Best way to apply policy to all computers except servers

  • Thread starter: Deb H

Deb H

Trying to decide what the best way is to apply certain features such as event
log settings and other computer-related GPO settings. Currently I have all
computers in their OUs designed by location. Should I also create a group and
add all computers to the group, then add the group to a certain policy affecting
the event logs? Or should I adjust all the OUs?
 
Deb,

Deb said:
Trying to decide what the best way is to apply certain features such as event
log settings and other computer-related GPO settings. Currently I have all
computers in their OUs designed by location. Should I also create a group and
add all computers to the group, then add the group to a certain policy affecting
the event logs? Or should I adjust all the OUs?

avoid security filtering (that is tweaking permissions on the Group
Policy) as far as you can. That slows down Group Policy application. If
possible, re-organize the OU structure so that you can create and add
your GPOs more easily or link the policy in question to multiple
locations in the hierarchy.

cheers,

Florian
 
We have our OU structure set up as follows (simplified):

MAIN OU (Contains our client PCs and users)
--- SERVERS OU (Servers only under the Main OU)

The main OU has server Policies applied to it (Default domain policy,
Firewall, WSUS for clients, etc).
The Server OU has only two set for it (Remote Desktop setting and WSUS).

Yet, I can see from GPMC that the parent OU's Group Policies are being
inherited to the Server OU. Can I simply select 'block inheritance' to
prevent these unwanted ones from being applied (i.e., Client Firewall, WSUS
for Clients)?


Florian Frommherz said:
Deb,

Deb said:
Trying to decide what the best way is to apply certain features such as
event log settings and other computer-related GPO settings. Currently I
have all computers in their OUs designed by location. Should I also
create a group and add all computers to the group, then add the group to a
certain policy affecting the event logs? Or should I adjust all the OUs?

avoid security filtering (that is tweaking permissions on the Group
Policy) as far as you can. That slows down Group Policy application. If
possible, re-organize the OU structure so that you can create and add your
GPOs more easily or link the policy in question to multiple locations in
the hierarchy.

cheers,

Florian
--
Microsoft MVP - Group Policy
eMail: prename [at] frickelsoft [dot] net.
blog: http://www.frickelsoft.net/blog.
Maillist (german): http://frickelsoft.net/cms/index.php?page=mailingliste
 
Barkley said:
We have our OU structure set up as follows (simplified):

MAIN OU (Contains our client PCs and users)
--- SERVERS OU (Servers only under the Main OU)

IMHO, the easiest way to handle it:
MAIN OU
- Link all GPOs that are for both kinds of computers
--- SERVERS OU
- link only GPOs with server settings
--- WORKSTATIONS OU
- link only GPOs with special client settings

Mark
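
The layout Mark describes, sketched with the ActiveDirectory and GroupPolicy PowerShell modules as an added example that is not part of any post in this thread. The domain DN, the OU names and the GPO names are assumptions, and the script assumes the client-only GPOs are currently linked at the MAIN OU; it ends by checking what the SERVERS OU still inherits.

```powershell
# Added example: every name below is an assumption, not a value from the thread.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$mainOu     = 'OU=MAIN,DC=example,DC=com'     # placeholder domain DN
$serversOu  = "OU=SERVERS,$mainOu"
$wksOu      = "OU=WORKSTATIONS,$mainOu"
# Hypothetical names for the GPOs that should reach clients only.
$clientGpos = 'Client Firewall', 'WSUS for Clients', 'Workstation Event Log'

# 1. Create the sibling OU that will hold the client computers.
New-ADOrganizationalUnit -Name 'WORKSTATIONS' -Path $mainOu

# 2. Move client computer objects that sit directly in MAIN.
#    Objects with an empty OperatingSystem attribute are left in place
#    for manual review. Append -WhatIf to Move-ADObject for a dry run.
Get-ADComputer -SearchBase $mainOu -SearchScope OneLevel -Filter * `
        -Properties OperatingSystem |
    Where-Object { $_.OperatingSystem -and
                   $_.OperatingSystem -notlike '*Server*' } |
    Move-ADObject -TargetPath $wksOu

# 3. Re-link the client-only GPOs one level down, then drop the link on
#    MAIN so the SERVERS OU no longer inherits them.
foreach ($gpo in $clientGpos) {
    New-GPLink    -Name $gpo -Target $wksOu  -LinkEnabled Yes
    Remove-GPLink -Name $gpo -Target $mainOu
}

# 4. Verify: list what SERVERS inherits and flag any client-only GPO
#    that still reaches it, without using Block Inheritance.
$inh = Get-GPInheritance -Target $serversOu
"Block inheritance set on SERVERS: $($inh.GpoInheritanceBlocked)"
$inh.InheritedGpoLinks | Select-Object Order, DisplayName, Enforced

$leaked = $inh.InheritedGpoLinks |
    Where-Object { $_.DisplayName -in $clientGpos }
if ($leaked) {
    Write-Warning ("Client GPOs still applied to servers: " +
                   ($leaked.DisplayName -join ', '))
}
```

GPOs meant for both kinds of computers stay linked at MAIN; links marked Enforced on a parent still apply even when a child OU blocks inheritance, which is why the check reads the inherited list rather than the block flag alone.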
 