Group policy in an Azure AD DS managed domain - GPOs not applied

Frank McLean 21 Reputation points

I have an an Azure AD DS managed domain and a VM configured with the domain management tools. I am using an ARM template to create VMs and then domain join them into a custom OU called Projects{project name}, i.e. there is a child OU of Projects that identifies the particular project. This part is working fine - the VM is created, joined to the domain and then appears in OU Projects\Project1.

I have a GPO linked to the Projects\Project1 OU that simply maps the project's Azure Files share - I think the contents of the GPO are irrelevant, however, as the GPO is NEVER applied. Running gpresult /r /v shows only Default Domain Policy and Local Group Policy applied.

I know by default that VMs are placed in the AADDC Computers OU and that AD DS uses a 'flat OU hierarchy' (how a 'flat hierarchy' is not considered an oxymoron is beyond me). If I put a VM in this AADDC Computers flat hierarchy and link a GPO, the GPO IS applied. But surely, by all that's holy, I don't have to dump everything into one steaming bucket marked 'computers' to get GPOs applied, do I? If I could put OUs within the AADDC Computers OU, I could live with it (I can't), but if I have to just throw structure to the wind, my GPOs are going to get bizarrely complex for the brainless stuff I'm needing to do.

What am I doing wrong here? I thought this would be the easy part. I'm used to GPOs but I'm baffled. AD DS is supposed to reduce my management burden, as I understand it, which crippling things like GP certainly does not, so I must be missing something. Tell me I'm missing something. :-)


Microsoft Entra
{count} votes