questions on group policy - OU vs local computer GP (gpedit.msc)

[tractng]

Guys,

I was thinking about setting up GP on the OU level. How do I go about
setting the policies up if I want to use settings on both the users &
computer configurations? Remember that some of the settings are
available to either the users or computer configurations, but not both.

What if the users don't belong to that OU? Do I add them in the
"security" tab to so the policy applies to them as "read". I tried it
but no luck.

But when I use GP on the local policy using gpedit.msc, it works great.
No matter who logs in, the configuration works.


Thanks in advance.

Tony

 

[Dave Britt]

Tony

I would recommend that you configure a small lab environment for testing and
moving forward.

As a start it is common to seperate users from machines for example you may
have a "Workstations OU" with all of your computer accounts in. On this OU
you would configure you Computer Configuration. If you are looking for
different settings for Laptops vs Desktops you could create two OU's one for
Laptops and One for Desktops.

When the machine boots up you get the message "applying computer settings"
at which point the machine is querying Active Directory for all of the
policies that apply to that machine. It works this out by looking at Local
Policy, Site Policy, Domain Policy and the OU policy to find the machines
computer Account. Any group policy that have a Computer Configuration within
them are processed and effect the machine.

Users can then be created and seperated out into different Organisational
Units, maybe by Department or location, the key being create OU's where you
belive different groups of settings are required. For example you may have
an OU for sales which has very restrictive policy setting, however for
marketing may they need to be different.

The second phase of group policy is then when the user logs on and group
policy is processed again looking for all User Setting Local Machine, Site,
Domain and the OU for which the users account resides. Any Group Policy that
have User Configuration elements within them are processed and effect the
user.

Experiment in the Lab and come back for more info

 

[Gregorio Aranda]

Tony, I recommend you use for make easy on see the applications of the GPO,
the GPMC.

here you have the link

http://www.microsoft.com/downloads/...24-8cbd-4b35-9272-dd3cbfc81887&DisplayLang=en

Hope you will find this usefull,
Gregorio Aranda.

 

[Andreware]

I'm not trying to insult you, but let me clarify that:

Tony,

I recommend you use the GPMC, to make it easier to see how GPO is being
applied.

The link is:

http://www.microsoft.com/downloads/...24-8cbd-4b35-9272-dd3cbfc81887&DisplayLang=en

I hope this helps.

Gregorio Aranda

 

[Gregorio Aranda]

Sorry for my english, I'm spanish "from Spain" but I always try to help
everybody It is Internet, there is no skins and no language here.

¿Cómo va tu español?, El mío muy bien, gracias y controlo bastante como se
escribe, aunque pueda tener faltas ortográficas.
Translation:
How is going your spanish? mine fine, thanks. I almost write well, but maybe
you find some wrongs