Windows 2000 Group Policies

Posted on 2001-06-13
Last Modified: 2012-05-04
I am new to Windows 2000 Active Directory Services.  I am currently trying to set up Group Policies for our organization.

There will be three groups:
  Administrators
  Internet Users
  NonInternet Users

I have not been able to find any "good" information on how to get this set up.  If someone could please give me a step by step answer on how to do this!

Question by:seanselman
10 Comments
 
LVL 14

Expert Comment

by:AvonWyss
ID: 6188303
I don't know how far you've already configured your stuff. Anyway, Group Policies can only be assigned to OUs (Organizational Units). These represent the hierarchical structure of the Active Directory.

Easiest would be to create three OUs and to put the users in there.
0
 
LVL 3

Expert Comment

by:rcasteel
ID: 6189397
Here's the skinny on GPOs

They can be applied to LOCAL MACHINES, DOMAINS, SITES, and OUs

The LOCAL GPO is always applied first.  You should not change the local policy of a machine.  This allows you to unscrew-up a machine after you screwed up a policy.

The Site Policy is applied next
then the Domain Policy
Then OU Policies are applied in the order of the OU hierarchy.

GPOs can be used to effectively control the registry on machines and for users.  If you control the registry, you basically control the machines configuration.  

GPOs can be used to deploy software also

1. GPOs are deployed through Active Directory, which requires a Domain Controller.
2. GPOs only deploy to domain members.  They will not deploy to members of other domains within a tree.
3. Open Active Directory Users and Computers.
4. Create an OU by right-clicking the container where you want the OU to reside, then select New...Organizational Unit.
5. Then right-click the OU and select Properties.
6. Select the Group Policy tab.
7. Click New... and name the GPO.
8. Select EDIT.

Computer Configuration and User Configuration basically do the same things EXCEPT the former requires a reboot and applies to the machine regardless of who's logged into it.  The latter requires a logon after the policy has been deployed and it applies to the logged-in user regardless of which machine they are using.

Software Configuration is for deploying packaged applications...if you deploy the package in the Computer Configuration, the software will be installed when any of the machines in the OU is rebooted

Under Windows Settings is a Scripts object...this can be used to assign startup and shutdown scripts to machines and logon/logoff scripts to users.

Administrative templates are basically user friendly ways to control the registry.  

If the particular item you wish to edit is not in the template, you can actually write your own template file and import it.  This effectively allows you to deploy registry settings campus wide without having to touch the client machines.

I have successfully deployed GPOs at numerous companies and they are...without a doubt, the most important administrative tool added to Windows 2000.

Remember that GPOs are applied in layers..the last one applied always wins...there is a way to prevent this but it is not normally needed.

Hope this helps


0
 
LVL 3

Expert Comment

by:huben
ID: 6189562
Check the following, which may help you understand it:
http://support.microsoft.com/servicedesks/Webcasts/WC033000/WCBLURB033000.ASP
0

Author Comment

by:seanselman
ID: 6191743
Ok, I got the policies to work if the user is inside the OU.  But wouldn't it be easier to maintain the user list if all of the users were in the user directory under the root and only groups were added to the OU?

We are trying to do it this way to ease administration of users but the Policy does not appear to be getting applied to the member of the group if only the group is within the OU.
0
 
LVL 14

Expert Comment

by:AvonWyss
ID: 6193328
Well, the OU will conflict if a user is in more than one group at the same time (which OU will then apply?). Thus I'd not take the group way, except if you design the OU structure so that it doesn't create conflicts.
0
 
LVL 3

Accepted Solution

by:
rcasteel earned 300 total points
ID: 6193664
OUs are actually used as the group.  Groups (Security Groups) are containers for assigning permissions to and grouping users together with common security requirements.  Security Groups are basically used for assigning common security IDs so they can be referred to in ACLs for resources such as files.  Contrary to popular belief, ACLs are NOT stored in Active Directory. ACLs are stored wherever the resource that uses them is stored.  ACLs for files are stored with the file...

OUs are containers for delegating control and deploying software etc.  Basically you ARE putting the users in a group. The group just has to be an OU.

Since Groups reflect the security structure of your network, they aren't necessarily the best choice for representing the administrative structure of your network.  Since administrative needs are often different from the security needs, Microsoft uses OUs instead of groups.



0
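The processing order rcasteel describes (local, site, domain, then OUs in hierarchy order, last one applied wins) and the asker's observation that a policy linked to an OU reaches a user only when the user object itself sits in that OU, as an added example that is not part of the original thread. It is a simplified Python model: the DNs, site name, GPO names and the `InternetAccess` setting are constructed for illustration, and it ignores any mechanism that changes the default layering.

```python
# Simplified model of Group Policy layering; all names and values are constructed.

def containers_for(dn):
    """Domain and OU containers above an object, outermost first.
    Assumes DNs without escaped commas."""
    parents = [p.strip() for p in dn.split(",")][1:]  # drop the object's own RDN
    domain = ",".join(p for p in parents if p.upper().startswith("DC="))
    chain, path = [domain], domain
    # CN= containers such as CN=Users are skipped: they are not OUs.
    for ou in reversed([p for p in parents if p.upper().startswith("OU=")]):
        path = f"{ou},{path}"
        chain.append(path)
    return chain

def applied_gpos(user_dn, site, links):
    """GPO names in processing order: local, site, domain, then OUs."""
    order = ["Local Policy"] + links.get(f"site:{site}", [])
    for container in containers_for(user_dn):
        order += links.get(container, [])
    return order

def effective_settings(user_dn, site, links, gpo_settings):
    """Merge settings layer by layer; the last GPO applied wins."""
    result = {}
    for gpo in applied_gpos(user_dn, site, links):
        for name, value in gpo_settings.get(gpo, {}).items():
            result[name] = (value, gpo)  # a later layer overwrites an earlier one
    return result

# Constructed directory: GPO links per container and the settings each GPO carries.
LINKS = {
    "site:HQ": ["HQ Site Policy"],
    "DC=example,DC=com": ["Domain Policy"],
    "OU=NonInternet Users,DC=example,DC=com": ["No Internet"],
}
GPO_SETTINGS = {
    "Domain Policy": {"InternetAccess": "allowed", "Wallpaper": "corp.bmp"},
    "No Internet": {"InternetAccess": "blocked"},
}
# Joe's user object is inside the OU. Ann stays in CN=Users and is only a member
# of a security group placed in the OU; group location is not an input here.
JOE = "CN=Joe,OU=NonInternet Users,DC=example,DC=com"
ANN = "CN=Ann,CN=Users,DC=example,DC=com"

if __name__ == "__main__":
    for dn in (JOE, ANN):
        print(dn, applied_gpos(dn, "HQ", LINKS),
              effective_settings(dn, "HQ", LINKS, GPO_SETTINGS))
```
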
 
LVL 14

Expert Comment

by:AvonWyss
ID: 6194372
rcasteel is right, BUT there is one drawback in OUs which I think MS could have done better: the OUs cannot be used like groups in the ACLs.
0
 

Author Comment

by:seanselman
ID: 6195186
This seems like it is making user administration a nightmare....

Say I have a company of 1000 users, 40 different offices, and 5 different departments within those offices.  All administration is performed at one location.  The boss calls up and says that Joe Blow quit.  Now I need to look through 200 OUs to find where that user is to delete him!  I know you do an add member and find which "directory" the user is in but this still appears to be a huge design flaw on the side of MS.

Would it not be easier to maintain all users in a single location and have two different types of groups (one for file permissions and another for policies)???
0
 
LVL 14

Expert Comment

by:AvonWyss
ID: 6195760
You have the GC (Global Catalog) for such stuff. It's not hard to locate items inside the AD. I'd rather say that the design flaw is the difference made between OUs and Groups.
0
 
LVL 3

Expert Comment

by:rcasteel
ID: 6197039
Simply open ACTIVE DIRECTORY USERS AND COMPUTERS and select FIND...
0

Question has a verified solution.
