
KB-0487: User based Group Policies do not get applied to OUs containing only Computers

Centrify DirectAudit, Centrify DirectControl, Centrify Identity Service, Mac Edition

12 April,16 at 11:06 AM

Applies to: All versions of Centrify DirectControl for all OSes

Problem:

A Group Policy Object is linked to a child OU where:
  • Computer accounts for joined machines are placed in this child OU
  • AD users are not in this child OU, and are instead in another OU (which is typically the case)
None of the settings configured in the User Configuration section of the GPO get applied.


Cause:

This is the expected Active Directory behaviour for all Group Policies (it is not limited to Centrify Group Policies):
  • User Configuration settings of a GPO apply only to AD User objects located in the OUs the GPO is linked to (and their child OUs, unless inheritance is blocked).
  • Computer Configuration settings apply only to AD Computer objects located in the OUs the GPO is linked to (and their child OUs, unless inheritance is blocked).

Because the GPO is linked to an OU that contains only computer objects, there is no user object in its scope, so the User Configuration section has nothing to apply to.
If the AD user is also moved into this child OU, the Group Policies in the User Configuration section will then get applied.
However, in production environments, placing AD users in the same OU as the AD computers is most likely not the desired layout for AD organisation.


Solution:

There are two workable solutions:

Option 1:
  • Create and configure the GPO at a parent OU that contains both the AD users and the AD computers.
  • The child OUs then inherit the GPO from the parent level, provided that inheritance is not blocked on the child OU and that security filtering on the GPO still includes the users.

Option 2:
  • Use Loopback Processing:
    • Loopback Processing is a Group Policy setting configured at the OU level where the computer accounts exist but the AD users do not.
    • When enabled, the User Configuration settings of GPOs linked to that OU are applied to any AD user who logs in to a machine under this OU.
    • The loopback setting itself lives under Computer Configuration, so it is the computer object that must be in scope of the GPO that carries it.

To configure Loopback Processing:
  • Enable the GP at:
    • Computer Configuration / Administrative Templates / System / Group Policy / "User Group Policy loopback processing mode"
    • Mode: Merge
    • (See the Explain tab of the GP for more information on the options in this GP)
  • In Merge mode, the user's own GPOs (from the user's OU) are applied first and the User Configuration settings from the computer's OU are applied on top, so the computer-side settings win on conflict. In Replace mode, only the User Configuration settings from the computer's OU are applied.
  • Because a computer-OU GPO can override the user's own settings in either mode, keep edit rights on such GPOs tightly scoped.
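The following PowerShell script is an added example, not part of the Centrify KB article, showing how to carry out both options from a Windows administration host using the RSAT GroupPolicy module. The domain name, OU distinguished names and GPO name are assumptions for illustration; the registry value behind the "User Group Policy loopback processing mode" setting (UserPolicyMode under HKLM\SOFTWARE\Policies\Microsoft\Windows\System, 1 = Merge, 2 = Replace) is the real one that the Administrative Template writes.

```powershell
# Added example (not from the Centrify KB): configure Option 1 and Option 2
# from a Windows host with the RSAT GroupPolicy module. Domain, OU paths and
# GPO name below are assumptions; adjust them to your environment.
Import-Module GroupPolicy -ErrorAction Stop

$Domain     = 'corp.example.com'                                # assumed
$ParentOU   = 'OU=Corp,DC=corp,DC=example,DC=com'               # assumed: holds both the Users and the Computers sub-OUs
$ComputerOU = 'OU=UnixHosts,OU=Corp,DC=corp,DC=example,DC=com'  # assumed: joined machines only, no user objects
$GpoName    = 'Centrify-Unix-UserSettings'                      # assumed

# Create the GPO if missing and link it to the target OU if not already linked.
function Ensure-GpoLinked {
    param([string]$Name, [string]$Target)
    $gpo = Get-GPO -Name $Name -Domain $Domain -ErrorAction SilentlyContinue
    if (-not $gpo) { $gpo = New-GPO -Name $Name -Domain $Domain }
    $som = Get-GPInheritance -Target $Target -Domain $Domain
    if (-not ($som.GpoLinks | Where-Object { $_.DisplayName -eq $Name })) {
        New-GPLink -Name $Name -Target $Target -Domain $Domain -LinkEnabled Yes | Out-Null
    }
    return $gpo
}

# Option 1: link at the parent OU so both user and computer objects are in
# scope, then confirm the computer-only child OU actually inherits it.
function Set-ParentLevelGpo {
    param([string]$Name, [string]$Parent, [string]$Child)
    Ensure-GpoLinked -Name $Name -Target $Parent | Out-Null
    $childSom = Get-GPInheritance -Target $Child -Domain $Domain
    if ($childSom.GpoInheritanceBlocked) {
        Write-Warning "$Child blocks inheritance; the parent-level GPO will not reach it unless its link is Enforced."
    }
    # Returns the inherited link entry (empty if the child does not see the GPO).
    $childSom.InheritedGpoLinks | Where-Object { $_.DisplayName -eq $Name }
}

# Option 2: link at the computer-only OU and turn on loopback processing
# inside that GPO. The setting sits under Computer Configuration, so the
# computer objects are what bring it into scope.
function Enable-LoopbackProcessing {
    param(
        [string]$Name,
        [string]$Target,
        [ValidateSet('Merge', 'Replace')][string]$Mode = 'Merge'
    )
    Ensure-GpoLinked -Name $Name -Target $Target | Out-Null
    $key   = 'HKLM\SOFTWARE\Policies\Microsoft\Windows\System'
    $value = if ($Mode -eq 'Merge') { 1 } else { 2 }   # 1 = Merge, 2 = Replace
    Set-GPRegistryValue -Name $Name -Domain $Domain -Key $key `
        -ValueName 'UserPolicyMode' -Type DWord -Value $value | Out-Null
    # Read the value back from the GPO; anything other than the expected DWORD
    # means the write did not land.
    Get-GPRegistryValue -Name $Name -Domain $Domain -Key $key -ValueName 'UserPolicyMode'
}

# Usage (assumed names): pick one option.
# Set-ParentLevelGpo -Name $GpoName -Parent $ParentOU -Child $ComputerOU
Enable-LoopbackProcessing -Name $GpoName -Target $ComputerOU -Mode Merge
```

After the change replicates to the domain controllers, refresh policy on a joined machine (on a Centrify-managed UNIX or Linux host this is done with the agent's adgpupdate command) and log in as a user from the other OU to confirm the User Configuration settings now take effect. If they still do not, check the GPO's security filtering: the computer objects need Read and Apply Group Policy on the GPO for the loopback setting to be evaluated at all.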

