Solved

How can group policy be applied to groups of computers

Posted on 2004-09-01
13
208 Views
Last Modified: 2010-04-14
We currently have around 2200 machines running Windows 2000 on a Server 2000 network, and have been trying to get computers divided into groups so that some startup scripts can be run on them based on their locations.  At the moment it is not an option to divide the computers into separate OUs as each computer will probably want to be in more than one group.

The basic questions that I am trying to get answered are, can you apply group policy to a group of computers and if so how?
0
Comment
Question by:jhutch2000
  • 5
  • 4
13 Comments
 

Assisted Solution

by:inlinemike
inlinemike earned 50 total points
ID: 11952213
If you had a 2003 server as a DC this would be alot easier.  It can be done through ACLs though.  It gets really tricky trying to troubleshoot and RSoP will become your best friend.  But if you want to look at how its done:

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/policy/policy/filtering_the_scope_of_a_gpo.asp

With at least one 2003 DC you can fully use the WMI filters found here:

http://www.microsoft.com/resources/documentation/WindowsServ/2003/all/deployguide/en-us/Default.asp?url=/resources/documentation/windowsserv/2003/all/deployguide/en-us/dmebb_gpu_yxso.asp


I'd also recommend the Group Policy Management Console if you aren't currently using it.  It will streamline alot of the GPO functions into a single UI.  It takes some getting used to but I think you'll find its a lot easier to use than the standard mmc snap ins.

http://www.microsoft.com/downloads/details.aspx?FamilyId=0A6D4C24-8CBD-4B35-9272-DD3CBFC81887&displaylang=en
0
 
LVL 18

Accepted Solution

by:
JConchie earned 50 total points
ID: 11953231
Actually, it ain't that hard....if you want to apply policy based on location, segment your network into different sites.....add individual machines to the necessary site....and apply policy at the site level.
0
 

Author Comment

by:jhutch2000
ID: 11953599
At the moment using a 2003 computer isn't really an option, which is unfortunate is it seems that would be the answer so we wont rule it out for now.

However regarding the ACL it's possible that I am adding the wrong thing, to me it seems the most effective thing to add would be the group itself and give it read and apply group policy settings.  However this doesn't work.  The RSop tells me that the GP is not being applied to the group and I can't see why.  Any idea what would be best to add to the ACL?
I've tried adding the domain computers group.
0
 

Author Comment

by:jhutch2000
ID: 11961160
It looks like we're going to hold of on this and then try again to see if 2003 is any better, as under 2000 you can't apply a group policy to a security group, you can only use it to restrict the membership.
0
 
LVL 18

Expert Comment

by:JConchie
ID: 12475690
The original question, as asked, was answered.
0
How your wiki can always stay up-to-date

Quip doubles as a “living” wiki and a project management tool that evolves with your organization. As you finish projects in Quip, the work remains, easily accessible to all team members, new and old.
- Increase transparency
- Onboard new hires faster
- Access from mobile/offline

 

Author Comment

by:jhutch2000
ID: 12475754
Your answer wasn'taccepted because of the number of different sites this would require setting up.  Which is also why the origional said that the PCs shouldn't be moved to apply it.
0
 
LVL 18

Expert Comment

by:JConchie
ID: 12476164
That you don't like the answer does not negate the validity of it.  You asked how to organize Active Directory so that you could apply group policy to machines based on location.  That you don't like the amount of work involved is something you may want to discuss with Microsoft.....but I did tell you how to do it within the limitations of Windows 2000 Active Directory.

"Which is also why the origional said that the PCs shouldn't be moved to apply it."   You are completely misunderstanding the system.  You don't have to move the PCs anywhere....and they don't have to be in the same geographic location to be in the same OU or Site.  Both OUs and Sites are simply administrative units which exist only for the convienece of the Network administrator.

You also appear to be confusing OUs and Sites, which are administrative units to which group policy can be applied........with security groups.....which are only used for setting permissions on a resourse, such as a printer, a folder or an individual file.   That distinction does not change from windows 2000 to windows 2003.  I suggest you get a basic understanding of Active Directory and Group Policy (many good books and classes out there) and all of this will be much easier for you to understand how to configure things.  Group Policy, in both windows 2000 and Windows 2003 will do exactly what you said you wanted it to do in your original question.....if you understand the concepts.

0
 

Author Comment

by:jhutch2000
ID: 12476256
So if I didn't understand it how can I accept the answer based on the level of information you gave.  You gave no examples, suggestions or links to any sites that could supply further information.  You simply explained it for someone who already knows how to do it.
0
 
LVL 18

Expert Comment

by:JConchie
ID: 12476349
Look, I'm not going to argue any further with you...you asked a specific question about AD...I answered it.  The fact that you are trying to use a complex tool like AD without having even a basic understanding of how it works was not something that was immediately obvious from your question.  

If you don't understand something or needed more information, you could have asked for it....instead of abandoning the question.....and it would have been gladly given.....but we are not mind readers.

Here's my last piece of advice for you......you would'nt try to use a complex machine without an understanding of what it does....and how it does it......why would you approach AD any differently.....please educate yourself....then if you need help, at least you will be know what the people who are trying to help you are saying.

ee_ai:  as I said, asked and answered.

0
 

Author Comment

by:jhutch2000
ID: 12476745
The question was abonded because the project this involved was binned not because your answer was no understood.  Undoubtably you could have provided an answer had there been more time available, however there wasn't and given that this was not looked into further your answer was not suitable.
No doubt had I know more about AD I would not have need to ask the question.
0

Featured Post

Free Trending Threat Insights Every Day

Enhance your security with threat intelligence from the web. Get trending threat insights on hackers, exploits, and suspicious IP addresses delivered to your inbox with our free Cyber Daily.

Join & Write a Comment

NTFS file system has been developed by Microsoft that is widely used by Windows NT operating system and its advanced versions. It is the mostly used over FAT file system as it provides superior features like reliability, security, storage, efficienc…
What is Backup? Backup software creates one or more copies of the data on your digital devices in case your original data is lost or damaged. Different backup solutions protect different kinds of data and different combinations of devices. For e…
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, Just open a new email message.  In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…
Access reports are powerful and flexible. Learn how to create a query and then a grouped report using the wizard. Modify the report design after the wizard is done to make it look better. There will be another video to explain how to put the final p…

707 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

13 Experts available now in Live!

Get 1:1 Help Now