I have set up my WS2k8 R2 AD like so:
The OU "OU1" contains a security group called "GROUP1". I have applied some group policy to "OU1". The group policy is enforced.
My users are located in the default "Users" OU. The users are members of the group "GROUP1".
The problem is that the GP does not get applied to the users.
If I create users in the "OU1" OU, the policies get applied as they should.
Very grateful, James
Group policy isn't applied on groups like that. It's applied to computer or user objects within the OU it's applied to.
If you want a group policy to apply to just a specific group, you need to attach the group policy to your entire user OU, then use Group Policy Filtering to restrict it to just the group of users you require.
That's because Group Policies are applied based on where the user object exists, not on any group the user is in. This is one of the more confusing aspects of Group Policy Objects. It says group in the name, so obviously it should apply to groups, right? No, at least not without extra work. In order to have the GPO apply to a user, it has to be set on an OU in the user's path to the root of the domain.
To set it so that group membership actually forces GPO application, there is a procedure for this:
http://technet.microsoft.com/en-us/library/cc786636%28WS.10%29.aspx
That works a bit differently in that you have to apply it to everyone, but you set it so only members of a specific group actually execute it. So, you'd set it on your Users OU, and only members of the configured group would get it.
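The security-filtering procedure the two answers above describe, as an added PowerShell example (not from the thread or the linked article). It assumes a GPO named GPO1, the GROUP1 group from the question, a domain example.com and a user OU named Staff; the built-in Users container cannot take a GPO link, so if the users stay there the link target would be the domain root instead.

```powershell
# Added example, not from the thread: link a GPO above the user objects and
# security-filter it so only GROUP1 members apply it (GroupPolicy module,
# available with RSAT / Windows Server 2008 R2 and later).
# Assumed names: GPO1, GROUP1, domain example.com, user OU "Staff".
Import-Module GroupPolicy

$gpo    = 'GPO1'
$group  = 'GROUP1'
# Users in the built-in Users container? Use 'DC=example,DC=com' here instead.
$target = 'OU=Staff,DC=example,DC=com'

# 1. Link (and enforce) the GPO at a level that contains the user objects.
New-GPLink -Name $gpo -Target $target -LinkEnabled Yes -Enforced Yes

# 2. Lower Authenticated Users from the default Read+Apply to Read only.
#    -Replace is required: without it Set-GPPermission never lowers a level.
#    Keep Read: since MS16-072 (June 2016) user policy is read in the
#    computer's security context, and a GPO nobody can read silently stops
#    applying for everyone.
Set-GPPermission -Name $gpo -TargetName 'Authenticated Users' -TargetType Group `
    -PermissionLevel GpoRead -Replace

# 3. Grant Read+Apply only to the intended group.
Set-GPPermission -Name $gpo -TargetName $group -TargetType Group `
    -PermissionLevel GpoApply

# 4. Show the resulting ACL so the filter can be checked before users log on.
Get-GPPermission -Name $gpo -All |
    Select-Object @{n='Trustee'; e={ $_.Trustee.Name }}, TrusteeType, Permission |
    Format-Table -AutoSize
```

On a client, `gpupdate /force` followed by `gpresult /r /scope:user` shows whether the GPO was applied or listed under "filtered out" with a Security reason.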
What you need to do is enable GPO Loopback Processing on the computer(s) the users are logging into. Loopback Processing forces the GPOs to be applied on the users logging into these computers regardless of where the user objects are located in your AD. You can find more detail in this KB: http://support.microsoft.com/kb/231287.
What you are seeing is the default behavior. Group Policies are set at the OU level and apply to the objects in that OU. Groups aren't expanded to have the group policy applied.
The easiest solution might be to move the users to the OU1 OU. You would need to make sure that there are no other group policies applied specifically to the Users OU.