3

[Disclaimer: This question was based on flawed impressions. Take with a very small grain of salt, or no salt at all.]

As a Linux admin who is unwillingly being thrust back into Windows administration after just shy of a decade of not touching Windows Servers I'm a little puzzled at a few things about Group Policy these days compared to how it used to be done way back when.

I still remember the days when there was a group policy tab on certain objects in ADUC (say with Windows Server 2003) such as OUs (if I recall correctly), but it looks like now ADUC and Group Policy have now been segregated into different management consoles and de-linked, with GPMC being the place for GPOs now. I'm sure there's some great reasons for that. However, I have a few questions now.

Why does it seem that the structure and names of OUs, and association of GPOs with actual AD objects in ADUC are completely segregated from their counterparts GPMC? It seems like the GP Admin must be vigilant to mimic any changes made to the naming or structure of OUs in ADUC in GPMC as well, but I can see this inevitably going awry since mistakes and oversights will inevitably happen from time to time.

Obviously an IT Admin should be smart and vigilant enough to ensure there aren't any inconsistencies, but how is decoupling ADUC and GPMC an actual improvement technologically speaking? It seems like automation and matching validation checks for consistency between the two should be not only possible but also trivial. Back in Windows Server 2003 it seems like the GPOs were directly associated with the AD objects themselves, so the GPOs would follow the objects no matter what you did to them; whereas I read somewhere that now GPOs "do not belong to a AD object", in terms of direct association and linkage. What is the reason behind that change?

But perhaps I've just been reading the wrong documentation and completely misunderstand the situation [Edit: Yes].

Thanks for patiently explaining this to a Linux Admin.

Improve this question

3 Answers 3

Reset to default
10

The OUs you see in GPMC are actually the same OUs you see in ADUC. Rename in one, and it gets renamed in the other (pending replication if not connected to the same DC) after refreshing the view.

In short, they're still linked the same as they always have been. You just don't see any non-GPO child objects in GPMC because the app chooses not to display them.

Improve this answer
2
  • Oh, whoops. I was indeed wrong about the object links and renaming operations. I was seeing OUs in GPMC that were not in ADUC, but in fact ADUC OUs do show in GPMC. So this was a misunderstanding after all. I'll probably nix this question then. Thanks for the sanity check. Commented Jun 19, 2018 at 0:17
  • 3
    Yeah, it's all still the same underlying LDAP database. ADUC and GPMC are just different filtered views of the data. Commented Jun 19, 2018 at 0:19
7

Since the Group Policy OUs are not tied directly to the OUs in ADUC

Group policies are very tightly integrated into AD, and linked to OUs.

  • The physical files for a group policy are stored in SYSVOL \\example.org\SYSVOL\example.org\Policies)
  • The main place a policy is stored is in the CN=Policies,CN=System,DC=example,DC=org container
  • Policies are linked to OUs via the gPLink property of a given OU.
    • See Get-ADObject 'OU=Domain Controllers,DC=example,DC=org' -Properties DistinguishedName, gpLink

A lot of your questions seem to be about miss-match between the two tools. It is possible the two tools to get out of date if you have both of them open. Or perhaps you got connected to a different domain controller somehow and the replication of what you have saved hadn't completed. But the GPMC is certainly storing information about policies directly to the AD. If you force a refresh or wait a few minutes changes you made should sync up.

Improve this answer
5
  • Thanks. Yes, happily this was a misunderstanding. This makes my life less of a pain. I think I'll delete my oblivious question. Commented Jun 19, 2018 at 0:25
  • You don't have to delete it. This information could be useful for someone in the future. Commented Jun 19, 2018 at 0:26
  • It's fatally flawed from the outset though because I didn't double check my results before asking, and made an incorrect assumption by comparing configuration in an already setup domain which gave me the wrong impression. I'll get more hate mail if I leave it. :-) Commented Jun 19, 2018 at 0:30
  • If it's any consolation I've copied your answer in to a text file for my own edification, so at least I can benefit from it. Thanks for the reply! Commented Jun 19, 2018 at 0:36
  • I would really hope you aren't getting hatemail from here. Also, there are some negative side effects of deleting questions, if you delete too many. Your account can get rate-limited, or blocked from asking new questions. Commented Jun 19, 2018 at 0:38
3

One thing to note is that in the GPMC you won't see the default Computers or Users containers, because they are Containers and not OU's. GPO's cannot be linked to these containers. GPO's linked at the Domain root and GPO's linked at the Site level will be applied to objects in these two default containers.

Improve this answer

You must log in to answer this question.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.