
Assigning users to OUs??

gilgamish

Member
When I build a new OU, how can I make certain pre-existing users and groups members of this new OU?
Pardon me if it was a silly question.
 
Is there a way to take a copy of the user object and place it in the OU?
Just like you do it for groups.
I don't want to move the object. Rather, I would prefer to take a copy of it, if possible.
 
The two situations (groups and OU's) aren't comparable. A user is not contained in a group - rather, they belong to a group. So you can "copy" a user to groups, but that "copying" isn't really putting them anywhere - it just modifies their attributes. So the user can belong to many groups. But a user is contained, strictly, by a single OU. A user belongs (immediately) to exactly one OU. So you can't exactly copy a user to an OU. You could do a Right-click-->Copy, and then move the resulting new user, but you'll need to fill in info for the new object.
 
OK. That means I should think of another approach to apply my policy, which I intend to assign to a number of users of the domain, an approach different from OUs.
It's a policy for preventing them from using drive A and the CD drive.
The problems are:

1- Not all the users in the domain should be prevented, because some of them can't go on working without floppy and CD drives.

2- Regarding the floppy there is no problem, but in the case of CD drives, not all computers assign the same drive letter to their CD drives, because partitions differ from one user to another.

3- I don't want to use OUs in this scenario "for decoration reasons", says my stupid boss a minute ago.

Any suggestions??
 
Solving the problem of which users to apply the policy to is quite simple. In the properties of the GPO, look at the security tab. You should see a listing of the users and groups that have permissions set for them on the GPO. One of those permissions is apply policy. By default, all GPOs are set to have the policy apply to Authenticated Users. Since all users and all computers are members of Authenticated Users, the policy applies to everyone and everything in the domain/OU that the policy is linked to.

To solve your first problem, create a group, add the users that require the use of the floppy and cd-rom, add that group to the security tab of the GPO and check the deny box next to the apply group policy permission. Since denies override allows, all users and computers will apply the policy except this group.

As for your problem of the cd-roms having different drive letters, I'm not sure what to do for you there. The first thing that comes to my mind is to change all the cd-rom drives to the same drive letter (something like V or some other letter that is unlikely to be used for network drives). I'm sure you could find a way to script this, but the only way I know to do it without doing any more research would be to bring up Computer Management, connect to each computer, go under Storage, Disk Management, and change the drive letter. I sure hope there is a better way, but I'm too tired right now to think of it or go look for it.

As for not wanting to use OUs, that's completely up to you, but using them does make life a little easier in the long run. I currently use OUs for different business groups within the company. This way they can have their own user groups, their own group policies, and I can even delegate authority for that OU to their local admin (if they have one).

Hope this helps, and good luck.
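Wolf00's guess that the drive-letter problem "could be scripted" is right. The following PowerShell is an added example, not code from this thread: it gives every optical drive on a list of computers the same letter (V:, as suggested above) so a single GPO restriction can name it. It uses the CIM cmdlets (PowerShell 3 and WinRM on the targets), which did not exist in the Windows 2000 era the thread discusses. The computer names are constructed; it is assumed that V: is free on each machine and that the caller has local admin rights there.

```powershell
# Added example (not from the thread): remap every CD-ROM drive on a set of
# computers to one agreed letter so a single GPO restriction covers them all.
# Assumptions (hypothetical): the computer names below, V: being free on each
# machine, CIM/WinRM access with local admin rights, PowerShell 3 or later.
$Computers    = @('PC01', 'PC02')   # constructed sample list
$TargetLetter = 'V:'                # high letter, unlikely to collide with mapped network drives

function Set-OpticalDriveLetter {
    param([string]$ComputerName, [string]$Letter)
    $session = New-CimSession -ComputerName $ComputerName -ErrorAction Stop
    try {
        # Win32_Volume DriveType 5 = CD-ROM / optical drive
        $optical = Get-CimInstance -CimSession $session -ClassName Win32_Volume -Filter 'DriveType = 5'
        if (-not $optical) {
            Write-Host "$ComputerName : no optical drive found"
            return
        }
        foreach ($vol in $optical) {
            if ($vol.DriveLetter -eq $Letter) {
                Write-Host "$ComputerName : already $Letter"
                continue
            }
            # Never steal a letter that another volume (local or second optical) already owns
            $clash = Get-CimInstance -CimSession $session -ClassName Win32_Volume -Filter "DriveLetter = '$Letter'"
            if ($clash) {
                Write-Warning "$ComputerName : $Letter is in use by $($clash.Name); skipping"
                continue
            }
            # DriveLetter is a writable property of Win32_Volume; this is the same
            # operation as changing the letter in Disk Management
            Set-CimInstance -InputObject $vol -Property @{ DriveLetter = $Letter }
            Write-Host "$ComputerName : $($vol.DriveLetter) -> $Letter"
        }
    }
    finally {
        Remove-CimSession -CimSession $session
    }
}

foreach ($pc in $Computers) {
    try   { Set-OpticalDriveLetter -ComputerName $pc -Letter $TargetLetter }
    catch { Write-Warning "$pc : $($_.Exception.Message)" }
}
```

Run it from an elevated PowerShell on a management host. Hosts too old for WinRM can be reached with Get-WmiObject over DCOM against the same Win32_Volume class, but the property assignment is the same. Keep in mind that the Explorer drive restrictions a GPO can set only hide or block the drive in the shell; a command prompt or any other program can still open V:, so treat the policy as a usability control rather than a hard data-exfiltration barrier.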
 
Is there a way to take a copy of the user object and place it in the OU?

Not with AD, it's basically a flat namespace just like NT4 domains. I think it's pretty dumb you can't have the same username exist in more than one OU, but that's how MS decided to do it.
 
Originally posted by: Nothinman
I think it's pretty dumb you can't have the same username exist in more than one OU, but that's how MS decided to do it.
And what exactly do you see as an alternative? A user is an LDAP object, so it has to have a single location in the OU structure. That's not Microsoft's choice - that's the way a directory service works. Unless you want different objects with the same login name, which is pretty clearly a bad idea.

 
Originally posted by: Wolf00
Solving the problem of which users to apply the policy is quite simple. In the properties of the GPO, look at the security tab. You should see a listing of the users and groups that have permissions set for them on the GPO. One of those permissions is apply policy. By default, all GPO's are set to have the policy apply to Authenticated Users. Since all users and all computers are a member of authenticated users, the policy applies to everyone and everything in the domain/ou that the policy is linked to.

To solve your first problem, create a group, add the users that require the use of the floppy and cd-rom, add that group to the security tab of the GPO and check the deny box next to the apply group policy permission. Since denies override allows, all users and computers will apply the policy except this group.
To expand on that a bit, you probably don't want to be editing your default domain policy here. If you're keeping the defaults, where "Users" is a top level OU, use the MMC Group Policy snap-in to create a GPO for Users with the settings you want (or right-click Users-->Group Policy-->New). Then modify permissions as Wolf00 described - though I think you'll need to choose the "Advanced" view to see those.

And if your organization is of any substantial size, tell your boss that not using OUs is a dumb idea. You lose out on delegation of authority, and group policy application becomes much harder to trace.



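Putting Wolf00's filtering steps and the "don't edit the default domain policy" advice above into one script, the following PowerShell is an added example, not code from this thread. It uses the GroupPolicy and ActiveDirectory modules that ship with the Server 2008 R2 and later RSAT, not the Windows 2000 MMC snap-in the thread is about. Every name in it is an assumption: the domain example.com, the OU, the GPO name, the exemption group and its two members. It assumes the optical drives have already been remapped to V:. One point the GUI hides: Set-GPPermission can grant GpoRead/GpoApply but cannot write a Deny entry, so the deny that Wolf00 describes is written straight into the GPO's ACL in Active Directory.

```powershell
# Added example (not from the thread): create a separate drive-restriction GPO,
# link it to an OU, and exempt one group via a Deny on "Apply Group Policy".
# Assumptions (hypothetical): domain example.com, OU below, GPO/group names,
# sample members, optical drives already remapped to V:. Needs RSAT
# (GroupPolicy + ActiveDirectory modules) and rights to create GPOs and groups.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$GpoName       = 'Restrict A and CD-ROM'
$TargetOU      = 'OU=Users,DC=example,DC=com'
$ExemptGroup   = 'GPO-Exempt-RemovableMedia'
$ExemptMembers = @('alice', 'bob')     # constructed sample accounts

# Explorer's NoDrives / NoViewOnDrive values are bitmasks: bit 0 = A:, bit 1 = B:, ... bit 25 = Z:
function Get-DriveMask([string[]]$Letters) {
    $mask = 0
    foreach ($l in $Letters) {
        $mask = $mask -bor (1 -shl ([int][char]$l.ToUpper() - [int][char]'A'))
    }
    return $mask
}
$mask = Get-DriveMask @('A', 'V')      # A: (bit 0) + V: (bit 21) = 2097153

# 1. A dedicated GPO, not Default Domain Policy, linked to the OU.
$gpo = New-GPO -Name $GpoName
New-GPLink -Name $GpoName -Target $TargetOU | Out-Null

# 2. User-side Explorer restrictions: hide the drives and block shell access to them.
$key = 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
Set-GPRegistryValue -Name $GpoName -Key $key -ValueName 'NoDrives'      -Type DWord -Value $mask | Out-Null
Set-GPRegistryValue -Name $GpoName -Key $key -ValueName 'NoViewOnDrive' -Type DWord -Value $mask | Out-Null

# 3. The exemption group (users who still need floppy/CD) and its members.
$group = Get-ADGroup -Filter "Name -eq '$ExemptGroup'" -ErrorAction SilentlyContinue
if (-not $group) {
    $group = New-ADGroup -Name $ExemptGroup -GroupScope Global -Path $TargetOU -PassThru
}
Add-ADGroupMember -Identity $group -Members $ExemptMembers

# 4. Deny the "Apply Group Policy" extended right to that group on the GPO's AD object.
#    Deny ACEs win over the default Allow for Authenticated Users, which stays in place.
$applyGpRight = [Guid]'edacfd8f-ffb3-11d1-b41d-00a0c968f939'   # Apply-Group-Policy rightsGuid
$gpoPath = "AD:\$($gpo.Path)"                                   # CN={guid},CN=Policies,CN=System,...
$acl  = Get-Acl -Path $gpoPath
$rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    [System.Security.Principal.SecurityIdentifier]$group.SID,
    [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    [System.Security.AccessControl.AccessControlType]::Deny,
    $applyGpRight)
$acl.AddAccessRule($rule)
Set-Acl -Path $gpoPath -AclObject $acl

# 5. Check the result: the Deny must be present and Authenticated Users must still have Apply.
(Get-Acl -Path $gpoPath).Access |
    Where-Object { $_.AccessControlType -eq 'Deny' -and $_.ObjectType -eq $applyGpRight } |
    Select-Object IdentityReference, AccessControlType, ObjectType |
    Format-Table -AutoSize
Get-GPPermission -Name $GpoName -TargetName 'Authenticated Users' -TargetType Group
```

After running it, the GPMC Delegation tab (Advanced) shows the group with "Apply group policy: Deny", exactly as Wolf00's steps produce by hand. If GPMC reports that the AD and SYSVOL permissions on the GPO differ, let it synchronise them. Two checks worth doing before trusting the filter: confirm on a client with gpresult that an exempted user really does not receive the GPO (a user who is a member of the group only through a nested group is still denied, since the token carries nested SIDs), and confirm that a non-exempt user does. Since these are user-configuration settings, the deny is evaluated against the user's token, not the computer's.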
 
A user is an LDAP object, so it has to have a single location in the OU structure. That's not Microsoft's choice - that's the way a directory service works. Unless you want different objects with the same login name, which is pretty clearly a bad idea.

Yes, but an OU is like a directory: you can have files/users with the same name in different directories. NDS handles this just fine, and we use it on a limited basis for testing things.
 
But with NDS, the Relative Distinguished Name isn't being used directly for authentication, correct? It's one thing to have separate entries for a user in a phone book, but another to have a login name map to more than one object. I'm not saying that the system is perfect, but if you're going to store accounts in LDAP, I think you're going to be stuck with a one-to-one map.
 
The login name doesn't map to more than one object because the object's fully qualified name includes the OU and the O (and I think with newer NDS versions the tree is included too).
 
use the MMC Group Policy snap-in to create a GPO for Users with the settings you want (or right-click Users-->Group Policy-->New). Then modify permissions as Wolf00 described - though I think you'll need to choose the "Advanced" view to see those.

But I always hear that GPOs are applicable only to sites, domains, or OUs. Am I right?

 
This above is one thing.
The other brand new problem is that each time I attempt to open Domain Group Policy from the administrative tools, it gives me the following error:

"Group policy error....................
Failed to open group policy object. You may not have appropriate rights.
The specified directory service attribute or value does not exist"

A console pops up with the group policy snap-in disabled.
Although I'm logging on as domain administrator, I'm told I don't have enough rights.
What's going on here???
 