gpo security filter

Question

Hi,

I have a question regarding gpo that is being applied to an OU.

I have an OU that users are in it, this OU has a sub OU that users PCs are in it.

We have a Policy that linked to the Root OU and to the sub OU. This policy has both user and computer configuration. and Policy is applied to a security group called goup1, and users and computers in toor OU and sub OU are both member group1.Policy appied and works.

Now I have created a second policy that has some different settings then the first policy. This new policy it also have user and computer configuration and applied to a new security group, group2

My question,

Can I link the new policy to the same root and sub OU, and use group2 to filter the new policy and move the users and computers that need this new policy from the first security group? I dont want to create a new OU for this policy.

The users that become member of the group2 dont need the any of the first policy settings.

Answer 1

Hello @Shahin Mortazave ,
Thank you for posting here.
Here are the answers for your references.

According to the description, we want to filter the new policy to group2 and the users that become member of the group2 don’t need the any of the first policy settings.

I did the following experiments in the lab so that I can provide more intuitive suggestions.

1. I created two new groups in the domain, named 0 and 2. There is an OU named Text in the domain, and there is a subOU, and there is a computer in the sub-OU. I added the computers to the two groups. Similarly, the user named text1 in Text is added to two groups, as shown below.
   
   
2. I configured two different GPOs for Text, Policy1 and Policy2, and linked the two GPOs to the sub-OU, added group 0 to the Security Filtering of Policy1, and also added group2 to the Security Filtering of Policy2.
   
   
   
3. In the exported gpresult, we can clearly see that GPO takes effect and does not affect each other.
   
4. If you only want Policy2 to take effect, you can choose to disable Policy1, as shown below, only Policy2 is left to take effect.
   
   

Hope the information above is helpful. And look forward to your update of this issue. If anything is unclear, please feel free to let us know.

Best Regards,
Stephanie Yu

============================================

If the Answer is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

Answer 2

Hi Stephanie,

Thanks for your detailed reply,

What we want to do is to eventually move all of the users and computers from policy1 to the policy 2. But we cannot do this at once.

Policy1 and policy2 both have the same setting, except policy1 has folder redirection to a network share and policy 2 has folder redirection to onedrive. becuase the folder redirection to network share and folder redirection to onedrive cannot be in the same policy we did create copy of the Policy1 and called it Policy2 and removed the folder redirection to network and added the folder redirection to onedrive.

Now we will link the Policy2 to the same OU and subOU as Policy1 and filter them accordingly and move users in groups of 10 from security group of policy1 and add them to the security group of Policy2.

This would allow users in Policy1 be unaffected and users in Policy2 should get the settings of the Policy2.

Thanks

Answer 3

Hi Stephanie,

Thanks for your reply,

in the test environment I did not came across any issue, users and computers in the same OU and sub OU did recieved the settings only from a Policy that they were member of policy's security group.
Users and computers that recieved the settings of the Policy2 thier folder redirection is to the OneDrive.

The only issue that I came accross is when user is removed from first gpo and added to the second gpo and after this user login to his/her PC the login process take a long time, but after that the next login goes as it should.