

Windows 2000 Group Policies

Posted on 2001-06-13
Medium Priority
Last Modified: 2012-05-04
I am new to Windows 2000 Active Directory Services.  I am currently trying to set up Group Policies for our organization.

There will be three groups:
  Internet Users
  NonInternet Users

I have not been able to find any "good" information on how to get this set up.  If someone could please give me a step by step answer on how to do this!

Question by:seanselman

Expert Comment

ID: 6188303
I don't know how far you've already configured your stuff. Anyways, Group Policies can only be assigned to OUs (Organizational Units). These represent the hierarchical structure of the Active Directory.

Easiest would be to create three OUs and to put the users in there.

Expert Comment

ID: 6189397
Here's the skinny on GPOs

They can be applied to LOCAL MACHINES, DOMAINS, SITES, and OUs

The LOCAL GPO is always applied first.  You should not change the local policy of a machine.  This allows you to unscrew-up a machine after you screwed up a policy.

The Site Policy is applied next
then the Domain Policy
Then OU Policies are applied in the order of the OU hierarchy.

GPOs can be used to effectively control the registry on machines and for users.  If you control the registry, you basically control the machine's configuration.

GPOs can be used to deploy software also

1. GPOs are deployed through Active Directory, which requires a Domain Controller
2. GPOs only deploy to domain members.  They will not deploy to members of other domains within a tree.
3. Open Active Directory Users and Computers.
4. Create an OU by right mouse clicking the container where you want the OU to reside, then select New...Organizational Unit
5. Then right mouse click the OU and select Properties
6. Select the Group Policy tab
7. Click New...and name the GPO
8. Select EDIT

Computer Configuration and User Configuration basically do the same things EXCEPT the former requires a reboot and applies to the machine regardless of who's logged into it.  The latter requires a logon after the policy has been deployed and it applies to the logged in user regardless of which machine they are using.

Software Configuration is for deploying packaged applications...if you deploy the package in the Computer Configuration, the software will be installed when any of the machines in the OU is rebooted

Under Windows Settings is a Scripts object...this can be used to assign startup and shutdown scripts to machines and logon/logoff scripts to users.

Administrative templates are basically user friendly ways to control the registry.  

If the particular item you wish to edit is not in the template, you can actually write your own template file and import it.  This effectively allows you to deploy registry settings campus wide without having to touch the client machines.

I have successfully deployed GPOs at numerous companies and they are...without a doubt, the most important administrative tool added to Windows 2000.

Remember that GPOs are applied in layers..the last one applied always wins...there is a way to prevent this but it is not normally needed.

Hope this helps


Expert Comment

ID: 6189562
check the following, which may help you understand it:


Author Comment

ID: 6191743
Ok, I got the policies to work if the user is inside the OU.  But wouldn't it be easier to maintain the user list if all of the users were in the user directory under the root and only groups were added to the OU?

We are trying to do it this way to ease administration of users but the Policy does not appear to be getting applied to the member of the group if only the group is within the OU.

Expert Comment

ID: 6193328
Well, the OU will conflict if a user is in more than one group at the same time (which OU will then apply?). Thus I'd not take the group way, except if you design the OU structure so that it doesn't create conflicts.

Accepted Solution

rcasteel earned 300 total points
ID: 6193664
OUs are actually used as the group.  Groups (Security Groups) are containers for assigning permissions to and grouping users together with common security requirements.  Security Groups are basically used for assigning common security IDs so they can be referred to in ACLs for resources such as files.  Contrary to popular belief, ACLs are NOT stored in Active Directory. ACLs are stored wherever the resource that uses them is stored.  ACLs for files are stored with the file...

OUs are containers for delegating control and deploying software etc.  Basically you ARE putting the users in a group. The group just has to be an OU.

Since Groups reflect the security structure of your network, they aren't necessarily the best choice for representing the administrative structure of your network.  Since administrative needs are often different from the security needs, Microsoft uses OUs instead of groups.
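
The processing order and "last one applied wins" rule from the answers above, and the reason a policy linked to an OU misses a user whose account sits in the Users container, as an added example (not code from the thread). It is a simplified Python model: the domain name, OU names and setting names are constructed, DNs are split naively on commas, and the override-prevention option mentioned above is ignored.

```python
# Simplified model of GPO processing: Local, Site, Domain, then OUs from the
# top of the hierarchy down. All names and settings are constructed samples.

def container_chain(dn):
    """Return the domain and OUs that hold an object, outermost first."""
    parts = dn.split(",")[1:]                      # drop the object's own RDN
    dc_start = next(i for i, p in enumerate(parts)
                    if p.upper().startswith("DC="))
    chain = [",".join(parts[dc_start:])]           # the domain itself
    for i in range(dc_start - 1, -1, -1):          # parent-most OU first
        if parts[i].upper().startswith("OU="):     # CN=Users is not an OU
            chain.append(",".join(parts[i:]))
    return chain

def effective_settings(user_dn, local, site, links):
    """Merge layers in processing order; the last writer of a setting wins.

    Group membership is deliberately not an input: only the location of the
    user object decides which linked GPOs are processed.
    """
    result, source = {}, {}
    layers = [("local", local), ("site", site)]
    layers += [(c, links.get(c, {})) for c in container_chain(user_dn)]
    for name, settings in layers:
        for key, value in settings.items():
            result[key] = value
            source[key] = name                     # remember who set it last
    return result, source

# Constructed sample data (hypothetical setting names).
LOCAL = {"block_browser": 0}
SITE = {}
LINKS = {
    "DC=example,DC=local": {"block_browser": 0, "screensaver_secs": 600},
    "OU=NonInternet,DC=example,DC=local": {"block_browser": 1},
}
IN_OU = "CN=joe,OU=NonInternet,DC=example,DC=local"
# amy's account lives in the default Users container; only a group she
# belongs to was placed in the OU, so the OU's GPO is never processed for her.
IN_USERS = "CN=amy,CN=Users,DC=example,DC=local"

if __name__ == "__main__":
    for dn in (IN_OU, IN_USERS):
        print(dn, effective_settings(dn, LOCAL, SITE, LINKS))
```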


Expert Comment

ID: 6194372
rcasteel is right, BUT there is one drawback in OUs which I think MS could have done better: the OUs cannot be used like groups in the ACLs.

Author Comment

ID: 6195186
This seems like it is making user administration a nightmare....

Say I have a company of 1000 users, 40 different offices, and 5 different departments within those offices.  All administration is performed at one location.  The boss calls up and says that Joe Blow quit.  Now I need to look through 200 OUs to find where that user is to delete him!  I know you do an add member and find which "directory" the user is in but this still appears to be a huge design flaw on the side of MS.

Would it not be easier to maintain all users in a single location and have two different types of groups (one for file permissions and another for policies)???

Expert Comment

ID: 6195760
You have the GC (Global Catalog) for such stuff. It's not hard to locate items inside the AD. I'd rather say that the design flaw is the difference made between OUs and Groups.

Expert Comment

ID: 6197039


Question has a verified solution.
