Best location for policies


Grace

Sorry about crossposting but I omitted these two newsgroups in my original
post.

Please advise:

I have a small Windows 2000 domain: 200 users, 4 Win2k Servers, 4 Win2k3
servers, 1 Exchange 5.5. I created an OU for Our Computers (had to name it
differently since there already is a Computer container), with Workstations
and Notebooks OUs below, and an OU for User Accounts. I have a Test OU and
TSServer OU since I have a separate policy for TS users (works great BTW).

At the moment, I have 2 policies: one for Our Computers OU - it has a few
registry entries, security related, picked from the policy options, and a
policy for User Accounts OU that locks down users. I don't have
domain-level security policy (passwords, etc.) created yet.
I am ready to implement Windows Update policy w/WSUS server - it works
beautifully in test environment.

I am not sure what's the best way to organize policies. I read somewhere
that it's convenient to create a separate OU for all policies and just link
them to OUs as needed. If yes, how do I disable then delete the current
policies after recreating them for the new OU?

Any pointers/advice from the real world greatly appreciated...

Grace
 
Honestly, with such a small domain I'd use the KISS method (keep it simple,
stupid). I'd create a servers OU, put all your servers in it and create a
WSUS GPO that sets AU options to 3 (download and prompt for install). Then
add a new GPO to the Our Computers OU that auto-installs and reboots at 3am
(AU option 4). The idea of a GPO-holder OU is a good one, but I see it more
in large environments. And to tell you the truth, that goes away once you
move to a 2003 domain and start using the Group Policy Management Console.

Again, this is a KISS approach to your situation. Any more detail gets into
the land of consulting - and as we all know that's not the kind of thing these
newsgroups are for. I wish you luck.

Jeff Centimano
MVP - Windows Server
 
That would be a great way if you only had windows 2000. In w2k and
w2k3 if you use the default group policy editor (which sucks) you need
to assign an OU when you create a GPO. If you use the GPMC (works with
wxp and w2k3) you can just create the GPO and after that link it to
whatever OU you want. The GPMC is VERY COOL. It provides lots of fun
stuff like backing up and restoring GPOs.
See:
http://www.microsoft.com/windowsserver2003/gpmc/default.mspx
http://www.microsoft.com/downloads/...24-8CBD-4B35-9272-DD3CBFC81887&displaylang=en
 
A GPO can be linked to multiple OUs at the same time, so if you decide to
have an OU as a place to have all of your GPOs, you just need to link the
GPOs you already have to that OU. You don't need to create a new GPO just
to collect them together in one place.

To "remove" a GPO from an OU:

in GPMC
right click the GPOs under the OU
click Delete.

You get a warning that this deletes the link, but not the GPO itself, which
is usually what you want to do anyway.

Before GPMC existed (or I knew about it), that's what I did - created an OU
for GPOs, created the GPOs linked to that OU then linked them to the other
OUs where they were really needed.

GPMC exposes a built-in container that has every GPO in the domain in it, so
the need for an OU to "house" the GPOs is considerably diminished or
eliminated with that tool. You can use the context menu for GPOs in this
container to delete the actual GPO, backup GPOs, etc.

GPMC is really an essential tool for working with GPOs, so if you don't have
it yet I strongly suggest you get it and use it
(http://www.microsoft.com/windowsserver2003/gpmc/default.mspx). You can
install this on any Windows XP, Windows 2000 or Windows 2003 computer to
manage GPOs in the domain, just like you can do with Active Directory Users
and Computers (adminpak.msi).
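
The layout discussed in this thread (a servers GPO with AU option 3, a workstation GPO with AU option 4 at 3am, each GPO created once and linked where needed, links removed without deleting the GPO) can also be scripted. This is an added example, not code from any poster: it assumes the GroupPolicy PowerShell module that ships with GPMC/RSAT on Windows Server 2008 R2 and later, and the domain DN, OU DNs, GPO names, WSUS URL, backup path and the `Set-Policy` helper are placeholders invented for the illustration.

```powershell
# Added example. Domain, OUs, GPO names, WSUS URL and backup path are placeholders.
Import-Module GroupPolicy

$domainDn = 'DC=example,DC=local'
$wuKey    = 'HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate'
$auKey    = "$wuKey\AU"
$wsusUrl  = 'http://wsus.example.local:8530'

# Hypothetical helper: write one registry-based policy value into a GPO.
function Set-Policy($Gpo, $Key, $Name, $Type, $Value) {
    Set-GPRegistryValue -Name $Gpo -Key $Key -ValueName $Name -Type $Type -Value $Value | Out-Null
}

# AUOptions 3 = download and prompt for install, 4 = scheduled install.
$plans = @(
    @{ Gpo = 'WSUS - Servers';      Ou = "OU=Servers,$domainDn";       AUOptions = 3 },
    @{ Gpo = 'WSUS - Workstations'; Ou = "OU=Our Computers,$domainDn"; AUOptions = 4 }
)

foreach ($p in $plans) {
    # The GPO is created unlinked; it lives in the domain's GPO container, not in an OU.
    if (-not (Get-GPO -Name $p.Gpo -ErrorAction SilentlyContinue)) {
        New-GPO -Name $p.Gpo | Out-Null
    }
    Set-Policy $p.Gpo $wuKey 'WUServer'       String $wsusUrl
    Set-Policy $p.Gpo $wuKey 'WUStatusServer' String $wsusUrl
    Set-Policy $p.Gpo $auKey 'UseWUServer'    DWord  1
    Set-Policy $p.Gpo $auKey 'AUOptions'      DWord  $p.AUOptions
    if ($p.AUOptions -eq 4) {
        Set-Policy $p.Gpo $auKey 'ScheduledInstallDay'  DWord 0   # 0 = every day
        Set-Policy $p.Gpo $auKey 'ScheduledInstallTime' DWord 3   # 03:00 local time
    }
    # Link only if this OU does not already carry a link to the GPO.
    $links = (Get-GPInheritance -Target $p.Ou).GpoLinks
    if ($links.DisplayName -notcontains $p.Gpo) {
        New-GPLink -Name $p.Gpo -Target $p.Ou -LinkEnabled Yes | Out-Null
    }
}

# One GPO, several links: apply the workstation policy to the Test OU as well.
$testOu = "OU=Test,$domainDn"
New-GPLink -Name 'WSUS - Workstations' -Target $testOu | Out-Null

# Removing the link deletes only the link; the GPO is still returned afterwards.
Remove-GPLink -Name 'WSUS - Workstations' -Target $testOu | Out-Null
Get-GPO -Name 'WSUS - Workstations' | Select-Object DisplayName, Id, GpoStatus

# Back up every GPO before restructuring or deleting (the folder must already exist).
Backup-GPO -All -Path 'C:\GpoBackups' | Out-Null
```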
 