VMware Horizon Community
NelsonCandela
Enthusiast

Difference between users in an OU rather than users in a group in an OU

Hey there,

I was wondering if you could help me clarify the following question:

What is the difference between a user directly placed in an OU rather than having this user being part of a user group in the exact same OU?

For clarification:

For my UEM test I have created an OU called Horizon.

Within that OU I placed my RDS Hosts as Computer Objects and a bunch of test user accounts.

Result: they all work fine. User information is logged as specified in the "FlexEngine logging" GPO in my UEM user share as expected.

Now it comes to managing real world users but they exist in other OUs already.

To come by this issue within this newly created OU Horizon I created a user group and added the existing accounts.

Result: they all are able to log in but policies are not applied and no user folder is created in the UEM user share and thus also no logging is done anywhere.

What options do I have to work with people that already exist in other OUs but need the UEM functionality nonetheless so have my UEM restrictions/settings applied to users in a user group rather than users directly in that OU?

I have loooots of question marks above my head right now -- hopefully you will be able to help me.

If anything is not clear please ask and I'll try to specify in more detail.

Thanks a lot in advance!

NC

2019-01-10_132158.jpg

0 Kudos
2 Replies
sjesse
Leadership

In the computer OU, where the UEM GPOs are, there is probably a GPO setting for loopback processing set to Replace. It's a recommended setting by UEM I think; that setting tells those computers to ignore user-based GPOs. You can test changing that to Merge if it's set; that will let both work, just the computer-based ones take precedence over the user-based ones.

https://support.microsoft.com/en-us/help/231287/loopback-processing-of-group-policy

NelsonCandela
Enthusiast

Hey sjesse,

thanks for getting back to me and sorry for my late reply.

Shame on me, but as I wasn't aware of this setting it hasn't even been enabled at all. But still, with the "loopback processing" enabled nothing changed in both modes.

The thing is that I got confused.

GPOs only apply to user accounts or PCs; they do not affect users in a group. OK!

To solve this problem eventually I left the new setting enabled.

Then I re-structured my GPO (OU Horizon containing a few of the test accounts and user groups, and in that OU is another OU "RDSH-Farm" containing both my RDSH machines).

Within the Group Policy Management I re-attached the UEM policy and added the group containing the Horizon User accounts that were not for testing and also added both of the RDSH machines. See the following screenshot for more details:

2019-01-12_165317.jpg

I have no idea if this is the best way to do it, nor do I know if this is even correct, but this scenario works, all entitled users are able to log in and logging is done, settings get applied and it looks okay to me 🙂

So thanks for your help; if you have another idea in terms of security filtering or would like to comment on my way and settings, I will be happy to learn your thoughts.

Best regards

NC

0 Kudos
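The setup this thread ends up with (UEM GPO linked at the RDSH OU, loopback processing enabled, a user group added to the GPO's security filtering) can be checked from PowerShell. This is an added example, not posted by any participant or taken from VMware's documentation; the GPO name `UEM`, the group `Horizon-Users` and the domain `DC=example,DC=local` are assumed placeholders.

```powershell
# Added example; requires the GroupPolicy module (RSAT / Group Policy Management).
# Assumed placeholder names, not taken from the thread:
Import-Module GroupPolicy
$gpoName = 'UEM'                                          # assumed GPO display name
$group   = 'Horizon-Users'                                # assumed group holding users from other OUs
$rdshOu  = 'OU=RDSH-Farm,OU=Horizon,DC=example,DC=local'  # assumed domain components

# 1. GPO links are evaluated against the OU of the user or computer object itself.
#    A group object sitting in an OU does not bring its members into that OU's scope.
(Get-GPInheritance -Target $rdshOu).InheritedGpoLinks |
    Select-Object Order, DisplayName, Enabled, Enforced

# 2. Security filtering: list every trustee that holds "Apply group policy" on the GPO.
Get-GPPermission -Name $gpoName -All |
    Where-Object { $_.Permission -eq 'GpoApply' } |
    Select-Object @{ n = 'Trustee'; e = { $_.Trustee.Name } },
                  @{ n = 'Type';    e = { $_.Trustee.SidType } },
                  Permission

# 3. Grant the group the Apply permission (what adding it under
#    "Security Filtering" in the GPMC does).
Set-GPPermission -Name $gpoName -TargetName $group -TargetType Group -PermissionLevel GpoApply

# 4. Loopback mode is stored as UserPolicyMode: 1 = Merge, 2 = Replace.
#    No output means the setting is not configured in this GPO.
Get-GPRegistryValue -Name $gpoName `
    -Key 'HKLM\Software\Policies\Microsoft\Windows\System' `
    -ValueName 'UserPolicyMode' -ErrorAction SilentlyContinue

# 5. Resultant set of policy for one user on one RDS host (both names assumed).
#    The user must have logged on to that host at least once.
Get-GPResultantSetOfPolicy -Computer 'RDSH01' -User 'EXAMPLE\jdoe' `
    -ReportType Html -Path "$env:TEMP\uem-rsop.html"
```

The RSoP report from step 5 lists applied and denied GPOs with the reason for each denial, which shows whether a GPO was skipped because of its link scope or because of security filtering.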