• Status: Solved
  • Priority: Medium
  • Security: Public

Group Policy & OU's

I have been tasked to set up group policy on our domain - this includes putting users into organizational units.  This will handle the following departments:

- Accounting
- Administration
- Consumer Services
- Employee Claims
- Finance
- Fraud
- Human Resources
- Information Systems
- Legal
- License
- Life & Health
- Liquidation
- Mail Room
- Property Casualty

I don't think it will be necessary to make an organizational unit for each department, it would probably be overkill.  Please give me any suggestions you can on setting up the OUs.

This group policy is going to correct the following problems:

- Ensure the screensaver is password protected.
- Ensure a warning banner is displayed when the user logs in.
- Ensure Windows updates are set to download and install from Windows Update.
- Set a list of restricted sites in IE.

Can you help me find these?  I know where some are, but not all - such as the Windows updates option.

Thank you so much for your help. :)


2 Solutions
If I were you I would create an OU called "Domain Users" and assign it a Group Policy... I would then create OUs for all the other departments (because you never know what special policies a certain department needs). By using this structure all your "sub"-OUs inherit the policies of the parent OU.

You should set these Policies under Computer Configuration (make sure that you have the PCs in one of these OUs)
- Windows Update = Administrative Templates --> Windows Components --> Windows Update --> Configure Automatic Updates
- Banner = Windows Settings --> Security settings --> Local Settings --> Security Options --> Interactive Logon: Message text for users attempting to logon

You should set these Policies under User Configuration:
- Block Websites = Windows Settings --> Internet Explorer Maintenance --> Security --> Security Zones and Content Rating --> Click Import the current security zones and privacy settings --> (configure your sites here in the appropriate zones)
- Screen Saver = Administrative Template --> Control Panel --> Display --> Password Protect the Screen Saver
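
A way to confirm on a client that the policies listed above have actually applied, as an added example (not part of the original answer). It assumes the registry locations these settings normally write to and treats `AUOptions` 4 (auto download and schedule the install) as the wanted update mode; the restricted-sites list is site-specific and is not checked.

```powershell
# Added example: run as the logged-on user after "gpupdate /force" and a re-logon.
# Reads the registry values written by three of the policies above and reports
# whether each one is in the expected state.

function Get-PolicyValue($Path, $Name) {
    # Returns the value data, or $null when the key or value does not exist.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name } else { $null }
}

$checks = @(
    @{ Setting = 'Screen saver is password protected'
       Path    = 'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop'
       Name    = 'ScreenSaverIsSecure'
       Test    = { param($v) $v -eq '1' } },
    @{ Setting = 'Logon banner text is set'
       Path    = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
       Name    = 'LegalNoticeText'
       # The value may be a string or a multi-string; an empty banner fails.
       Test    = { param($v) (@($v) -join '').Trim().Length -gt 0 } },
    @{ Setting = 'Automatic Updates is not disabled'
       Path    = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
       Name    = 'NoAutoUpdate'
       Test    = { param($v) $v -eq 0 } },
    @{ Setting = 'Updates download and install automatically'
       Path    = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
       Name    = 'AUOptions'
       Test    = { param($v) $v -eq 4 } }
)

$report = foreach ($c in $checks) {
    $value = Get-PolicyValue $c.Path $c.Name
    [pscustomobject]@{
        Setting   = $c.Setting
        Value     = if ($null -eq $value) { '<not set>' } else { @($value) -join ' ' }
        Compliant = [bool](& $c.Test $value)
    }
}

$report | Format-Table -AutoSize

# A non-zero exit code lets a logon script or scheduled task flag the machine.
if ($report | Where-Object { -not $_.Compliant }) { exit 1 }
```

A `<not set>` result on the screen saver check usually means the user object is not in an OU the policy is linked to, since that setting is under User Configuration.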

I tend to like to set up my AD like this:

Accounting OU
   Accounting Users OU
   Accounting Computers OU

But it really is a matter of personal preference and what fits better for your situation. I tend to find I implement a lot more specialized user policies (those under user config) so it makes it easier if my users are divided up by department/group.

I don't think it would be overkill to divide things up by department. It's always nice to have a clear and easy view of your AD structure even for simple things as finding users, etc.

I agree that it is nice to have it clear and easy, but what if you need to assign a specific group policy to the Users in "Mail room"... but if they all require one policy then I agree that there should only be 1 - 2 OUs.

brooksreese (Author) Commented:
Great advice guys, thank you. :)  I have one more question before I close this message...  Is there any way for me to ensure that anti-virus software or anti-spyware software is installed on the machine the user is using?

You can add your antivirus software in a group policy so that when the computer is rebooted it will install the software if it is needed (the same with anti-spyware). You will have to create an MSI file. Here is an article that will explain it to you:

One other thing... You should add it as a Computer Policy instead of a user to ensure that all the computers have it.

brooksreese (Author) Commented:
All of this advice is great - I wish I had more points to give to you guys. :)

