Group policy in an Azure AD DS managed domain - GPOs not applied

Frank McLean 21 Reputation points
2021-07-04T03:50:22.323+00:00

I have an Azure AD DS managed domain and a VM configured with the domain management tools. I am using an ARM template to create VMs and then domain join them into a custom OU called Projects\{project name}, i.e. there is a child OU of Projects that identifies the particular project. This part is working fine - the VM is created, joined to the domain and then appears in OU Projects\Project1.

I have a GPO linked to the Projects\Project1 OU that simply maps the project's Azure Files share - I think the contents of the GPO are irrelevant, however, as the GPO is NEVER applied. Running gpresult /r /v shows only Default Domain Policy and Local Group Policy applied.

I know by default that VMs are placed in the AADDC Computers OU and that AD DS uses a 'flat OU hierarchy' (how a 'flat hierarchy' is not considered an oxymoron is beyond me). If I put a VM in this AADDC Computers flat hierarchy and link a GPO, the GPO IS applied. But surely, by all that's holy, I don't have to dump everything into one steaming bucket marked 'computers' to get GPOs applied, do I? If I could put OUs within the AADDC Computers OU, I could live with it (I can't), but if I have to just throw structure to the wind, my GPOs are going to get bizarrely complex for the brainless stuff I'm needing to do.

What am I doing wrong here? I thought this would be the easy part. I'm used to GPOs but I'm baffled. AD DS is supposed to reduce my management burden, as I understand it, which crippling things like GP certainly does not, so I must be missing something. Tell me I'm missing something. :-)

Thanks.
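A diagnostic that narrows down "linked but never applied" cases like the one described above, added here as an example and not part of the original post. It runs on the domain-joined VM, needs no RSAT (it uses the built-in `[adsisearcher]` and `gpresult.exe`), and distinguishes a GPO the policy engine never evaluated (the computer's scope-of-management chain does not include the OU it is linked to) from one that was evaluated but filtered out (security filtering or missing Read/Apply permission). The GPO name `Project1 - Map Azure Files share` is a placeholder; the XML element names are those `gpresult /x` emits on current Windows builds.

```powershell
# Added diagnostic, not code from the original post. Run in an elevated prompt on the
# domain-joined VM. Assumes a domain-joined machine with gpresult.exe available.
# GPO/OU names below are hypothetical placeholders.

$report = Join-Path $env:TEMP 'rsop-computer.xml'

# 1. Which OU does the directory actually put this computer object in?
#    [adsisearcher] talks LDAP to the logon DC and needs no RSAT module.
$searcher   = [adsisearcher]"(&(objectClass=computer)(sAMAccountName=$($env:COMPUTERNAME)`$))"
$computerDn = ($searcher.FindOne()).Properties['distinguishedname'][0]
Write-Host "Computer object: $computerDn"

# 2. Collect the computer-scope RSoP as XML (richer than gpresult /r /v).
& gpresult.exe /scope computer /x $report /f | Out-Null
[xml]$rsop = Get-Content -Path $report -Raw

# 3. Every GPO the engine evaluated for the computer, with the reason it was or
#    was not applied. A GPO absent from this list was never in scope at all.
$rows = foreach ($gpo in $rsop.Rsop.ComputerResults.GPO) {
    [pscustomobject]@{
        Name          = $gpo.Name
        LinkedAt      = ($gpo.Link | ForEach-Object { $_.SOMPath }) -join '; '
        Enabled       = $gpo.Enabled
        FilterAllowed = $gpo.FilterAllowed   # 'false' = security/WMI filter excluded it
        AccessDenied  = $gpo.AccessDenied    # 'true'  = computer lacks Read/Apply on the GPO
        IsValid       = $gpo.IsValid
    }
}
$rows | Sort-Object Name | Format-Table -AutoSize

# 4. The scope-of-management chain the engine walked (site, domain, OUs).
#    If the custom OU is missing here, nothing linked to it can ever apply.
Write-Host "`nSOM chain evaluated:"
$rsop.Rsop.ComputerResults.SOM | ForEach-Object { "{0,-6} {1}" -f $_.Type, $_.Path }

# 5. Check the one GPO you expect and say which of the two failure modes you hit.
$expected = 'Project1 - Map Azure Files share'   # placeholder: your GPO's display name
$hit = $rows | Where-Object Name -eq $expected
if (-not $hit) {
    Write-Warning "'$expected' was never evaluated: confirm the computer's OU ($computerDn) is in the SOM chain above and the GPO is linked there."
} elseif ($hit.FilterAllowed -ne 'true' -or $hit.AccessDenied -eq 'true') {
    Write-Warning "'$expected' was evaluated but filtered out: review security filtering and delegation on the GPO."
} else {
    Write-Host "'$expected' applied."
}
```

Compare the `Computer object:` line with the `SOM chain evaluated:` list: when the computer's distinguished name sits under an OU that the chain does not include, the problem is scope rather than the GPO's contents, which matches the symptom of only Default Domain Policy and Local Group Policy showing up in `gpresult /r /v`.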
