Re: Best location for policies

From: Grace (yyy_at_yyy.com)
Date: 10/06/05

    Date: Wed, 5 Oct 2005 17:02:45 -0500
    
    

    "Jorge_de_Almeida_Pinto" <UseLinkToEmail@WindowsForumz.com> wrote in message
    news:3_1438317_b8a9e3b2f7910ee4b84fac4784d48776@windowsforumz.com...
    > "" wrote:
    > > Please advise:
    > >
    > > I have a small Windows 2000 domain: 200 users, 4 Win2k Servers, 4 Win2k3
    > > servers, 1 Exchange 5.5. I created an OU for Our Computers (had to name it
    > > differently since there already is a Computer container), with Workstations
    > > and Notebooks OUs below, and an OU for User Accounts. I have a Test OU and
    > > TSServer OU since I have a separate policy for TS users (works great BTW).
    > >
    > > At the moment, I have 2 policies: one for Our Computers OU - it has a few
    > > registry entries, security related, picked from the policy options, and a
    > > policy for User Accounts OU that locks down users. I don't have
    > > domain-level security policy (passwords, etc.) created yet.
    > > I am ready to implement Windows Update policy w/WSUS server - it works
    > > beautifully in test environment.
    > >
    > > I am not sure what's the best way to organize policies. I read somewhere
    > > that it's convenient to create a separate OU for all policies and just link
    > > them to OUs as needed. If yes, how do I disable then delete the current
    > > policies after recreating them for the new OU?
    > >
    > > Any pointers/advice from the real world greatly appreciated...
    > >
    > > Grace
    >
    > That would be a great way if you only had windows 2000. In w2k and
    > w2k3 if you use the default group policy editor (which sucks) you need
    > to assign an OU when you create a GPO. If you use the GPMC (works with
    > wxp and w2k3) you can just create the GPO and after that link it to
    > whatever OU you want. The GPMC is VERY COOL. It provides lots of fun
    > stuff like backing up and restoring GPOs.
    > See:
    > http://www.microsoft.com/windowsserver2003/gpmc/default.mspx
    >
    > http://www.microsoft.com/downloads/details.aspx?FamilyId=0A6D4C24-8CBD-4B35-9272-DD3CBFC81887&displaylang=en

    Jorge, Steve, thanks for your advice. I will use GPMC and all should be
    fine... ;-) Now what about removing current policies if I need to rearrange
    OUs. Do I just move users and they will be fine? What about computers?

    Thanks,

    Grace
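
An added example, not part of the original thread: one way to do the "create, link, then retire the old policy" sequence discussed above, using the GroupPolicy PowerShell module that ships with later GPMC/RSAT releases (Windows Server 2008 R2 and newer, so not the 2005-era GPMC). The domain DN, GPO names and backup path are hypothetical placeholders; the OU names are the ones from the question.

```powershell
# Added example. Assumes the GroupPolicy module (GPMC/RSAT, Server 2008 R2+).
# Domain DN, GPO names and backup path below are hypothetical placeholders.
Import-Module GroupPolicy

$BackupPath = 'C:\GPOBackups'             # hypothetical; folder must already exist
$OldGpo     = 'Our Computers Policy'      # hypothetical name of the existing GPO
$NewGpo     = 'Computer Security Baseline' # hypothetical name of the replacement
$OldTarget  = 'OU=Our Computers,DC=example,DC=com'
$NewTargets = @(
    'OU=Workstations,OU=Our Computers,DC=example,DC=com',
    'OU=Notebooks,OU=Our Computers,DC=example,DC=com'
)

# 1. Back up the existing GPO first, so it can be restored if the change goes wrong.
$backup = Backup-GPO -Name $OldGpo -Path $BackupPath -Comment 'Before OU reorganisation'

# 2. Create the replacement GPO unlinked, then import the settings from the backup.
New-GPO -Name $NewGpo -Comment "Rebuilt from $OldGpo" | Out-Null
Import-GPO -BackupId $backup.Id -Path $BackupPath -TargetName $NewGpo | Out-Null

# 3. Link the new GPO to each OU where it should apply.
foreach ($ou in $NewTargets) {
    New-GPLink -Name $NewGpo -Target $ou -LinkEnabled Yes | Out-Null
}

# 4. Disable the old link instead of deleting it, so rollback is a single change.
Set-GPLink -Name $OldGpo -Target $OldTarget -LinkEnabled No | Out-Null

# 5. Review which links are now present and enabled on every affected OU.
foreach ($ou in @($OldTarget) + $NewTargets) {
    (Get-GPInheritance -Target $ou).GpoLinks |
        Select-Object @{ n = 'OU'; e = { $ou } }, DisplayName, Enabled, Order
}

# 6. Only after clients have been verified with the new policy:
# Remove-GPLink -Name $OldGpo -Target $OldTarget
# Remove-GPO    -Name $OldGpo
```

Import-GPO copies settings only; links and security filtering on the new GPO have to be set separately.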

