Problem: GPOs are applied for machines but not for users

Problem:

GPOs are applied for machines but not for users.

Situation:

You have created a separate OU for your GPOs, possibly with other OUs beneath it. In the security filtering you defined a group or a user that should get the GPO applied. See picture below ↓

Now the user does not get the GPO applied.

Solution:

The user also has to be placed beneath the same OU the GPO is created in.

You can check whether the GPO is shown for the user:

# samba-tool gpo list cscheini
GPOs for user cscheini
    MappedDriveUsers {FC11CD14-FB1E-41D4-BE2D-83362B4DFADE}
    Default Domain Policy {31B2F340-016D-11D2-945F-00C04FB984F9}

Check the DN where the user is currently placed:

univention-ldapsearch -LLLo ldif-wrap=no uid=cscheini dn
dn: uid=cscheini,ou=MappedDriveDEPT,ou=GpoOU,dc=schein,dc=ig

You can move the account within the LDAP directory: tick the user's checkbox, open the “MORE ↓” dropdown and select “move to…” (shown in the background of the picture).
You then get the confirmation popup, where you can select the location you want to move the user to. Clicking “MOVE LDAP OBJECT” moves the user to the new location.

gpo-ldap
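
The two checks above can be combined into one comparison of the user's DN against the containers a GPO is linked to. This is an added example, not part of the original article: the function names are hypothetical, it assumes `samba-tool gpo listcontainers` prints one `DN: <container>` line per link and that the GPO is linked to OU=GpoOU, and the sample output is constructed.

```shell
#!/bin/bash
# Added example: is a user DN located beneath a container the GPO is linked to?

# Lower-case a DN and drop whitespace around RDN separators, so that
# "OU=GpoOU, DC=schein,DC=ig" and "ou=GpoOU,dc=schein,dc=ig" compare equal.
normalize_dn() {
    printf '%s' "$1" | tr '[:upper:]' '[:lower:]' |
        sed -e 's/[[:space:]]*,[[:space:]]*/,/g' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//'
}

# dn_is_beneath OBJECT_DN CONTAINER_DN -> status 0 if the object sits below the
# container. The leading comma keeps ou=NotGpoOU from matching ou=GpoOU.
dn_is_beneath() {
    local obj container
    obj=$(normalize_dn "$1")
    container=$(normalize_dn "$2")
    [ -n "$container" ] || return 1
    case "$obj" in
        *",$container") return 0 ;;
        *) return 1 ;;
    esac
}

# Reads "DN: <container>" lines on stdin and prints every linked container the
# user is beneath. Status 1 means the user is outside all of them, which is the
# situation described in this article.
covering_containers() {
    local user_dn=$1 line container found=1
    while IFS= read -r line; do
        case "$line" in
            *"DN: "*) container=${line#*DN: } ;;
            *) continue ;;
        esac
        if dn_is_beneath "$user_dn" "$container"; then
            printf '%s\n' "$container"
            found=0
        fi
    done
    return "$found"
}

# Constructed sample of the link listing for the MappedDriveUsers GPO.
SAMPLE_LINKS='Container(s) using GPO {FC11CD14-FB1E-41D4-BE2D-83362B4DFADE}
    DN: OU=GpoOU,DC=schein,DC=ig'

# Live use on the DC (not executed by this example):
#   dn=$(univention-ldapsearch -LLLo ldif-wrap=no uid=cscheini dn | sed -n 's/^dn: //p')
#   samba-tool gpo listcontainers '{FC11CD14-FB1E-41D4-BE2D-83362B4DFADE}' | covering_containers "$dn"
```

The check only covers where the account is located; security filtering on the GPO still has to include the user or one of its groups.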
