Group Policy & OUs

I have been tasked to set up group policy on our domain - this includes putting users into organizational units.  This will handle the following departments:

- Accounting
- Administration
- Consumer Services
- Employee Claims
- Finance
- Fraud
- Human Resources
- Information Systems
- Legal
- License
- Life & Health
- Liquidation
- Mail Room
- Property Casualty

I don't think it will be necessary to make an organizational unit for each department, it would probably be overkill.  Please give me any suggestions you can on setting up the OUs.

This group policy is going to correct the following problems:

- Ensure the screensaver is password protected.
- Ensure a warning banner is displayed when the user logs in.
- Ensure Windows updates are set to download and install from Windows Update.
- Set a list of restricted sites in IE.

Can you help me find these?  I know where some are, but not all - such as the Windows updates option.

Thank you so much for your help. :)


If I were you I would create an OU called "Domain Users" and assign it a Group Policy... I would then create OUs for all the other departments (because you never know what special policies a certain department needs). By using this structure all your "sub"-OUs inherit the policies of the parent OU.

You should set these Policies under Computer Configuration (make sure that you have the PCs in one of these OUs):
- Windows Update = Administrative Templates --> Windows Components --> Windows Update --> Configure Automatic Updates
- Banner = Windows Settings --> Security settings --> Local Settings --> Security Options --> Interactive Logon: Message text for users attempting to logon

You should set these Policies under User Configuration:
- Block Websites = Windows Settings --> Internet Explorer Maintenance --> Security --> Security Zones and Content Rating --> Click Import the current security zones and privacy settings --> (configure your sites here in the appropriate zones)
- Screen Saver = Administrative Template --> Control Panel --> Display --> Password Protect the Screen Saver

I tend to like to set up my AD like this:

Accounting OU
   Accounting Users OU
   Accounting Computers OU

But it really is a matter of personal preference and what fits better for your situation. I tend to find I implement a lot more specialized user policies (those under user config) so it makes it easier if my users are divided up by department/group.

I don't think it would be overkill to divide things up by department. It's always nice to have a clear and easy view of your AD structure even for simple things such as finding users, etc.
I agree that it is nice to have it clear and easy, but what if you need to assign a specific group policy to the Users in "Mail room"... but if they all require one policy then I agree that there should only be 1 - 2 OUs
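
The OU layout and two of the settings discussed above, scripted as an added example that is not part of the original thread. It assumes the RSAT ActiveDirectory and GroupPolicy modules; the domain DN, the parent OU name, the GPO name and the install schedule are placeholders or hypothetical values.

```powershell
Import-Module ActiveDirectory, GroupPolicy

$domainDn = 'DC=example,DC=local'      # placeholder: replace with your domain DN
$rootName = 'Departments'              # hypothetical parent OU name
$gpoName  = 'Baseline - All Depts'     # hypothetical GPO name
$departments = 'Accounting','Administration','Consumer Services','Employee Claims',
               'Finance','Fraud','Human Resources','Information Systems','Legal',
               'License','Life & Health','Liquidation','Mail Room','Property Casualty'

# Create an OU only if it does not exist yet, so the script can be re-run safely.
function New-OuIfMissing {
    param([string]$Name, [string]$Path)
    $dn = "OU=$Name,$Path"
    if (-not (Get-ADOrganizationalUnit -Filter "distinguishedName -eq '$dn'")) {
        New-ADOrganizationalUnit -Name $Name -Path $Path
    }
    return $dn
}

# Parent OU, then one OU per department with separate Users and Computers OUs.
$rootDn = New-OuIfMissing -Name $rootName -Path $domainDn
foreach ($dept in $departments) {
    $deptDn = New-OuIfMissing -Name $dept -Path $rootDn
    New-OuIfMissing -Name "$dept Users"     -Path $deptDn | Out-Null
    New-OuIfMissing -Name "$dept Computers" -Path $deptDn | Out-Null
}

if (-not (Get-GPO -Name $gpoName -ErrorAction SilentlyContinue)) {
    New-GPO -Name $gpoName | Out-Null
}

# User Configuration: "Password protect the screen saver" = Enabled
$desk = 'HKCU\Software\Policies\Microsoft\Windows\Control Panel\Desktop'
Set-GPRegistryValue -Name $gpoName -Key $desk -ValueName 'ScreenSaverIsSecure' -Type String -Value '1' | Out-Null

# Computer Configuration: "Configure Automatic Updates" = Enabled,
# option 4 (download automatically and install on a schedule).
$au = 'HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\AU'
$auValues = @{ NoAutoUpdate = 0; AUOptions = 4
               ScheduledInstallDay = 0; ScheduledInstallTime = 3 }  # assumed: daily, 03:00
foreach ($v in $auValues.GetEnumerator()) {
    Set-GPRegistryValue -Name $gpoName -Key $au -ValueName $v.Key -Type DWord -Value $v.Value | Out-Null
}

# Link once at the parent OU; every department OU below it inherits the GPO.
if ((Get-GPInheritance -Target $rootDn).GpoLinks.DisplayName -notcontains $gpoName) {
    New-GPLink -Name $gpoName -Target $rootDn -LinkEnabled Yes | Out-Null
}
```

The logon banner and the IE restricted-sites list are not covered by this script and are still configured in the Group Policy editor at the paths given in the thread. Running `gpresult /r` on a client after `gpupdate /force` shows whether the GPO was applied.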

brooksreese (Author) Commented:
Great advice guys, thank you. :)  I have one more question before I close this message...  Is there any way for me to ensure that anti-virus software or anti-spyware software is installed on the machine the user is using?

You can add your antivirus software in a group policy so that when the computer is rebooted it will install the software if it is needed (the same with anti-spyware). You will have to create an MSI file. Here is an article that will explain it to you:;en-us;257718
One other thing... You should add it as a Computer Policy instead of a user one to ensure that all the computers have it.
brooksreese (Author) Commented:
All of this advice is great - I wish I had more points to give to you guys. :)

Question has a verified solution.
