
Containers are used to segment and organize a network and were designed with specific uses and restrictions in mind. Is this the only reason why we can't link GPO to a Container and only to OU? Are there any more differences between a container and OU?

Goku

2 Answers


Why can't we link GPO to an AD container?

Primarily because a container object lacks the necessary gpLink and gpOptions attributes required to link a group policy object to it. Active Directory uses an LDAP database, and in that LDAP database are different kinds of objects and a hierarchy of inheritances such that certain objects can inherit attributes from their parent object above them. Some objects have certain attributes and some do not. For instance, user objects and computer objects both inherit from the same higher-level object, called user. (Confusing huh?) A computer is essentially a specialized type of user.

Containers are used to segment and organize a network and were designed with specific uses and restrictions in mind.

Don't understand what you're saying.

Is this the only reason why we can't link GPO to a Container and only to OU?

See the first question, above.

Are there any more differences between a container and OU?

You can't link a GPO to a container, and you should generally never try to remove or delete containers. Containers and OUs are two different (but similar) classes of objects. In general, containers are laid down by the system when you install AD or AD-integrated applications and in general shouldn't be messed with without very good reason. OUs on the other hand, are for you, the administrator, to play with to your heart's content. You create, move, and delete OUs and categorize your users and computers in whatever way makes sense for your organization. Also, there are certain systemFlags usually assigned to containers that forbid you from moving or deleting them.

Ryan Ries
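To see the two points above for yourself, here is an added PowerShell check (not part of either answer) that compares a built-in container with an OU, both on the live objects and in the schema class definitions. It assumes the RSAT ActiveDirectory module, a domain-joined session, and an OU named "Workstations" (substitute one that exists in your domain).

```powershell
# Added example: why a GPO cannot be linked to CN=Users but can to an OU.
# Requires the ActiveDirectory module and a domain-joined, authenticated session.
Import-Module ActiveDirectory

$domainDN = (Get-ADDomain).DistinguishedName
$schemaNC = (Get-ADRootDSE).schemaNamingContext

# 1. Live objects: the built-in Users container vs. an administrator-created OU.
$targets = @(
    "CN=Users,$domainDN",          # built-in container, objectClass = container
    "OU=Workstations,$domainDN"    # assumed OU name, objectClass = organizationalUnit
)
foreach ($dn in $targets) {
    $obj = Get-ADObject -Identity $dn -Properties objectClass, gPLink, gPOptions, systemFlags
    [PSCustomObject]@{
        DN             = $dn
        ObjectClass    = $obj.objectClass
        gPLink         = $obj.gPLink      # empty on the container: its class cannot hold it
        gPOptions      = $obj.gPOptions
        # systemFlags bits (MS-ADTS): these are what blocks deleting/moving built-in
        # containers. DISALLOW_DELETE = 0x80000000, DOMAIN_DISALLOW_MOVE = 0x04000000.
        DisallowDelete = (($obj.systemFlags -band 0x80000000) -ne 0)
        DisallowMove   = (($obj.systemFlags -band 0x04000000) -ne 0)
    }
}

# 2. Schema: which class definitions may carry gPLink / gPOptions at all.
# container and organizationalUnit both derive directly from 'top', so a difference
# here comes from the class definition itself, not from inheritance.
foreach ($class in 'container', 'organizationalUnit', 'domainDNS', 'site') {
    $def = Get-ADObject -SearchBase $schemaNC -LDAPFilter "(lDAPDisplayName=$class)" `
               -Properties mayContain, systemMayContain
    $allowed = @($def.mayContain) + @($def.systemMayContain)
    [PSCustomObject]@{
        Class        = $class
        HasGpLink    = ($allowed -contains 'gPLink')
        HasGpOptions = ($allowed -contains 'gPOptions')
    }
}
```

The second loop also covers the site and domain classes, which the MS article quoted in the other answer lists as linkable; expect them to report gPLink alongside organizationalUnit, while container does not.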

In the article Linking GPOs to Active Directory Containers, the first paragraph says:

A GPO can be associated (linked) to one or more Active Directory containers, such as a site, domain, or organizational unit. Multiple containers can be linked to the same GPO, and a single container can have more than one GPO linked to it. If multiple GPOs are linked to one container, you can prioritize the order in which GPOs are applied.

And to complement the information, the article Active Directory Structure and Group Policy says:

It is not possible to link a Group Policy object to a generic Active Directory container. (A generic Active Directory container is identifiable by its plain folder icon in the Active Directory Users and Computers console. The icon for an organizational unit is similar, except that a small book is superimposed on the folder.) However, users and computers in generic Active Directory containers do receive policy by inheritance from Group Policy objects linked at a higher level of Active Directory. For example, the Users and Computers containers you see in Active Directory Users and Computers cannot have Group Policy objects linked directly to them, but they do receive domain-linked Group Policy objects by means of inheritance.

Gamaliel