Greetings, everyone! I am needing some advice on how to deploy some group policy objects to specific users stored on different OUs.
Let me set the stage: I work for a large school district, and have recently taken over the district's career center. The idea behind the career center is that students from different high schools around the city come in to take classes based on their choice
of career, such as radio broadcasting or auto mechanic and such. The AD structure is set up so that each school has their own OU. When a user (staff, student, etc.) is assigned to a school OU, they automatically are added to
their school's security group (i.e. EASTHIGH-STUDENT), and that when any user moves from one school to another, we have to move their AD account to that school's OU, which will remove the security group from the old school and apply the new school
security group.
For the career center, since we have students coming from different buildings every day, rather than trying to find a way to move their AD account from their high school OU to the career center OU, the previous techs created generic accounts (such as tv001, tv002, etc.) in AD and stored them in the career center OU. This way, teachers can assign students that particular generic account so that they can access the drives and printers from the career center, as well as access the career center network drives while they are at their home high school.
Since I have moved to the career center, and apparently I have more knowledge about group policy than most of the techs in the district, the district system engineers want me to remove all of the generic accounts from the career center OU, and have students use their own AD accounts. Obviously I also want to do this since the generic accounts are very confusing to me, but I'm trying to figure out the best way to do this.
For simplicity sake, I'm just going to start off by figuring out how to set up a group policy for mapping the career center drives. Now, I obviously know that the best way would be to create security groups for each career area, and that we would need to add students to those groups so that only those particular students would get the GPO for the career center, but my question is where would I like the group policies to? Do I need to link it at the root of the domain so that every OU is hit? Just curious about this.
Thanks!