice ups

Yes, this is achievable. I’ve set up TCP/IP printers for our organisation, and used Item-level Targeting to address how they’re deployed.

The first thing I would do is create a security group, add a test machine to it, and then when all the details are filled in for the GPP, check the box for Item-level targeting under the Common tab, click on the Targeting button, click on New Item, choose Security Group, and then Browse for the name of the group you set up. Click OK to accept the group, assign the GPO to an OU, do GPUPDATE, and then that should work for you.

1 Spice up

Here’s the easy way to do it:

Create GPO, in the GPO under Security Filtering, assign it to the group you want, and then link it to the OU you wish to have it applied to.

Essentially you apply it to an OU and use security groups to filter who gets the GPO.

2 Spice ups
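As an added worked example (not code from any of the posters), here is the approach described in semicolon's and Pass_the_Tylenol's replies, security-filtering a GPO to a computer group and then linking it to the OU that actually holds the computer accounts, done with the GroupPolicy PowerShell module; the GPO name, group name, OU path and test machine name are assumed placeholders.

```powershell
# Added example: security-filter a GPO to a computer security group, then link it to the
# OU above the computer accounts. All names below are assumed placeholders.
Import-Module GroupPolicy

$GpoName  = 'HotDesk-Printers'                     # assumed GPO name
$Group    = 'GPO-HotDesk-Computers'                # assumed security group containing the computer objects
$TargetOU = 'OU=Workstations,DC=corp,DC=example'   # assumed parent OU of those computer accounts

# 1. Create the GPO (the printer preference itself is then configured in it via GPMC).
New-GPO -Name $GpoName -Comment 'Hot-desk printer mapping, filtered to a computer group' | Out-Null

# 2. Security filtering: only members of the group get the Apply permission.
Set-GPPermission -Name $GpoName -TargetName $Group -TargetType Group -PermissionLevel GpoApply

# 3. Authenticated Users gets Read + Apply by default. Lower it to Read only (-Replace is
#    needed to reduce a level); keep Read, since every computer must still read the GPO to evaluate it.
Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' -TargetType Group `
    -PermissionLevel GpoRead -Replace

# 4. Link the GPO to the OU that contains the member accounts; a group cannot be a link target.
New-GPLink -Name $GpoName -Target $TargetOU -LinkEnabled Yes

# 5. Verify the resulting filtering: expect GpoApply on the group and GpoRead on Authenticated Users.
Get-GPPermission -Name $GpoName -All |
    Select-Object @{ n = 'Trustee'; e = { $_.Trustee.Name } }, Permission

# 6. Refresh policy on a member. A computer's group memberships are read at startup, so after
#    adding a machine to the group it still needs a reboot, as noted later in the thread.
Invoke-GPUpdate -Computer 'HOTDESK-PC01' -Force   # assumed test machine name
```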

Pass_the_Tylenol got the second half of my answer…the how to do it part.

You can use Item Level Targeting to create complex conditions for when a preference is set, such that a printer is mapped only when a user is a member of GroupA but only when they are sitting at a computer that is a member of GroupB. (so that the users only get it when sitting at particular workstations).

You can even go hog wild and make it so that the printer can only be mapped if a particular file is present on the computer, or if there’s at least 5 GB of free space on the hard drive, or the computer is running a particular version of Windows, and on and on.

3 Spice ups

The only way groups and GPOs work together is that you can filter so only users that are part of a certain security group get the GPO applied. However, that means the GPO also needs to be linked to the OU the user accounts reside in or under.

2 Spice ups

Thanks guys. @semicolon, that’s what some were saying, that it isn’t correct practice and GPs should only be applied to ‘account objects’.

Thanks to @pass_the_tylenol and holo. I think I am just going to try it and see what happens. It would be fantastic if it worked. I will report back on my findings anyway.

Thanks @James Microsoft, I will check that out right now.

If anyone else has any input, it is more than welcome.

1 Spice up

Tylenol’s suggestion works. You just have to make sure to do a gpupdate on the computers you add to the security group, then reboot them. If you don’t reboot, it won’t work.