Solved

Best way to apply Group Policy

Posted on 2004-10-19
Last Modified: 2010-04-14
I am deploying new machines and want to apply group policy to limit functionality. In Active Directory 2000, is it better to group the new machines in an OU and apply the group policy to those machines, or should I apply the policy to an OU of users?
0
Question by:GPEARL383
8 Comments
 
LVL 95

Expert Comment

by:Lee W, MVP
ID: 12354853
I'd tend to recommend doing it by machine. But remember, you can have MANY GPOs and assign them to computers and users separately. If you have a group of users that should get certain settings, apply to users. If you have a group of machines then apply to machines. It really depends on your config and requirements.
0
 
LVL 20

Expert Comment

by:Debsyl99
ID: 12356689
Hi
I'd say that planning is the key, and as you'll note there are policies that you may only wish to apply to users, particularly if they are logging in at different machines. Machines stay put, but it depends if your users do. (Mine don't - so I have separate machine OUs and user OUs - in a machine OU I disable application of the user part of the policy and vice versa.)
In planning a new deployment I tend to meet with everyone involved, but particularly the management team, to decide on structure, users and who needs access to what and when. I tend to try to group people and machines with common roles together where the access requirements are the same (so it mirrors the business structure - but consultation with users, i.e. management, is always essential). I also use the default domain policy as little as possible (i.e. account policy). I also make sure there's a firm acceptable use policy, and that everyone signs up to it (though you need management support), although my tendency is to lock things down as much as is possible to start with. Users tend to be happier about you relaxing things if you need to, rather than tightening them up in response to them doing things you don't want them to do!

Some useful resources here.
Group Policy Learning Guide
http://searchwin2000.techtarget.com/originalContent/0,289142,sid1_gci966312,00.html

Hope that helps,

Deb :))
0
 

Author Comment

by:GPEARL383
ID: 12357116
When trying to apply a policy to a group of machines the policy does not work or take effect.  When I apply the same policy to a group of users it works fine.  Why would this be?
0
 
LVL 20

Expert Comment

by:Debsyl99
ID: 12357283
Hi

Depends on the policy setting - the policy needs to be in the computer configuration section to apply to machines, it needs to be enabled, and the machines need "read and apply group policy" rights on the GPO security settings.
0

 
LVL 95

Expert Comment

by:Lee W, MVP
ID: 12358049
Are your clients all XP?  XP clients won't apply certain policy settings unless a local policy setting is in effect that says to WAIT for the network before showing a login screen.

On a problem PC running XP, run "MMC /A" and add the "Group Policy" snap-in from the File Menu > Add/Remove Snap-ins menu option. It should say "Local Computer Policy" in the window.

Then verify that Computer Config/Admin. Templates/System/Logon has a setting "Always wait for the network at computer startup and logon" and that that setting is set to "Enabled". Then reboot.
0
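The checks named in the two replies above (computer-side settings present and enabled, "read and apply group policy" rights on the GPO, and the "Always wait for the network" setting on the client), as an added example that is not part of the original thread. It assumes a management workstation with the GroupPolicy PowerShell module (installed with GPMC/RSAT) rather than the Windows 2000-era tools discussed here; the GPO name is hypothetical.

```powershell
# Added example (not from the thread): why might computer-side GPO settings not apply?
# Assumption: the GroupPolicy module (GPMC/RSAT) is available on the admin workstation.
Import-Module GroupPolicy

function Test-ComputerGpoReadiness {
    param(
        [Parameter(Mandatory)] [string] $GpoName   # display name of the GPO to check
    )
    $gpo = Get-GPO -Name $GpoName -ErrorAction Stop

    # 1. The computer half of the GPO must not be disabled.
    $computerEnabled = $gpo.GpoStatus -notin 'ComputerSettingsDisabled', 'AllSettingsDisabled'

    # 2. The computer half must actually hold settings (version 0 = never edited).
    $hasComputerSettings = $gpo.Computer.DSVersion -gt 0

    # 3. Trustees with "Read" + "Apply group policy" (reported as GpoApply).
    $applyTrustees = Get-GPPermission -Name $GpoName -All |
        Where-Object { $_.Permission -eq 'GpoApply' } |
        ForEach-Object { $_.Trustee.Name }

    [pscustomobject]@{
        Gpo                 = $gpo.DisplayName
        GpoStatus           = $gpo.GpoStatus
        ComputerEnabled     = $computerEnabled
        HasComputerSettings = $hasComputerSettings
        ApplyTrustees       = $applyTrustees -join ', '
    }
}

function Test-WaitForNetwork {
    # Run on the client. The "Always wait for the network at computer startup
    # and logon" policy is stored as SyncForegroundPolicy = 1 under this key.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $item = Get-ItemProperty -Path $key -Name SyncForegroundPolicy -ErrorAction SilentlyContinue
    return ($null -ne $item -and $item.SyncForegroundPolicy -eq 1)
}

# 'Workstation Lockdown' is a hypothetical GPO name used for illustration.
Test-ComputerGpoReadiness -GpoName 'Workstation Lockdown'
Test-WaitForNetwork
```

ApplyTrustees has to include the computer accounts or a group that contains them; Authenticated Users covers domain computers as well as users.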
 
LVL 20

Expert Comment

by:Debsyl99
ID: 12358143
Hi
Yep - good point Leew  
If you are deploying XP Pro machines, there's a useful tool for managing and enumerating group policy application. It needs to be run from an XP SP1 workstation with the .NET Framework on it, and an admin logon for management - it will work in a 2000 server based domain. Extremely useful, as it will tell you a lot more than running 2000 gpresult will:
Group Policy Management Console with Service Pack 1
http://www.microsoft.com/downloads/details.aspx?FamilyId=0A6D4C24-8CBD-4B35-9272-DD3CBFC81887&displaylang=en

Deb :))
0
 

Author Comment

by:GPEARL383
ID: 12371392
I am deploying XP machines and I do have GP management installed on my XP local desktop. I am running 2000 AD. I have some reservations about applying policies through my local XP PC. Has anyone tried this in a 2000 environment? How does this work, applying policies through a workstation with GP management on it? Is it stable? Are there problems that arise from doing this?
0
 
LVL 20

Accepted Solution

by:
Debsyl99 earned 500 total points
ID: 12372644
Hi
Yes, it's stable in my experience, although it's still early days - the network I administer is 2000 server native mode, with a mixture of mainly 2000 Pro SP4 but some XP SP1 workstations. We're about to add a new site consisting entirely of XP Pro, so I've been planning group policy application to this site. XP has different .adm files - so you need to use these in order to get the best out of XP and group policy. XP SP2 has updated .adm files again to assist with managing the firewall amongst other things, although I'm waiting to deploy XP SP2 until I'm happy it's sufficiently patched etc. You do need to manage XP-based group policy from an XP client.
References:
Managing Windows XP in a Windows 2000 Server Environment
http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/mngwinxp.mspx
Using Windows XP Professional with Service Pack 1 in a Managed Environment
http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/xpmanaged/31_xpapc.mspx
How do I upgrade a Windows 2000 Active Directory Group Policy object (GPO) to support the new features in Windows XP?
http://www.jsiinc.com/SUBI/tip4200/rh4252.htm

Deb :))
0
