Solved

Windows 2000 Group Policies

Posted on 2001-06-13
Last Modified: 2012-05-04
I am new to Windows 2000 Active Directory Services.  I am currently trying to set up Group Policies for our organization.

There will be three groups:
  Administrators
  Internet Users
  NonInternet Users

I have not been able to find any "good" information on how to get this set up.  If someone could please give me a step by step answer on how to do this!

Question by:seanselman
10 Comments
 
LVL 14

Expert Comment

by:AvonWyss
ID: 6188303
I don't know how far you've already configured your stuff. Anyway, Group Policies can only be assigned to OUs (Organizational Units). These represent the hierarchical structure of the Active Directory.

Easiest would be to create three OUs and to put the users in there.
0
 
LVL 3

Expert Comment

by:rcasteel
ID: 6189397
Here's the skinny on GPOs

They can be applied to LOCAL MACHINES, DOMAINS, SITES, and OUs

The LOCAL GPO is always applied first.  You should not change the local policy of a machine.  This allows you to unscrew-up a machine after you screwed up a policy.

The Site Policy is applied next
then the Domain Policy
Then OU Policies are applied in the order of the OU hierarchy.

GPOs can be used to effectively control the registry on machines and for users.  If you control the registry, you basically control the machine's configuration.

GPOs can be used to deploy software also

1. GPOs are deployed through Active Directory, which requires a Domain Controller
2. GPOs only deploy to domain members.  They will not deploy to members of other domains within a tree.
3. open active directory users and computers.
4. create an OU by Right mouse clicking the container where you want the OU to reside, then select new...Organizational Unit
5. then Right Mouse click the OU and select Properties
6. select the Group policy tab
7. Click New...and name the GPO
8. select EDIT

Computer Configuration and User Configuration basically do the same things EXCEPT the former requires a reboot and applies to the machine regardless of who's logged into it.  The latter requires a logon after the policy has been deployed and it applies to the logged-in user regardless of which machine they are using.

Software Configuration is for deploying packaged applications...if you deploy the package in the Computer Configuration, the software will be installed when any of the machines in the OU is rebooted

Under Windows Settings is a Scripts object...this can be used to assign startup and shutdown scripts to machines and logon/logoff scripts to users.

Administrative templates are basically user friendly ways to control the registry.  

If the particular item you wish to edit is not in the template, you can actually write your own template file and import it.  This effectively allows you to deploy registry settings campus wide without having to touch the client machines.

I have successfully deployed GPOs at numerous companies and they are...without a doubt, the most important administrative tool added to Windows 2000.

Remember that GPOs are applied in layers..the last one applied always wins...there is a way to prevent this but it is not normally needed.

Hope this helps


0
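The ADUC steps listed above, rendered as PowerShell; this is an added example, not code from the original post or from Microsoft. It assumes the RSAT ActiveDirectory and GroupPolicy modules (which postdate Windows 2000, so it runs from a newer admin workstation against the domain), uses the three OUs from the question, reads the domain name from the environment, and uses IE's "Prevent changing proxy settings" registry location as the sample Administrative Templates setting (verify the key against your own templates).

```powershell
# Added example: PowerShell equivalent of steps 3-8 above (create OUs, create and link GPOs,
# set one registry-backed policy, inspect the layering). Requires RSAT ActiveDirectory + GroupPolicy.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domainDN = (Get-ADDomain).DistinguishedName          # e.g. DC=example,DC=local (read from the domain)
$ous      = 'Administrators', 'Internet Users', 'NonInternet Users'

foreach ($ou in $ous) {
    $ouDN = "OU=$ou,$domainDN"
    # Step 4: create the OU directly under the domain root (skipped if it already exists).
    if (-not (Get-ADOrganizationalUnit -Filter "DistinguishedName -eq '$ouDN'")) {
        New-ADOrganizationalUnit -Name $ou -Path $domainDN -ProtectedFromAccidentalDeletion $true
    }
    # Steps 5-7: one GPO per OU, linked to that OU, keeps the layering easy to read.
    $gpoName = "$ou Policy"
    if (-not (Get-GPO -All | Where-Object DisplayName -eq $gpoName)) {
        New-GPO -Name $gpoName -Comment "Settings for the '$ou' OU" | Out-Null
    }
    New-GPLink -Name $gpoName -Target $ouDN -LinkEnabled Yes -ErrorAction SilentlyContinue | Out-Null
}

# Step 8 equivalent: an Administrative Templates item is just a registry value under
# HKCU\Software\Policies (User Configuration, so it applies at the user's next logon).
# This is IE's "Prevent changing proxy settings" policy (assumed location; check your ADM/ADMX):
# users in the NonInternet OU cannot repoint their browser at another proxy.
Set-GPRegistryValue -Name 'NonInternet Users Policy' `
    -Key 'HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel' `
    -ValueName 'Proxy' -Type DWord -Value 1 | Out-Null

# The layers that reach one OU: site and domain links are inherited, the OU's own link comes
# last and therefore wins on conflicts (lowest Order = highest precedence = processed last).
# "Block Inheritance" (Set-GPInheritance -Target $ouDN -IsBlocked Yes) is the "way to prevent
# this" mentioned above; an Enforced link on a parent overrides the block.
$inh = Get-GPInheritance -Target "OU=NonInternet Users,$domainDN"
$inh.InheritedGpoLinks | Select-Object Order, DisplayName, Enforced, Enabled | Format-Table -AutoSize
```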
 
LVL 3

Expert Comment

by:huben
ID: 6189562
check the following, which may help you understand it:
http://support.microsoft.com/servicedesks/Webcasts/WC033000/WCBLURB033000.ASP
0
 

Author Comment

by:seanselman
ID: 6191743
Ok, I got the policies to work if the user is inside the OU.  But wouldn't it be easier to maintain the user list if all of the users were in the user directory under the root and only groups were added to the OU?

We are trying to do it this way to ease administration of users but the Policy does not appear to be getting applied to the member of the group if only the group is within the OU.
0
 
LVL 14

Expert Comment

by:AvonWyss
ID: 6193328
Well, the OU will conflict if a user is in more than one group at the same time (which OU will then apply?). Thus I'd not take the group way, except if you design the OU structure so that it doesn't create conflicts.
0

 
LVL 3

Accepted Solution

by: rcasteel earned 100 total points
ID: 6193664
OUs are actually used as the group.  Groups (Security Groups) are containers for assigning permissions to and grouping users together with common security requirements.  Security Groups are basically used for assigning common security IDs so they can be referred to in ACLs for resources such as files.  Contrary to popular belief, ACLs are NOT stored in Active Directory. ACLs are stored wherever the resource that uses them is stored.  ACLs for files are stored with the file...

OUs are containers for delegating control and deploying software etc.  Basically you ARE putting the users in a group. The group just has to be an OU.

Since Groups reflect the security structure of your network, they aren't necessarily the best choice for representing the administrative structure of your network.  Since administrative needs are often different from the security needs, Microsoft uses OUs instead of groups.



0
 
LVL 14

Expert Comment

by:AvonWyss
ID: 6194372
rcasteel is right, BUT there is one drawback in OUs which I think MS could have done better: the OUs cannot be used like groups in the ACLs.
0
 

Author Comment

by:seanselman
ID: 6195186
This seems like it is making user administration a nightmare....

Say I have a company of 1000 users, 40 different offices, and 5 different departments within those offices.  All administration is performed at one location.  The boss calls up and says that Joe Blow quit.  Now I need to look through 200 OUs to find where that user is to delete him!  I know you do an add member and find which "directory" the user is in, but this still appears to be a huge design flaw on the side of MS.

Would it not be easier to maintain all users in a single location and have two different types of groups (one for file permissions and another for policies)???
0
 
LVL 14

Expert Comment

by:AvonWyss
ID: 6195760
You have the GC (Global Catalog) for such stuff. It's not hard to locate items inside the AD. I'd rather say that the design flaw is the difference made between OUs and Groups.
0
 
LVL 3

Expert Comment

by:rcasteel
ID: 6197039
simply open ACTIVE DIRECTORY USERS AND COMPUTERS and select FIND...
0
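The Find operation suggested above, as an added PowerShell example (not from the original thread): it locates an account regardless of which of the OUs it sits in and reports the two things this thread keeps apart, the OU (which decides policy) and the security groups (which decide ACLs). It assumes the RSAT ActiveDirectory and GroupPolicy modules; 'jblow' and the DC name are placeholders.

```powershell
# Added example: locate a user without browsing the OU tree, then show what the location means.
Import-Module ActiveDirectory
Import-Module GroupPolicy

function Find-UserLocation {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [string]$Server = $null          # e.g. 'dc01:3268' to query the Global Catalog forest-wide
    )
    $params = @{ Filter = "SamAccountName -eq '$SamAccountName'"; Properties = 'MemberOf' }
    if ($Server) { $params.Server = $Server }
    $user = Get-ADUser @params
    if (-not $user) { return $null }

    # The OU is the parent of the user's distinguished name: everything after the first
    # unescaped comma (a CN such as "Blow\, Joe" contains an escaped comma, so skip those).
    $ouDN = ($user.DistinguishedName -split '(?<!\\),', 2)[1]

    [pscustomobject]@{
        User          = $user.SamAccountName
        OU            = $ouDN                      # policy scope: GPOs linked here (and above) apply
        AppliedGPOs   = (Get-GPInheritance -Target $ouDN).InheritedGpoLinks.DisplayName
        SecurityGroups = $user.MemberOf            # ACL scope: what the account can access
    }
}

# Placeholder account name; once found, the OU tells you where to act on the object.
Find-UserLocation -SamAccountName 'jblow' | Format-List
```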
