This is not a duplicate. This question is much more detailed than "What is group policy". Mods need to be a little less aggressive around here.

I'd like to push out a Windows Firewall: Allow remote administration exception properties group policy to all computers connected to my DC. The instructions from MS are here, the relevant line is "Right-click the selected OU, and click Group Policy Update…". If I try to update the Users GPO it says there are no computer objects. If I try to add a "Computers" object, it says it already exists. The only thing in the tree that I can update is the Domain Controllers object; that doesn't seem right.

It's very confusing. If I can't add it, how come I can't see it? I don't have any filters turned on.

The whole point of this is to be able to force a GP update on all computers in the domain. The instructions that I linked imply that I can do that via the GPMC but I don't see any way to accomplish that.

[Screenshot: GPMC tree]

jcollum
    Your question boils down to the simple fact that you don't understand enough about Group Policy (and Active Directory, I guess) to administer it, which is why this question is marked as a duplicate of the canonical question about the basics of Group Policy. – HopelessN00b Mar 17 '15 at 17:31
  • The distinction between an 'OU' and a 'container' tho – the underlying issue – is pretty distinct from how Group Policy works in general. The top-voted answer on the canonical question doesn't even mention 'containers'. – Kenny Evitt Jul 21 '17 at 19:47

2 Answers

GPOs can only be linked to Organizational Units (OUs), but the default "Computers" folder in an Active Directory domain is a container, not an OU, thus you can't link GPOs to it; but you can't create an OU called "Computers", because there already is an object with that name. You should have a look at your domain structure using the "Active Directory Users and Computers" console, which will show you all objects inside your domain, as opposed to the GPMC which only shows OUs and GPOs.

Massimo
    The OP blurred the prefix on the "____ Users" OU, it is not named "Users" alone. – jscott Mar 16 '15 at 19:40
  • Ok, I completely missed the blurring because he also referred to it as "Users" ("If I try to update the Users GPO..."). – Massimo Mar 16 '15 at 19:43
  • How would I push a GPUpdate to all computers with AD? I don't see that option. The GP update is the reason I started this whole thing. – jcollum Mar 16 '15 at 19:44
  • You can only force a Group Policy update on a specific OU; if your computers aren't located inside OUs, you are out of luck. You should design a proper OU structure and use it to organize your domain and your GPOs. – Massimo Mar 16 '15 at 19:48
  • I didn't set all this up. I'd like to add a Computers OU but it says that that is already present. Yet I can't see it. Still confused. I've updated my question. – jcollum Mar 16 '15 at 19:49
  • You can't see it because there is a *container* called "Computers", but that console doesn't display containers, it only displays OUs. Use ADUC and you'll see it. – Massimo Mar 16 '15 at 19:50
  • A group policy object (GPO) is applied to **all** user and computer accounts in the organizational units (OUs) that GPO is linked to **where** the accounts match the GPO security filtering in the scope tab. By default the security filtering is set to *Authenticated Users (and computers)*. By default, GPO settings are inherited. – Daniel Mar 16 '15 at 19:50
  • @Massimo yes, I can see it in the ADUC but the document I linked implies I can perform a GP update to all computers in my org. I don't see how. – jcollum Mar 16 '15 at 20:01
  • You can force an update *on all computers inside an OU*. If you really have such a strong need to do it immediately, then you can simply create an OU, place all your computers in it and then force an update on that OU. Otherwise, just wait a couple of hours: GPOs are automatically refreshed every 60-90 minutes, there really is no need to force updates anywhere. – Massimo Mar 16 '15 at 20:29
  • So the issue here is that no one ever set up an OU that contains all the computers? I guess I should make one called "AllComputers" and be done with it... – jcollum Mar 16 '15 at 20:51
  • GPOs *can* be linked to an entire domain so the first part of the first sentence isn't strictly correct. Doing that is also the easiest way for the OP to solve their problem. The fact that the built-in 'containers' aren't OUs and can't be used as such is, from the perspective of a user (of Active Directory and its various tools), an annoying 'gotcha' – there's no reasonable, let alone obvious, rationale why that would be. – Kenny Evitt Jul 31 '17 at 13:35
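An added PowerShell example (not from the answer or its commenters) that shows the container-vs-OU distinction the answer describes, links the GPO at the domain root as the last comment suggests, and then pushes a refresh to every computer account, which is what the OP actually wanted from GPMC. It assumes RSAT's ActiveDirectory and GroupPolicy modules on a domain-joined admin workstation with Server 2012 or later (for `Invoke-GPUpdate`), and a hypothetical GPO name.

```powershell
# Added example, not code from the original thread.
# Assumes RSAT (ActiveDirectory + GroupPolicy modules); the GPO name is hypothetical.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domain  = Get-ADDomain
$gpoName = 'Firewall - Allow remote administration'   # hypothetical GPO name

# 1. Direct children of the domain root, with their object class.
#    'container' entries (CN=Computers, CN=Users, ...) are not valid GPO link targets;
#    'organizationalUnit' entries (OU=Domain Controllers, ...) are. GPMC only shows the latter.
Get-ADObject -Filter "objectClass -eq 'container' -or objectClass -eq 'organizationalUnit'" `
             -SearchBase $domain.DistinguishedName -SearchScope OneLevel |
    Sort-Object ObjectClass |
    Format-Table Name, ObjectClass, DistinguishedName -AutoSize

# 2. How many computers sit directly in the Computers *container* (reachable by no OU link).
$inContainer = @(Get-ADComputer -Filter * -SearchBase $domain.ComputersContainer -SearchScope OneLevel)
"{0} computer(s) live in {1}; only a domain-level link reaches them" -f $inContainer.Count, $domain.ComputersContainer

# 3. Linking to the container is rejected; linking to the domain root covers every OU and container.
try {
    New-GPLink -Name $gpoName -Target $domain.ComputersContainer -ErrorAction Stop | Out-Null
} catch {
    "Expected failure linking to a container: $($_.Exception.Message)"
}
New-GPLink -Name $gpoName -Target $domain.DistinguishedName -LinkEnabled Yes | Out-Null

# 4. Refresh every computer by name instead of right-clicking a single OU in GPMC.
#    Invoke-GPUpdate addresses the machine directly, so OU vs container does not matter here.
Get-ADComputer -Filter * | ForEach-Object {
    Invoke-GPUpdate -Computer $_.Name -Target Computer -Force -RandomDelayInMinutes 0 -ErrorAction SilentlyContinue
}
```

`Invoke-GPUpdate` needs the remote scheduled-task firewall rules open on the target, which is the very exception the OP's GPO is meant to deliver; machines that cannot be reached will pick the policy up at their next regular 90-minute refresh.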
My thoughts:

First of all, you clearly need to resolve why you're not seeing the Computers container. You may need to check your privileges, and then the ACLs applied to the object.

Then:

  1. Create a new GPO that includes your desired firewall settings
  2. In the filtering options, specify a single test machine, e.g.: myserver$
  3. Link the new GPO to the root of your Computers container ...OR... to the root of your domain (if you can't resolve the first issue)
  4. Perform a GPUpdate /force /boot on myserver
  5. Use Resultant Set of Policy (RSoP) to confirm that the new policy settings have reached the server
  6. Once happy, expand the filter group or change it to Authenticated Users

Edited.

Simon Catlin
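The six-step staged rollout from the answer above, scripted in PowerShell as an added example (not Simon Catlin's or Microsoft's code). It assumes RSAT's ActiveDirectory and GroupPolicy modules, Server 2012 or later for `Invoke-GPUpdate`, a hypothetical GPO name, and the answer's test machine `myserver`; the firewall settings themselves are still authored in the GPMC editor.

```powershell
# Added example, not code from the original answer. GPO name and 'myserver' are placeholders.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$gpoName  = 'Firewall - Allow remote administration'   # hypothetical name
$testHost = 'myserver'                                  # test machine from the answer
$domainDn = (Get-ADDomain).DistinguishedName

# Step 1: create the GPO (idempotent; re-running the script reuses it).
$gpo = Get-GPO -Name $gpoName -ErrorAction SilentlyContinue
if (-not $gpo) { $gpo = New-GPO -Name $gpoName -Comment 'Staged rollout: test machine only' }

# Step 2: security-filter to the single test computer. Authenticated Users is downgraded
# from Apply to Read (-Replace is required to lower a level) so every computer can still
# read and evaluate the GPO, but only the test machine's account applies it.
Set-GPPermission -Name $gpoName -TargetName 'Authenticated Users' -TargetType Group `
                 -PermissionLevel GpoRead -Replace | Out-Null
Set-GPPermission -Name $gpoName -TargetName $testHost -TargetType Computer `
                 -PermissionLevel GpoApply | Out-Null

# Step 3: link at the domain root (the Computers *container* cannot be a link target).
$alreadyLinked = (Get-GPInheritance -Target $domainDn).GpoLinks | Where-Object DisplayName -eq $gpoName
if (-not $alreadyLinked) { New-GPLink -Name $gpoName -Target $domainDn -LinkEnabled Yes | Out-Null }

# Step 4: force a refresh on the test machine; -Boot restarts it only if a setting requires it.
Invoke-GPUpdate -Computer $testHost -Target Computer -Force -Boot -RandomDelayInMinutes 0

# Step 5: RSoP report; the GPO must appear under the computer's "Applied GPOs".
$report = Join-Path $env:TEMP "$testHost-rsop.html"
Get-GPResultantSetOfPolicy -Computer $testHost -ReportType Html -Path $report
"RSoP written to $report; confirm '$gpoName' is listed as applied, then run step 6."

# Step 6 (after verification): widen scope to all computers by restoring Apply for Authenticated Users.
# Set-GPPermission -Name $gpoName -TargetName 'Authenticated Users' -TargetType Group -PermissionLevel GpoApply
```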