Group Policy


I have an active directory network at work, and im configuring some network group policies and I have a few questions.

lets assume thats I have a bunch of acounts in the domain users group
some of them are placed in an addictional group called 'employees'
the others are in a group called 'volunteers'

the domain users group is the primary group.

I have a group policy for the domain users (domian users only not authenticated users). and I want to set up and additional policy for the accounts on 'employees'

if I leave some of the options as-is e.g. 'not configured' in the employees policy, will the domain users policy overwite those settings?
also if there are some options configurred in the employees policy that are also configured in the domain users policy, which settings are used?


Who is Participating?
dutchclanConnect With a Mentor Commented:
Dear binks.

if i read your question correctly u have a little trouble with how to get it all in place, let me tip u on the way.. U still have to set them yourself im afraid ;)

Normaly we will set a "general" policy for all users on the main OU, things like the browser standard home url ec.

Then on one of the sub OU`s we put the more specific policies ,for u can emagine that a guest for instance has less privaliges then the emplyees. It would look something like this.

BASE (OU) -> Domain policies for all users.
    |-Employees (OU)-> Employees specific policies
    |        |
    |        |--Department (OU) -> Department specific policies
    |        |       |
    |        |       |-->(Department_group GR)
    |        |       |-->Single users (OU)
    |        |       |           |->some user ( U )
    |-Guest (OU)-> Guest near closed policies
    |        |
    |        |--Department -> Department specific policies
    |        |       |
    |        |       |-->(Guest_group GR)
    |        |       |-->Single users(OU)
    |        |       |           |->some user

This way u are quite able to precicly state all the rights per group. All parrent policies inherited in all sub policies.

U acces the policie tablet by richt clicking the "right"  (OU) "Orginisational Unit" or folder and selecting the tab policies. There u create a "new" one, once created u can edit these and select the wanted policies / OU

Tip: determin wich rights count as network wide policies, and determin wich count as department specific and write them down.

Please DO keep track of wich policies are where assigned to pare allot of trouble in the future!

Gl. Chris Gralike
dr_binksAuthor Commented:
I use this GPO tool on the PDC:

can I create sub policies and such using that tool? or do I require another one?

The new generation of project management tools

With’s project management tool, you can see what everyone on your team is working in a single glance. Its intuitive dashboards are customizable, so you can create systems that work for you.

Dear Binks.

Im not familiar with this tool you address. But i do know this, hopes it helps in disigning the policies.

1. The first problem i encountered was combining the Group Policies and struct, with the way the rights where placed in the AD tree. As you state u dont want to apply certain policies on all the "standard" accounts in the basic "Users" OU.

We redisigned the rights tree to effectivly apply group policies on this tree top down meaning,

1e selection. Is it a application specific right, or an user informational right? we thought this might be an important issue so we created 2 OU groups

informational_rights OU (and placed a company wide policy over here, so admin ec are not affected)
Application_richts OU (Placed no policies over this container for in only contains groups)

2e Selection. Where do we put the accounts? so we dont loos track. Knowing that the departments use different information stores on the network we placed them in the informational tree.

Informational_rights -> Departments ( [ policy / department ] I think this is what is reffered to as sub_policy)

and so on.

I know that its not wise to set policies on the root, and im not sure how and where the tool sets them. I do know that your AD tree disign can make it allot easier for u to put these policies in place. Only it wont be a slight job...

and to get back on your question.

Its easier to use the "active directory and users" tool.
Select the required OU
Right click it.
Select the Group Policy tab
and create a new policy and edit it to finetune it.

anyway, this is the only way im sure that the policies are set right top down. ( i just need the feel that the settings are correct, and reffert to using tools. this way i can determin more effectivly where problems might come from.. )

Gl. Chris Gralike

Here is an example

Hope it helps
dr_binksAuthor Commented:
that image does help a bit.. it tells me that I dont have any of that in the "active directory and users" tool, lol.

all I have are the basics: builin, computers, domain controllers, foreignsecurity principles and users.

im assuming thats because all I have is win2k3 _standard_ edition?

it doesnt matter, as long as u have a mmc with active directory management services on a client, or u are behind the server managing the active directory. All the OU (containers) SG (security groups) U (users) have to be created and managed by the administrator (i guess thats u in this case). And as u might be able to see this tree serves two functions, 1 keeping a clear insight in the network, 2 simplyfieing the rights structure on the file system and 3. Creating a logical construct for distributing policies.

A clear active directory spares allot of time for sure, but its also easier to add correctly in case of new users, new groups, new policies.

Also im affraid that i can only show u how it could be done, but in the end its still u that has to apply these changes.

hope it helped

regards, Chris Gralike
dr_binksAuthor Commented:
do you know why wouldnt I have things like 'information rights' in the active direcotry users and groups MMC?
dr_binksAuthor Commented:
never mind I found out the reason, I have to turn advanced options on an then add organizational units.


All Courses

From novice to tech pro — start learning today.