Re: Best location for policies
From: Cary Shultz [A.D. MVP] (cwshultz_at_mvps.org)
Date: 10/06/05
- Next message: chenzheng123_at_gmail.com: "ntbackup faile to restore"
- Previous message: Colin Nash [MVP]: "Re: Can encryrpted packets be cracked by middle man?"
- In reply to: Grace: "Best location for policies"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Wed, 5 Oct 2005 22:53:22 -0400
Grace,

I think that you have some pretty good advice. Essentially you create an OU
structure that facilitates implementing GPOs. Also, remember that, as
already stated, you can create a GPO and link it to any OU. You can
then go and link that GPO to any other OU as you deem necessary. Just
remember that if you have any conflicting settings, the GPO that is
applied last wins. And, as already stated, there is a specific pecking
order ( LSDOU ).

Also keep in mind that there are two sides to each GPO: the computer
configuration side and the user configuration side. Generally speaking, any
settings that are set in the computer configuration side will affect only
computer account objects. You would link this GPO to an OU ( using the OU
as the main example; remember, there are actually four levels: Local, Site,
Domain, OU and sub-OU ) that contains the computer account objects. Should
there be any user account objects in this OU, they would not be affected by
this GPO. Likewise for the user configuration side.

I would suggest that you do not delete any GPOs [ remember, in the basic
interface there are two options: remove the link to that OU ( where the GPO
still exists, you just simply removed the link to that particular OU ) and
remove the link and delete the GPO ( where you not only remove the link to
that particular GPO, you also are deleting the GPO... be careful doing
this... ) ].

And you really do not want to remove the two default GPOs ( Default Domain
and Default Domain Controllers ) unless you have very specific reasons and
are quite aware of everything involved....

--
Cary W. Shultz
Roanoke, VA 24012
WIN2000 Active Directory MVP
http://www.activedirectory-win2000.com
(soon to be updated!!!)
http://www.grouppolicy-win2000.com
(soon to be updated!!!)

"Grace" <yyy@yyy.com> wrote in message
news:ewyLRtcyFHA.720@TK2MSFTNGP15.phx.gbl...
> Please advise:
>
> I have a small Windows 2000 domain: 200 users, 4 Win2k Servers, 4 Win2k3
> servers, 1 Exchange 5.5. I created an OU for Our Computers (had to name it
> differently since there already is a Computer container), with Workstations
> and Notebooks OUs below, and an OU for User Accounts. I have a Test OU and
> TSServer OU since I have a separate policy for TS users (works great BTW).
>
> At the moment, I have 2 policies: one for Our Computers OU - it has a few
> registry entries, security related, picked from the policy options, and a
> policy for User Accounts OU that locks down users. I don't have
> domain-level security policy (passwords, etc.) created yet.
> I am ready to implement Windows Update policy w/WSUS server - it works
> beautifully in test environment.
>
> I am not sure what's the best way to organize policies. I read somewhere
> that it's convenient to create a separate OU for all policies and just link
> them to OUs as needed. If yes, how do I disable then delete the current
> policies after recreating them for the new OU?
>
> Any pointers/advice from the real world greatly appreciated...
>
> Grace
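
The processing rules described in the reply above (LSDOU order, the last-applied GPO wins a conflict, separate computer and user sides, one GPO linked to more than one OU), as an added Python example that is not part of the original thread. It is a simplified model: the GPO names, settings and values are constructed, and enforced links, Block Inheritance, loopback and security filtering are not modelled.

```python
from dataclasses import dataclass, field

@dataclass
class GPO:
    name: str
    computer: dict = field(default_factory=dict)  # computer configuration side
    user: dict = field(default_factory=dict)      # user configuration side

def effective_settings(kind, ou_path, links, gpos, site="Site", domain="Domain"):
    """Resolve settings for one object. kind is 'computer' or 'user';
    ou_path lists the object's OUs from the top-level OU down to its own OU."""
    order = ["Local", site, domain] + list(ou_path)  # LSDOU, parent OU before sub-OU
    result = {}                                      # setting -> (value, winning GPO)
    for container in order:
        for name in links.get(container, []):
            # Only the side matching the object type is read from each GPO.
            for setting, value in getattr(gpos[name], kind).items():
                result[setting] = (value, name)      # applied later, so it wins
    return result

# Constructed sample data: GPO names, settings and values are hypothetical.
GPOS = {g.name: g for g in [
    GPO("Domain Security", computer={"MinPasswordLength": 8}),
    GPO("Computer Baseline", computer={"AutoUpdate": "notify",
                                       "WUServer": "http://wsus.example.test"}),
    GPO("Notebook Updates", computer={"AutoUpdate": "install"}),
    GPO("User Lockdown", user={"HideControlPanel": True}),
]}
LINKS = {
    "Domain": ["Domain Security"],
    "Our Computers": ["Computer Baseline"],
    "Notebooks": ["Notebook Updates"],
    "TSServer": ["Computer Baseline"],   # the same GPO linked to a second OU
    "User Accounts": ["User Lockdown"],
}

def demo():
    notebook = effective_settings("computer", ["Our Computers", "Notebooks"], LINKS, GPOS)
    stray_user = effective_settings("user", ["Our Computers"], LINKS, GPOS)
    staff_user = effective_settings("user", ["User Accounts"], LINKS, GPOS)
    return notebook, stray_user, staff_user

if __name__ == "__main__":
    labels = ("notebook", "user in Our Computers", "user in User Accounts")
    for label, res in zip(labels, demo()):
        print(label, res)
```

The second element of each result tuple names the GPO that supplied the value, which is the question to answer before unlinking or deleting anything.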