Group policies with sub OUs are driving me crazy -> don't work as expected

Hi GPO-Experts, :slight_smile:

As you can see in this picture, I created some group policies and some OUs to organize them:

The entries highlighted in green do work; the one within the horizon folder is a computer policy. The entries highlighted in red do not work; they are user policies. If I move them into the root folder next to the other working GPOs, everything is fine, but they are ignored within every sub OU I created.

I really don't have any idea how to further debug and fix this issue. Does someone else?

Some specs at the end: a single UCS primary node running 5.0-2, and Win11 / Srv2022 clients for GPO testing.

Hoping to get some ideas, and wishing you all a warm Advent season.


They would only work if the users are also in the Horizon OU. For users in the Benutzer OU you have to link it there or above.


Thanks, that is strange, because we have the same setup in our company and here it works.
Same with MS DCs at other customers' sites … user and computer OUs are always separated.

If I switch to your scenario, how can I achieve GPOs only being used for users in groups XY AND computers in the sub OU?
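The scoping rule behind the reply above (user settings only reach users located at or below the link target, unless loopback processing is turned on in a computer-side GPO) can be checked from an admin host instead of guessing from the GPMC tree. The following diagnostic is an added example, not code from this thread or from Univention. It assumes the RSAT GroupPolicy and ActiveDirectory modules on a domain-joined Windows host, and the OU distinguished name at the bottom is a placeholder to replace with your own. For each GPO linked to the given OU it reports whether the User Configuration half can apply to anyone there, and whether any GPO in the inheritance chain configures loopback, which is the standard way to get "user policies for users in group XY, but only on the computers in this sub OU".

```powershell
# Added example (not from the thread): check whether the user half of each GPO
# linked to an OU can actually reach anyone. Assumes RSAT GroupPolicy and
# ActiveDirectory modules on a domain-joined Windows admin host.
Import-Module GroupPolicy
Import-Module ActiveDirectory

function Test-UserGpoScope {
    param([Parameter(Mandatory)][string]$TargetOU)

    # Only objects at or below the link target process the matching half of a GPO:
    # user objects process User Configuration, computer objects process Computer Configuration.
    $users     = @(Get-ADUser     -SearchBase $TargetOU -SearchScope Subtree -Filter *)
    $computers = @(Get-ADComputer -SearchBase $TargetOU -SearchScope Subtree -Filter *)

    $inheritance = Get-GPInheritance -Target $TargetOU

    # Loopback processing is a Computer Configuration setting stored as
    # UserPolicyMode under this key (1 = merge, 2 = replace). Once any GPO that a
    # computer receives sets it, user settings from the GPOs linked to the computer's
    # OU apply to whoever logs on there, so we look through the whole inherited chain.
    $loopbackKey = 'HKLM\Software\Policies\Microsoft\Windows\System'
    $effectiveLoopback = 'off'
    foreach ($link in $inheritance.InheritedGpoLinks) {
        if (-not $link.Enabled) { continue }
        try {
            $mode = (Get-GPRegistryValue -Guid $link.GpoId -Key $loopbackKey `
                        -ValueName 'UserPolicyMode' -ErrorAction Stop).Value
            $effectiveLoopback = switch ([int]$mode) { 1 { 'merge' } 2 { 'replace' } default { 'off' } }
            if ($effectiveLoopback -ne 'off') { break }
        } catch { }   # value absent: this GPO does not configure loopback
    }

    $results = @()
    foreach ($link in $inheritance.GpoLinks) {
        $gpo = Get-GPO -Guid $link.GpoId
        # DSVersion 0 means the user half has never been written to (empty), so
        # an "enabled" but empty user side still applies nothing.
        $hasUserSettings = $gpo.User.Enabled -and ($gpo.User.DSVersion -gt 0)

        $verdict = if (-not $link.Enabled) {
            'link disabled'
        } elseif (-not $hasUserSettings) {
            'no user settings in this GPO (computer side only)'
        } elseif ($users.Count -gt 0) {
            "user settings reach $($users.Count) user object(s) under this OU"
        } elseif ($effectiveLoopback -ne 'off') {
            "no user objects here, but loopback ($effectiveLoopback) applies user settings on $($computers.Count) computer(s)"
        } else {
            'user settings unreachable: no user objects under this OU and no loopback; link at the users OU or above'
        }

        $results += [pscustomobject]@{
            GPO      = $gpo.DisplayName
            Enforced = $link.Enforced
            Loopback = $effectiveLoopback
            Verdict  = $verdict
        }
    }
    return $results
}

# Placeholder DN: replace with the sub OU that holds the computers.
Test-UserGpoScope -TargetOU 'OU=horizon,OU=Computers,DC=example,DC=com' | Format-Table -AutoSize
```

If the script reports the user links as reachable (users exist under the OU, or loopback is in effect) and a client still ignores them, the scoping explanation no longer fits and the problem is on the DC or client processing side; in that case `gpresult /h report.html /scope:user` on the test client shows, per GPO, whether it was denied by security filtering, out of scope, or not delivered at all, which narrows the search to the UCS side.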


I think you misunderstood the scenario. I don't have anything like this:
Every GPO is applied to "Authenticated Users"; it's just a separation of computer groups in OUs.
And as I wrote before, the exact same scenario as above is running on our own UCS5, and the same scenario is running at a different customer's infrastructure with MS DCs in use.
So this is something I don't understand: why we have these issues with one customer's UCS, although we have no issues with our UCS5 and the same GPO settings.

It would be nice if someone from Univention had any idea or could point me in a direction (where, or with whom, to debug this issue), because this is the first time I have had these problems with a UCS.
I have turned on and looked at the log files for this on the Windows side, but cannot find any abnormality as to why it is not working as expected.

Maybe it's an issue with the LDAP containers?
I created those containers for testing from the UCS web UI and from a Windows AD administration tool, and neither way worked.