?
Solved

Group Policy

Posted on 2005-03-20
9
Medium Priority
?
427 Views
Last Modified: 2010-04-10
Hi,

I have an active directory network at work, and im configuring some network group policies and I have a few questions.

lets assume thats I have a bunch of acounts in the domain users group
some of them are placed in an addictional group called 'employees'
the others are in a group called 'volunteers'

the domain users group is the primary group.

I have a group policy for the domain users (domian users only not authenticated users). and I want to set up and additional policy for the accounts on 'employees'

if I leave some of the options as-is e.g. 'not configured' in the employees policy, will the domain users policy overwite those settings?
also if there are some options configurred in the employees policy that are also configured in the domain users policy, which settings are used?

thanks

~Binks
0
Comment
Question by:dr_binks
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 5
  • 4
9 Comments
 
LVL 5

Accepted Solution

by:
dutchclan earned 750 total points
ID: 13589125
Dear binks.

if i read your question correctly u have a little trouble with how to get it all in place, let me tip u on the way.. U still have to set them yourself im afraid ;)

Normaly we will set a "general" policy for all users on the main OU, things like the browser standard home url ec.

Then on one of the sub OU`s we put the more specific policies ,for u can emagine that a guest for instance has less privaliges then the emplyees. It would look something like this.

BASE (OU) -> Domain policies for all users.
    |
    |
    |-Employees (OU)-> Employees specific policies
    |        |
    |        |--Department (OU) -> Department specific policies
    |        |       |
    |        |       |-->(Department_group GR)
    |        |       |-->Single users (OU)
    |        |       |           |->some user ( U )
    |
    |-Guest (OU)-> Guest near closed policies
    |        |
    |        |--Department -> Department specific policies
    |        |       |
    |        |       |-->(Guest_group GR)
    |        |       |-->Single users(OU)
    |        |       |           |->some user

This way u are quite able to precicly state all the rights per group. All parrent policies inherited in all sub policies.
       
0
 
LVL 5

Expert Comment

by:dutchclan
ID: 13589141
Ps.

U acces the policie tablet by richt clicking the "right"  (OU) "Orginisational Unit" or folder and selecting the tab policies. There u create a "new" one, once created u can edit these and select the wanted policies / OU

Tip: determin wich rights count as network wide policies, and determin wich count as department specific and write them down.

Please DO keep track of wich policies are where assigned to pare allot of trouble in the future!

Gl. Chris Gralike
0
 
LVL 5

Author Comment

by:dr_binks
ID: 13589267
I use this GPO tool on the PDC:
http://www.microsoft.com/downloads/details.aspx?FamilyID=0a6d4c24-8cbd-4b35-9272-dd3cbfc81887&DisplayLang=en

can I create sub policies and such using that tool? or do I require another one?

~Binks
0
Technology Partners: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 
LVL 5

Expert Comment

by:dutchclan
ID: 13589387
Dear Binks.

Im not familiar with this tool you address. But i do know this, hopes it helps in disigning the policies.

1. The first problem i encountered was combining the Group Policies and struct, with the way the rights where placed in the AD tree. As you state u dont want to apply certain policies on all the "standard" accounts in the basic "Users" OU.

We redisigned the rights tree to effectivly apply group policies on this tree top down meaning,

1e selection. Is it a application specific right, or an user informational right? we thought this might be an important issue so we created 2 OU groups

informational_rights OU (and placed a company wide policy over here, so admin ec are not affected)
Application_richts OU (Placed no policies over this container for in only contains groups)

2e Selection. Where do we put the accounts? so we dont loos track. Knowing that the departments use different information stores on the network we placed them in the informational tree.

Informational_rights -> Departments ( [ policy / department ] I think this is what is reffered to as sub_policy)

and so on.

I know that its not wise to set policies on the root, and im not sure how and where the tool sets them. I do know that your AD tree disign can make it allot easier for u to put these policies in place. Only it wont be a slight job...

and to get back on your question.

Its easier to use the "active directory and users" tool.
Select the required OU
Right click it.
Select the Group Policy tab
and create a new policy and edit it to finetune it.

anyway, this is the only way im sure that the policies are set right top down. ( i just need the feel that the settings are correct, and reffert to using tools. this way i can determin more effectivly where problems might come from.. )

Gl. Chris Gralike

0
 
LVL 5

Expert Comment

by:dutchclan
ID: 13589420
Here is an example

http://downloads.dutchclan.nl/AD.gif

Hope it helps
0
 
LVL 5

Author Comment

by:dr_binks
ID: 13589779
that image does help a bit.. it tells me that I dont have any of that in the "active directory and users" tool, lol.

all I have are the basics: builin, computers, domain controllers, foreignsecurity principles and users.

im assuming thats because all I have is win2k3 _standard_ edition?

~Binks
0
 
LVL 5

Expert Comment

by:dutchclan
ID: 13589873
it doesnt matter, as long as u have a mmc with active directory management services on a client, or u are behind the server managing the active directory. All the OU (containers) SG (security groups) U (users) have to be created and managed by the administrator (i guess thats u in this case). And as u might be able to see this tree serves two functions, 1 keeping a clear insight in the network, 2 simplyfieing the rights structure on the file system and 3. Creating a logical construct for distributing policies.

A clear active directory spares allot of time for sure, but its also easier to add correctly in case of new users, new groups, new policies.

Also im affraid that i can only show u how it could be done, but in the end its still u that has to apply these changes.

hope it helped

regards, Chris Gralike
0
 
LVL 5

Author Comment

by:dr_binks
ID: 13590417
do you know why wouldnt I have things like 'information rights' in the active direcotry users and groups MMC?
0
 
LVL 5

Author Comment

by:dr_binks
ID: 13590742
never mind I found out the reason, I have to turn advanced options on an then add organizational units.

cheers

0

Featured Post

Learn how to optimize MySQL for your business need

With the increasing importance of apps & networks in both business & personal interconnections, perfor. has become one of the key metrics of successful communication. This ebook is a hands-on business-case-driven guide to understanding MySQL query parameter tuning & database perf

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

When you try to share a printer , you may receive one of the following error messages. Error message when you use the Add Printer Wizard to share a printer: Windows could not share your printer. Operation could not be completed (Error 0x000006…
I had an issue with InstallShield not being able to use Computer Browser service on Windows Server 2012. Here is the solution I found.
In this video we outline the Physical Segments view of NetCrunch network monitor. By following this brief how-to video, you will be able to learn how NetCrunch visualizes your network, how granular is the information collected, as well as where to f…
Monitoring a network: why having a policy is the best policy? Michael Kulchisky, MCSE, MCSA, MCP, VTSP, VSP, CCSP outlines the enormous benefits of having a policy-based approach when monitoring medium and large networks. Software utilized in this v…
Suggested Courses

770 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question