Windows 2000 Group Policies

I am new to Windows 2000 Active Directory Services.  I am currently trying to set up Group Policies for our organization.

There will be three groups:
  Internet Users
  NonInternet Users

I have not been able to find any "good" information on how to get this set up.  If someone could please give me a step by step answer on how to do this!

rcasteel Commented:
OUs are actually used as the group.  Groups (Security Groups) are containers for assigning permissions to and grouping users together with common security requirements.  Security Groups are basically used for assigning common security IDs so they can be referred to in ACLs for resources such as files.  Contrary to popular belief, ACLs are NOT stored in Active Directory. ACLs are stored wherever the resource that uses them is stored.  ACLs for files are stored with the file...

OUs are containers for delegating control and deploying software etc.  Basically you ARE putting the users in a group. The group just has to be an OU.

Since Groups reflect the security structure of your network, they aren't necessarily the best choice for representing the administrative structure of your network.  Since administrative needs are often different from the security needs, Microsoft uses OUs instead of groups.

I don't know how far you've already configured your stuff. Anyways, Group Policies can only be assigned to OUs (Organizational Units). These represent the hierarchical structure of the Active Directory.

Easiest would be to create three OUs and to put the users in there.
Here's the skinny on GPOs

They can be applied to LOCAL MACHINES, DOMAINS, SITES, and OUs

The LOCAL GPO is always applied first.  You should not change the local policy of a machine.  This allows you to unscrew-up a machine after you screwed up a policy.

The Site Policy is applied next
then the Domain Policy
Then OU Policies are applied in the order of the OU hierarchy.

GPOs can be used to effectively control the registry on machines and for users.  If you control the registry, you basically control the machine's configuration.

GPOs can be used to deploy software also

1. GPOs are deployed through Active Directory, which requires a Domain Controller
2. GPOs only deploy to domain members.  They will not deploy to members of other domains within a tree.
3. Open Active Directory Users and Computers.
4. create an OU by Right mouse clicking the container where you want the OU to reside, then select new...Organizational Unit
5. then Right Mouse click the OU and select Properties
6. select the Group policy tab
7. Click New...and name the GPO
8. select EDIT

Computer Configuration and User Configuration basically do the same things EXCEPT the former requires a reboot and applies to the machine regardless of who's logged into it.  The latter requires a logon after the policy has been deployed and it applies to the logged-in user regardless of which machine they are using.

Software Configuration is for deploying packaged applications...if you deploy the package in the Computer Configuration, the software will be installed when any of the machines in the OU is rebooted

Under Windows settings is a Scripts object...this can be used to assign startup and shutdown scripts to machines and logon/logoff scripts to users.

Administrative templates are basically user friendly ways to control the registry.  

If the particular item you wish to edit is not in the template, you can actually write your own template file and import it.  This effectively allows you to deploy registry settings campus wide without having to touch the client machines.

I have successfully deployed GPOs at numerous companies and they are...without a doubt, the most important administrative tool added to Windows 2000.

Remember that GPOs are applied in layers..the last one applied always wins...there is a way to prevent this but it is not normally needed.

Hope this helps


check the following, which may help you understand it:
seanselman (Author) Commented:
Ok, I got the policies to work if the user is inside the OU.  But wouldn't it be easier to maintain the user list if all of the users were in the user directory under the root and only groups were added to the OU?

We are trying to do it this way to ease administration of users but the Policy does not appear to be getting applied to the member of the group if only the group is within the OU.
Well, the OU will conflict if a user is in more than one group at the same time (which OU will then apply?). Thus I'd not take the group way, except if you design the OU structure so that it doesn't create conflicts.
rcasteel is right, BUT there is one drawback in OUs which I think MS could have done better: the OUs cannot be used like groups in the ACLs.
seanselman (Author) Commented:
This seems like it is making user administration a nightmare....

Say I have a company of 1000 users, 40 different offices, and 5 different departments within those offices.  All administration is performed at one location.  The boss calls up and says that Joe Blow quit.  Now I need to look through 200 OUs to find where that user is to delete him!  I know you do an add member and find which "directory" the user is in but this still appears to be a huge design flaw on the side of MS.

Would it not be easier to maintain all users in a single location and have two different types of groups (one for file permissions and another for policies)???
You have the GC (Global Catalog) for such stuff. It's not hard to locate items inside the AD. I'd rather say that the design flaw is the difference made between OUs and Groups.
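
The processing order rcasteel describes (local, site, domain, then OUs down the hierarchy, last one applied wins) and the behaviour seanselman reports (a group placed in an OU does not bring its members under that OU's policy) can be modelled in a few lines. This is an added example, not code from any participant in the thread; the domain name, OU names, user names and setting names are all constructed, and every object is assumed to live in the one domain shown.

```python
# Constructed model of Group Policy scoping; every DN and setting name is hypothetical.
DOMAIN = "DC=example,DC=local"

def containers(dn):
    """Containers whose linked GPOs reach the object at dn, in processing order."""
    parts = [p.strip() for p in dn.split(",")][1:]   # drop the object's own RDN
    chain = ["local", "site", DOMAIN]                 # local, then site, then domain
    for i in range(len(parts) - 1, -1, -1):           # then OUs, outermost first
        if parts[i].upper().startswith("OU="):
            chain.append(",".join(parts[i:]))
    return chain

def effective_policy(user_dn, links):
    """Apply each layer in order; the last layer to set a value wins."""
    result = {}
    for container in containers(user_dn):
        for name, value in links.get(container, {}).items():
            result[name] = (value, container)         # keep the winning source too
    return result

NONET_OU = "OU=NonInternet Users," + DOMAIN
HELPDESK_OU = "OU=Helpdesk," + NONET_OU
LINKS = {
    "local": {"internet_access": "allowed"},
    DOMAIN: {"internet_access": "allowed", "control_panel": "hidden"},
    NONET_OU: {"internet_access": "blocked"},
    HELPDESK_OU: {"control_panel": "visible"},
}

# Joe's user object sits inside the OU, so the OU-linked GPO reaches him.
JOE = "CN=Joe Blow," + NONET_OU
# Ann's user object sits in the default Users container. She belongs to a
# security group whose group object lives in the OU, but membership plays no
# part in the lookup: only the position of her own user object counts.
ANN = "CN=Ann,CN=Users," + DOMAIN
# Lee sits in a child OU and inherits the parent OU's GPO before his own.
LEE = "CN=Lee," + HELPDESK_OU

if __name__ == "__main__":
    for dn in (JOE, ANN, LEE):
        print(dn, effective_policy(dn, LINKS))
```

Recording the container that supplied each winning value makes it easy to answer "why did this user get that setting" when several layers touch the same item.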