• Status: Solved
  • Priority: Medium
  • Security: Public

Best way to apply Group Policy

I am deploying new machines and want to apply group policy to limit functionality. In Active Directory 2000 is it better to group the new machines in an OU and apply the group policy to those machines or should I apply the policy to an OU of users?
Asked:
GPEARL383
Lee W, MVP, Technology and Business Process Advisor, Commented:
I'd tend to recommend doing it by machine. But remember, you can have MANY GPOs and assign them to computers and users separately. If you have a group of users that should get certain settings, apply to users. If you have a group of machines then apply to machines. It really depends on your config and requirements.
 
Debsyl99 Commented:
Hi
I'd say that planning is the key, and as you'll note there are policies that you may only wish to apply to users, particularly if they are logging in at different machines. Machines stay put, but it depends if your users do. (Mine don't - so I have separate machine OUs and user OUs - in a machine OU I disable application of the user part of the policy and vice versa.)
In planning a new deployment I tend to meet with everyone involved, but particularly the management team, to decide on structure, users and who needs access to what and when. I tend to try to group people and machines with common roles together where the access requirements are the same (so it mirrors the business structure - but consultation with users, i.e. management, is always essential). I also use the default domain policy as little as possible (i.e. account policy). I also make sure there's a firm acceptable use policy, and that everyone signs up to it (though you need management support), although my tendency is to lock things down as much as is possible to start with. Users tend to be happier about you relaxing things if you need to, rather than tightening them up in response to them doing things you don't want them to do!

Some useful resources here.
Group Policy Learning Guide
http://searchwin2000.techtarget.com/originalContent/0,289142,sid1_gci966312,00.html

Hope that helps,

Deb :))
 
GPEARL383 (Author) Commented:
When trying to apply a policy to a group of machines the policy does not work or take effect. When I apply the same policy to a group of users it works fine. Why would this be?
 
Debsyl99 Commented:
Hi

Depends on the policy setting - the policy needs to be in the computer configuration section to apply to machines, it needs to be enabled, and the machines need "read and apply group policy" rights on the GPO security settings.
 
Lee W, MVP, Technology and Business Process Advisor, Commented:
Are your clients all XP? XP clients won't apply certain policy settings unless a local policy setting is in effect that says to WAIT for the network before showing a login screen.

On a problem PC running XP, run "MMC /A" and add the "Group Policy" snap-in from the File Menu > Add/Remove Snap-ins menu option. It should say "Local Computer Policy" in the window.

Then verify that Computer Config/Admin. Templates/System/Logon has a setting "Always wait for the network at computer startup and logon" and that that setting is set to "Enabled". Then reboot.
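
The checks suggested in the two answers above (the wait-for-network setting, and whether the computer-side GPO is applied or filtered out) can be run from a command prompt on a problem XP client. This batch script is an added example, not part of the original thread; the registry value name `SyncForegroundPolicy` (the value behind the "Always wait for the network" setting) and the report file name are not taken from the thread.

```batch
@echo off
rem Added example (not from the thread): run on a problem XP client as an administrator.
setlocal
set "KEY=HKLM\SOFTWARE\Policies\Microsoft\Windows NT\CurrentVersion\Winlogon"
set "STATE="
set "REPORT=%TEMP%\gp_computer.txt"

rem 1. "Always wait for the network at computer startup and logon" is stored as
rem    SyncForegroundPolicy (REG_DWORD); 0x1 means Enabled.
for /f "tokens=3" %%A in ('reg query "%KEY%" /v SyncForegroundPolicy 2^>nul ^| find /i "SyncForegroundPolicy"') do set "STATE=%%A"
if /i "%STATE%"=="0x1" (
    echo [OK]   Wait-for-network setting is Enabled.
) else (
    echo [WARN] Wait-for-network setting is not Enabled ^(value read: "%STATE%"^).
)

rem 2. Computer-side resultant policy. The report lists the GPOs that were applied
rem    to the machine and the GPOs that were filtered out, each with a filtering
rem    reason (for example missing "read and apply group policy" rights, or a GPO
rem    with no computer configuration settings).
gpresult /scope computer /v > "%REPORT%"
echo Computer policy report written to %REPORT%
type "%REPORT%"

rem 3. After correcting the GPO or its security settings, refresh the computer
rem    half of the policy, then reboot so startup-time settings are processed.
gpupdate /target:computer /force
endlocal
```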
 
Debsyl99 Commented:
Hi
Yep - good point Leew
If you are deploying XP Pro machines, useful tool for managing and enumerating group policy application - needs to be run from an XP SP1 workstation with .NET Framework on it, and an admin logon for management - will work in a 2000 Server based domain. Extremely useful - as it will tell you a lot more than running 2000 gpresult will.
Group Policy Management Console with Service Pack 1
http://www.microsoft.com/downloads/details.aspx?FamilyId=0A6D4C24-8CBD-4B35-9272-DD3CBFC81887&displaylang=en

Deb :))
 
GPEARL383 (Author) Commented:
I am deploying XP machines and I do have GP management installed on my XP local desktop. I am running 2000 AD. I have some reservation about applying policies through my local XP PC. Has anyone tried this in a 2000 environment? How does this work applying policies through a workstation with GP management on it? Is it stable? Are there problems that arise from doing this?
 
Debsyl99 Commented:
Hi
Yes it's stable in my experience although it's still early days - the network I administer is 2000 Server native mode, with a mixture of mainly 2000 Pro SP4 but some XP SP1 workstations. We're about to add a new site consisting of entirely XP Pro so I've been planning group policy application to this site. XP has different .adm files - so you need to use these in order to get the best out of XP and group policy. XP SP2 has updated .adm files again to assist with managing the firewall amongst other things, although I'm waiting to deploy XP SP2 until I'm happy it's sufficiently patched etc. You do need to manage XP-based group policy from an XP client.
References:
Managing Windows XP in a Windows 2000 Server Environment
http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/mngwinxp.mspx
Using Windows XP Professional with Service Pack 1 in a Managed Environment
http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/xpmanaged/31_xpapc.mspx
How do I upgrade a Windows 2000 Active Directory Group Policy object (GPO) to support the new features in Windows XP?
http://www.jsiinc.com/SUBI/tip4200/rh4252.htm

Deb :))
Question has a verified solution.