Best location for policies

Thread starter: Grace

Grace

Please advise:

I have a small Windows 2000 domain: 200 users, 4 Win2k Servers, 4 Win2k3
servers, 1 Exchange 5.5. I created an OU for Our Computers (had to name it
differently since there already is a Computer container), with Workstations
and Notebooks OUs below, and an OU for User Accounts. I have a Test OU and
TSServer OU since I have a separate policy for TS users (works great BTW).

At the moment, I have 2 policies: one for Our Computers OU - it has a few
registry entries, security related, picked from the policy options, and a
policy for User Accounts OU that locks down users. I don't have
domain-level security policy (passwords, etc.) created yet.
I am ready to implement Windows Update policy w/WSUS server - it works
beautifully in test environment.

I am not sure what's the best way to organize policies. I read somewhere
that it's convenient to create a separate OU for all policies and just link
them to OUs as needed. If yes, how do I disable then delete the current
policies after recreating them for the new OU?

Any pointers/advice from the real world greatly appreciated...

Grace
 
First off, you already have a default domain Group Policy, and it has
password/account policy configured; of course you can modify it for your
needs.

You don't need to have a separate OU for each Group Policy. You can link a
number of Group Policies to an OU if needed. Keep in mind that Group Policy is
applied in this order -- local > site > domain > OU > child OU -- where, if you
have more than one Group Policy with identical settings defined, the setting
defined in the container closest to the user/computer applies unless there
is a Group Policy in the path with No Override enabled. If you have more
than one GPO linked to a container, keep in mind that they are applied from
the bottom up and the GPO at the top of the list has the highest priority.
So structure your OUs based on your total needs for organization, applying
Group Policy, and delegating authority to users. OUs could be all in a row
under the domain container or in a tree [or multiple trees] fashion,
depending on your needs. --- Steve
 
That would be a great way if you only had Windows 2000. In w2k and
w2k3, if you use the default group policy editor (which sucks) you need
to assign an OU when you create a GPO. If you use the GPMC (works with
wxp and w2k3) you can just create the GPO and after that link it to
whatever OU you want. The GPMC is VERY COOL. It provides lots of fun
stuff like backing up and restoring GPOs.
See:
http://www.microsoft.com/windowsserver2003/gpmc/default.mspx
http://www.microsoft.com/downloads/...24-8CBD-4B35-9272-DD3CBFC81887&displaylang=en
 
--- Jorge_de_Almeida_Pinto

Jorge, Steve, thanks for your advice. I will use GPMC and all should be
fine... ;-) Now, what about removing current policies if I need to rearrange
OUs? Do I just move users and they will be fine? What about computers?

Thanks,

Grace
 
You can simply unlink a Group Policy from an OU if you do not want to apply
it to that OU anymore. I would recommend that you do not delete unused GPOs
right away [never delete the default domain or domain controller GPO], as you
may want to refer to them for their settings or use them again. If, after a
period of time, you have unlinked them and are sure you have no need for them,
then you can delete them. The links below contain more details on linking
and unlinking Group Policies. --- Steve

http://www.microsoft.com/technet/pr...elp/2b7cfc5f-f4f2-4e33-b937-c6a52ffae0c6.mspx
http://www.microsoft.com/technet/pr...elp/5942c4ff-d9f3-41c5-a36b-74e74f777b51.mspx
 
Grace,

I think that you have some pretty good advice. Essentially you create an OU
structure that facilitates implementing GPOs. Also, remember, as already
stated, that you can create a GPO and link it to any OU. You can then go and
link that GPO to any other OU as you deem necessary. Just remember that if
you have any conflicting settings, the GPO that is applied last wins. And,
as already stated, there is a specific pecking order ( LSDOU ).

Also keep in mind that there are two sides to each GPO: the computer
configuration side and the user configuration side. Generally speaking, any
settings that are set in the computer configuration side will affect only
computer account objects. You would link this GPO to an OU ( using the OU
as the main example; remember, there are actually four levels: Local, Site,
Domain, OU and sub-OU ) that contains the computer account objects. Should
there be any user account objects in this OU they would not be affected by
this GPO. Likewise for the user configuration side.

I would suggest that you do not delete any GPOs [ remember, in the basic
interface there are two options: remove the link to that OU ( where the GPO
still exists, you just simply removed the link to that particular OU ) and
remove the link and delete the GPO ( where you not only remove the link to
that particular GPO, you also are deleting the GPO....be careful doing
this... )].

And you really do not want to remove the two default GPOs ( Default Domain
and Default Domain Controllers ) unless you have very specific reasons and
are quite aware of everything involved....

--
Cary W. Shultz
Roanoke, VA 24012

WIN2000 Active Directory MVP
http://www.activedirectory-win2000.com
(soon to be updated!!!)
http://www.grouppolicy-win2000.com
(soon to be updated!!!)
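The GPMC workflow that Steve and Cary describe (create a GPO unlinked, link it to several OUs, use link order and No Override/Enforced for precedence, and unlink rather than delete when retiring a policy) as an added PowerShell example. This is not code from anyone in the thread: it assumes the GroupPolicy module (Windows Server 2008 R2 or later, or RSAT, so newer than the w2k/w2k3 boxes discussed here), an assumed domain example.local, the OU names Grace lists, and an assumed backup path.

```powershell
# Added example (not from any poster in this thread). Assumes the GroupPolicy
# PowerShell module, an assumed domain example.local with Grace's OU layout,
# and an account allowed to create and link GPOs.
Import-Module GroupPolicy

$dn      = 'DC=example,DC=local'                 # assumed domain
$ouComp  = "OU=Our Computers,$dn"
$ouWks   = "OU=Workstations,$ouComp"
$ouNote  = "OU=Notebooks,$ouComp"
$ouUsers = "OU=User Accounts,$dn"

# 1. Create the GPOs first, with no link at all (the GPMC way), then link.
$secGpo  = New-GPO -Name 'Our Computers - Security Settings' -Comment 'Computer-side security/registry settings'
$wsusGpo = New-GPO -Name 'Windows Update - WSUS'           -Comment 'Point clients at the WSUS server'
$lockGpo = New-GPO -Name 'User Accounts - Lockdown'        -Comment 'User-side lockdown'

# 2. One GPO can be linked to several OUs. -Order 1 puts a link at the top of
#    the container's list, which is the highest priority among that OU's links.
New-GPLink -Guid $secGpo.Id  -Target $ouComp  -LinkEnabled Yes -Order 1 | Out-Null
New-GPLink -Guid $wsusGpo.Id -Target $ouWks   -LinkEnabled Yes | Out-Null
New-GPLink -Guid $wsusGpo.Id -Target $ouNote  -LinkEnabled Yes | Out-Null
New-GPLink -Guid $lockGpo.Id -Target $ouUsers -LinkEnabled Yes | Out-Null

# 3. "No Override" in the Win2k editor is "Enforced" in GPMC: an enforced link
#    wins over conflicting settings in child OUs and cannot be blocked below it.
Set-GPLink -Guid $secGpo.Id -Target $ouComp -Enforced Yes | Out-Null

# 4. Check what a computer in Workstations really gets. GpoLinks are the OU's
#    own links; InheritedGpoLinks is every link that applies (own, parent OU,
#    domain, site) with Order 1 being the highest precedence.
$inh = Get-GPInheritance -Target $ouWks
$inh.GpoLinks          | Select-Object Order, DisplayName, Enabled, Enforced
$inh.InheritedGpoLinks | Select-Object Order, DisplayName, Enabled, Enforced

# 5. Retiring a policy safely: disable the link, later remove the link (the GPO
#    object still exists), back it up, and only then consider deleting it.
#    The Default Domain and Default Domain Controllers GPOs are never touched.
Set-GPLink    -Guid $lockGpo.Id -Target $ouUsers -LinkEnabled No | Out-Null
Remove-GPLink -Guid $lockGpo.Id -Target $ouUsers | Out-Null
Backup-GPO    -Guid $lockGpo.Id -Path 'C:\GPOBackups' -Comment 'pre-delete'   # assumed path
# Remove-GPO -Guid $lockGpo.Id   # deletes the GPO itself; left commented out on purpose
```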
 