jhutch2000
asked on
How can group policy be applied to groups of computers
We currently have around 2200 machines running Windows 2000 on a Server 2000 network, and have been trying to get computers divided into groups so that some startup scripts can be run on them based on their locations. At the moment it is not an option to divide the computers into separate OUs as each computer will probably want to be in more than one group.
The basic questions that I am trying to get answered are, can you apply group policy to a group of computers and if so how?
The basic questions that I am trying to get answered are, can you apply group policy to a group of computers and if so how?
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
It looks like we're going to hold of on this and then try again to see if 2003 is any better, as under 2000 you can't apply a group policy to a security group, you can only use it to restrict the membership.
The original question, as asked, was answered.
ASKER
Your answer wasn'taccepted because of the number of different sites this would require setting up. Which is also why the origional said that the PCs shouldn't be moved to apply it.
That you don't like the answer does not negate the validity of it. You asked how to organize Active Directory so that you could apply group policy to machines based on location. That you don't like the amount of work involved is something you may want to discuss with Microsoft.....but I did tell you how to do it within the limitations of Windows 2000 Active Directory.
"Which is also why the origional said that the PCs shouldn't be moved to apply it." You are completely misunderstanding the system. You don't have to move the PCs anywhere....and they don't have to be in the same geographic location to be in the same OU or Site. Both OUs and Sites are simply administrative units which exist only for the convienece of the Network administrator.
You also appear to be confusing OUs and Sites, which are administrative units to which group policy can be applied........with security groups.....which are only used for setting permissions on a resourse, such as a printer, a folder or an individual file. That distinction does not change from windows 2000 to windows 2003. I suggest you get a basic understanding of Active Directory and Group Policy (many good books and classes out there) and all of this will be much easier for you to understand how to configure things. Group Policy, in both windows 2000 and Windows 2003 will do exactly what you said you wanted it to do in your original question.....if you understand the concepts.
"Which is also why the origional said that the PCs shouldn't be moved to apply it." You are completely misunderstanding the system. You don't have to move the PCs anywhere....and they don't have to be in the same geographic location to be in the same OU or Site. Both OUs and Sites are simply administrative units which exist only for the convienece of the Network administrator.
You also appear to be confusing OUs and Sites, which are administrative units to which group policy can be applied........with security groups.....which are only used for setting permissions on a resourse, such as a printer, a folder or an individual file. That distinction does not change from windows 2000 to windows 2003. I suggest you get a basic understanding of Active Directory and Group Policy (many good books and classes out there) and all of this will be much easier for you to understand how to configure things. Group Policy, in both windows 2000 and Windows 2003 will do exactly what you said you wanted it to do in your original question.....if you understand the concepts.
ASKER
So if I didn't understand it how can I accept the answer based on the level of information you gave. You gave no examples, suggestions or links to any sites that could supply further information. You simply explained it for someone who already knows how to do it.
Look, I'm not going to argue any further with you...you asked a specific question about AD...I answered it. The fact that you are trying to use a complex tool like AD without having even a basic understanding of how it works was not something that was immediately obvious from your question.
If you don't understand something or needed more information, you could have asked for it....instead of abandoning the question.....and it would have been gladly given.....but we are not mind readers.
Here's my last piece of advice for you......you would'nt try to use a complex machine without an understanding of what it does....and how it does it......why would you approach AD any differently.....please educate yourself....then if you need help, at least you will be know what the people who are trying to help you are saying.
ee_ai: as I said, asked and answered.
If you don't understand something or needed more information, you could have asked for it....instead of abandoning the question.....and it would have been gladly given.....but we are not mind readers.
Here's my last piece of advice for you......you would'nt try to use a complex machine without an understanding of what it does....and how it does it......why would you approach AD any differently.....please educate yourself....then if you need help, at least you will be know what the people who are trying to help you are saying.
ee_ai: as I said, asked and answered.
ASKER
The question was abonded because the project this involved was binned not because your answer was no understood. Undoubtably you could have provided an answer had there been more time available, however there wasn't and given that this was not looked into further your answer was not suitable.
No doubt had I know more about AD I would not have need to ask the question.
No doubt had I know more about AD I would not have need to ask the question.
ASKER
However regarding the ACL it's possible that I am adding the wrong thing, to me it seems the most effective thing to add would be the group itself and give it read and apply group policy settings. However this doesn't work. The RSop tells me that the GP is not being applied to the group and I can't see why. Any idea what would be best to add to the ACL?
I've tried adding the domain computers group.