Group Policy & OU's

Posted on 2005-05-16
Last Modified: 2010-04-14
I have been tasked to set up group policy on our domain - this includes putting users into organizational units.  This will handle the following departments:

- Accounting
- Administration
- Consumer Services
- Employee Claims
- Finance
- Fraud
- Human Resources
- Information Systems
- Legal
- License
- Life & Health
- Liquidation
- Mail Room
- Property Casualty

I don't think it will be necessary to make an organizational unit for each department, it would probably be overkill.  Please give me any suggestions you can on setting up the OUs.

This group policy is going to correct the following problems:

- Ensure the screensaver is password protected.
- Ensure a warning banner is displayed when the user logs in.
- Ensure windows updates are set to download and install from windows update.
- Set a list of restricted sites in IE.

Can you help me find these?  I know where some are, but not all - such as the windows updates option.

Thank you so much for your help. :)


Question by:brooksreese
    LVL 3

    Accepted Solution

    If I were you I would create an OU called "Domain Users" and Assign it a Group Policy...I would then create OUs for all the other departments (because you never know what special policies a certain department needs). By using this structure all your "sub"-OUs inherit the policies of the parent OU.

    You should set these Policies under Computer Configuration (make sure that you have the PCs in one of these OUs)
    -Windows Update = Administrative Templates --> Windows Components --> Windows Update --> Configure Automatic Updates
    -Banner = Windows Settings --> Security settings --> Local Settings --> Security Options --> Interactive Logon: Message text for users attempting to logon

    You should set these Policies under User Configuration:
    -Block Websites = Windows Settings --> Internet Explorer Maintenance --> Security --> Security Zones and Content Rating --> Click Import the current security zones and privacy settings --> (configure your sites here in the appropriate zones)
    - Screen Saver = Administrative Template --> Control Panel --> Display --> Password Protect the Screen Saver
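
A read-back check for the four settings named in the answer above, as an added example that is not part of the original thread. It assumes the standard registry locations these policies write to, Automatic Updates option 4 (auto download and schedule the install), and that the imported IE zone list lands in the user's ZoneMap key; `Get-RegValue` is a helper defined here.

```powershell
# Added example: confirm on one workstation that the thread's four settings applied.
# Run as the logged-on user so HKCU reflects that user's policy.

function Get-RegValue([string]$Path, [string]$Name) {
    # Hypothetical helper: returns $null when the key or value is absent.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { return $item.$Name }
    return $null
}

$au      = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
$system  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$desktop = 'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop'
$zoneMap = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'

# Sites mapped to zone 4 (Restricted sites). Under each domain key the value
# names are protocols (*, http, https) and the data is the zone number.
$restricted = @()
if (Test-Path $zoneMap) {
    $restricted = @(Get-ChildItem -Path $zoneMap -Recurse | Where-Object {
        $key = $_
        $key.GetValueNames() | Where-Object { $key.GetValue($_) -eq 4 }
    } | ForEach-Object { $_.Name -replace '^.*\\ZoneMap\\Domains\\', '' })
}

# The banner text may be stored as a multi-string; flatten it before testing.
$banner = (@(Get-RegValue $system 'LegalNoticeText') -join ' ').Trim()

$results = [ordered]@{
    'Screen saver password protected' = (Get-RegValue $desktop 'ScreenSaverIsSecure') -eq '1'
    'Logon banner text set'           = $banner.Length -gt 0
    'Automatic Updates download and install' =
        ((Get-RegValue $au 'NoAutoUpdate') -ne 1) -and ((Get-RegValue $au 'AUOptions') -eq 4)
    'IE restricted sites configured'  = $restricted.Count -gt 0
}

foreach ($name in $results.Keys) {
    '{0,-42} {1}' -f $name, $(if ($results[$name]) { 'OK' } else { 'NOT SET' })
}
if ($restricted.Count -gt 0) { 'Restricted sites: ' + ($restricted -join ', ') }
```

A 'NOT SET' on the two HKLM checks usually means the computer account is not in an OU the policy is linked to, which is the point the answer makes about placing the PCs in one of the OUs.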

    LVL 18

    Assisted Solution

    I tend to like to set up my AD like this:

    Accounting OU
       Accounting Users OU
       Accounting Computers OU

    But it really is a matter of personal preference and what fits better for your situation. I tend to find I implement a lot more specialized user policies (those under user config) so it makes it easier if my users are divided up by department/group.

    I don't think it would be overkill to divide things up by department. It's always nice to have a clear and easy view of your AD structure even for simple things such as finding users, etc.
    LVL 3

    Expert Comment

    I agree that it is nice to have it clear and easy, but what if you need to assign a specific group policy to the Users in "Mail room"... but if they all require one policy then I agree that there should only be 1 - 2 OUs
    LVL 1

    Author Comment

    Great advice guys, thank you. :)  I have one more question before I close this message...  Is there any way for me to ensure that anti-virus software or anti-spyware software is installed on the machine the user is using?

    LVL 3

    Expert Comment

    You can add your antivirus software in a group policy so that when the computer is rebooted it will install the software if it is needed (the same with anti-spyware). You will have to create an MSI file. Here is an article that will explain it to you:;en-us;257718
    LVL 3

    Expert Comment

    One other thing... You should add it as a Computer Policy instead of a user to ensure that all the computers have it.
    LVL 1

    Author Comment

    All of this advice is great - I wish I had more points to give to you guys. :)

