  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 330

When building group policies...

Hi Guys,

I'm looking to add some group policies to lock down client machines, and try and prolong the "breaking" process. Anyway, I'm a little unclear about how group policies work, and was hoping for some explanations.

I have 50 users in the company, and each user has their own machine. I have put all the users that I want to be locked down in their own OU, but I haven't put all their computers in their own OU. Should I do this?

Also, when I go to edit the policy, it's split into 2 sections, "computer configuration" and "user configuration". Which one do I need to use? And should I assign these policies to my group of users, or to their machines?

Sorry if it seems like a really stupid question.

Thanks, Gavin
0
Gavin5511
 
Debsyl99 Commented:
Hi Gavin5511,
Generally you build an Active Directory structure to best meet your needs in terms of your company structure. I generally have an OU for each geographical office - with this divided into sub-OUs for users and computers. User configuration applies to users - computer configuration applies to computers. You're right insofar as your computers will also need to be in an OU with the computer policy attached - and permissions will need to be set for domain computers to read and apply the policy linked to that OU.

Deb :))
0
 
Debsyl99 Commented:
Hi,
As you're running Windows 2k3 Server you can make use of the GPMC. What workstations are you running?
Group Policy Management Console (GPMC)
http://www.windowsecurity.com/articles/Group-Policy-Management-Console.html

Deb :))
0
 
Jay_Jay70 Commented:
Hi Gavin5511,

Couldn't really put it any better than Deb has.

By default the group policies will have the correct permissions to apply to users and computers, depending on which way you go.

As Deb said, user settings apply just to users and computer settings just to computers. This means that if you have a user and computer in the same OU, the policy looks after itself.

Remember: last policy applied wins.

LSDOU is the rule for policies:

Local
Site
Domain
Organisational Unit

If you have an OU nested within an OU, the last applied wins.

Just a useful tip depending on your AD structure....
0
 
Gavin5511 (Author) Commented:
OK, so am I right in saying that if I want to add a policy to a computer (and for everyone that uses the computer) I would just touch the "computer configuration" in the computer OU?

What happens if I set a "user configuration" policy on an OU of computers? And vice versa?
0
 
Debsyl99 Commented:
"OK, so am I right in saying that if I want to add a policy to a computer (and for everyone that uses the computer) I would just touch the "computer configuration" in the computer OU?" - Yes

"What happens if I set a "user configuration" policy on an OU of computers? And vice versa?" - Nothing - unless there are users also in that OU - in which case the user configuration policy will apply to them.

If you want a separate OU for users and another for computers - that's fine - you can just disable the unused computer or user configuration part of the policy, as it prevents unnecessary policy processing. If you want to set one policy for one OU that applies to both users and computers then you can do that too. You just need to set both computer and user policies and ensure that the users and computers are all in that OU and both domain users and domain computers have read and apply group policy rights to that linked policy.
0
 
Jay_Jay70 Commented:
For admin purposes I find it a lot easier to put computers and users in different OUs - this is just a personal opinion though.
0
 
TheCleaner Commented:
Gavin5511,

Just to add to the advice already given, you can apply user configuration policies to a "computer OU" using loopback processing:  http://support.microsoft.com/?id=231287

This would be useful for instance in a classroom environment where you want a particular user config to happen for anyone that uses those particular computers.
0
 
TheCleaner Commented:
BTW, it sounds like you are basically confused between computer and user configs.

By default (negating loopback processing) you apply a GPO to an OU and let's say you set nothing but computer configuration changes.  Any (by default) computers in that OU and Sub-OUs will get those config changes.  Computer accounts NOT in that OU (either higher up in AD or in a separate OU at the same level) won't get those configuration changes.

Same for users and user configs.

Again, that's by default...

The different sections (computer and user) are based on who/what you want to manipulate.  Anything in the computer section takes place for that computer and anyone that logs on.  However, lots of the configuration options for a "user" aren't in the computer section, and vice versa.  You'll see this as you poke around in a test OU and test GPO.

Loopback processing allows you to have an OU of just computer accounts, but allows you to apply User config settings to it.  That's the non-default way and is really used in special circumstances like I've said above.
0
