Tweeted twitter.com/ServerFault/status/1009294234883690499
deleted 1198 characters in body; edited title

How are GP Objects and AD Objects linked between ADUC and GPMC?

[Disclaimer: This question was based on flawed impressions. Take with a very small grain of salt, or no salt at all.]

As a Linux admin who is unwillingly being thrust back into Windows administration after just shy of a decade of not touching Windows Servers, I'm a little puzzled at a few things about Group Policy these days compared to how it used to be done way back when.

I still remember the days when there was a group policy tab on certain objects in ADUC (say with Windows Server 2003) such as OUs (if I recall correctly), but it looks like ADUC and Group Policy have now been segregated into different management consoles and de-linked, with GPMC being the place for GPOs now. I'm sure there are some great reasons for that. However, I have a few questions now.

Why does it seem that the structure and names of OUs, and the association of GPOs with actual AD objects in ADUC, are completely segregated from their counterparts in GPMC? It seems like the GP Admin must be vigilant to mimic any changes made to the naming or structure of OUs in ADUC in GPMC as well, but I can see this inevitably going awry since mistakes and oversights will inevitably happen from time to time.

That seems to have a few consequences, assuming I understand the situation correctly.

Since the Group Policy OUs are not tied directly to the OUs in ADUC:

  1. This adds more manual effort to create (replicate) the names of each OU as one sees it in ADUC in GPMC, whereas it seems like it would make a lot of sense to at least have an option to "scan and import" the actual OU structure under a given domain in ADUC into GPMC in an automated fashion, even to serve as a skeleton structure which you can alter afterwards.

  2. I can see potential typos or slight deviations in OU names causing mismatches that might not be initially caught, such as if an OU in ADUC had two parts with a space in between and in GPMC the space was missing (or worse: if a space is added at the end); or an OU with a plural word is accidentally typed without an -s at the end (Department vs Departments), etc. Also what does this mean for capitalization mismatches? Are the OUs case sensitive between ADUC and GPMC? Like camelCased (ADUC) vs camelcased (GPMC).

  3. If in ADUC you decide to drag an existing OU under another OU, this structural change will not be reflected in GPMC, as well as any other addition, deletion, or renaming operation not being reflected. It seems like a simple linking of the objects would remedy that.

Obviously an IT Admin should be smart and vigilant enough to ensure there aren't any inconsistencies, but how is decoupling ADUC and GPMC an actual improvement technologically speaking? It seems like automation and matching validation checks for consistency between the two should be not only possible but also trivial. Back in Windows Server 2003 it seems like the GPOs were directly associated with the AD objects themselves, so the GPOs would follow the objects no matter what you did to them; whereas I read somewhere that now GPOs "do not belong to a AD object", in terms of direct association and linkage. What is the reason behind that change?

But perhaps I've just been reading the wrong documentation and completely misunderstand the situation and there is some method of linking the two. [Edit: Yes]

Thanks for patiently explaining this to a Linux Admin.
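The linkage the question asks about is stored on the directory object itself: GPMC writes each link into the OU's gPLink attribute, which is the same object ADUC shows. As an added example (not part of the original post), the following PowerShell audit reads gPLink from every OU, parses the links, and flags any that point at a GPO that no longer exists; it assumes the RSAT ActiveDirectory and GroupPolicy modules and a domain-joined session with read access to the OUs and the Policies container.

```powershell
# Added example: audit the GPO links that live on OU objects (not from the original post).
# Assumes the RSAT ActiveDirectory and GroupPolicy modules are installed and the session
# runs as a domain user with read access to the OUs and to CN=Policies,CN=System.
Import-Module ActiveDirectory
Import-Module GroupPolicy

# gPLink is one string of the form
#   [LDAP://cn={GUID},cn=policies,cn=system,DC=example,DC=com;OPTIONS][...more links...]
# where OPTIONS bit 0 means "link disabled" and bit 1 means "enforced".
function ConvertFrom-GPLink {
    param([string]$GPLink)
    if ([string]::IsNullOrWhiteSpace($GPLink)) { return @() }
    $pattern = '\[LDAP://cn=\{(?<guid>[0-9A-Fa-f-]+)\},[^;]*;(?<opts>\d+)\]'
    $matches = [regex]::Matches($GPLink, $pattern, 'IgnoreCase')
    foreach ($m in $matches) {
        $opts = [int]$m.Groups['opts'].Value
        [pscustomobject]@{
            GpoGuid  = $m.Groups['guid'].Value
            Disabled = [bool]($opts -band 1)
            Enforced = [bool]($opts -band 2)
        }
    }
}

# Walk every OU, read gPLink straight from the directory, and resolve each linked GPO.
# A link whose GPO cannot be found is a dangling link: the OU still "remembers" a policy
# that was deleted, so renaming or moving the OU in ADUC never lost the association.
$report = foreach ($ou in Get-ADOrganizationalUnit -Filter * -Properties gPLink) {
    foreach ($link in ConvertFrom-GPLink $ou.gPLink) {
        $gpo = try { Get-GPO -Guid $link.GpoGuid -ErrorAction Stop } catch { $null }
        [pscustomobject]@{
            OU       = $ou.DistinguishedName
            GpoGuid  = $link.GpoGuid
            GpoName  = if ($gpo) { $gpo.DisplayName } else { '<missing GPO>' }
            Enforced = $link.Enforced
            Disabled = $link.Disabled
            Dangling = (-not $gpo)
        }
    }
}

$report | Sort-Object OU | Format-Table -AutoSize
$report | Where-Object Dangling | ForEach-Object {
    Write-Warning "Dangling GPO link on $($_.OU): {$($_.GpoGuid)}"
}
```

The domain root (Get-ADDomain) and AD sites carry a gPLink attribute in the same format, so the same parser can be pointed at them if you want a complete picture of link scope.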
