exdos
How do I apply a policy to users in different OUs?
We have had GPOs that are set up to work with a network management piece of software that we purchased 5 6 years ago.
Most of the site has the network management software installed. We recently purchased 30 new XP Pro machines, for which I have created GPOs so that we do not need to install the network management software on them. My only issue now is how I can have the new policy apply to the users that will from time to time use the new machines. The users are currently in different OUs based on the group they fall in.
There is currently an OU for users and one for workstations.
I have created a new users OU and workstation OU, to which I have added the new PCs.
Eventually, after fine-tuning the policy, I intend to move away from the network management software.
ASKER
"The users are currently in different ou's based on the group they fall in"
Yes, GPMC is a very useful tool! I have it installed and use it a lot due to the way it simplifies policy management.
You have a couple options here.
IF the GPO is applied at a Computer level (i.e. set up under Computer Configuration)
1. Link the GPO to the OU that the computers reside in (a GPO can be linked to more than 1 OU)
2. Link the GPO to the root of the domain, then use Global Security Groups to filter the GPO (add the computers that need the GPO to a Security Group, remove Authenticated Users from the GPO and add that security group)
IF the GPO is applied at a User Level
1. Link the GPO to the OUs the users are in.
If the GPO only applies to some users in an OU
1. Link the GPO to that OU (or to the root of the domain), then set up a security group, add the users that need the policy, apply that group to the GPO and remove Authenticated Users. Give the new group applied Read and Apply permissions.
ASKER
Thanks for the reply.
The GPO is applied at user level.
If I link the GPO to the OUs the users are in, will that not conflict with the GPO that is already linked?
Just to explain once again (I think I may not have explained it correctly),
the current setup is:
We have an OU called c USERS
In this OU are 3 other OUs:
staff
support
admin
Each has a policy assigned to it.
We also have an OU for all current workstations. All the PCs with the client version of the network management are in this OU and have a GPO applied to it.
I have created a new OU
USERS 2006
I have created a GPO for this OU and linked it (lock down the PC to prevent access to system settings etc.)
I have created a new OU
Clients
I have added the 30 new PCs and also created a GPO and linked it here. (This will allow WSUS updates.)
The users move around on a daily basis, so unless I manually get a list of the users that will use the rooms with the 30 new PCs and move them from the support OU to the USERS 2006 OU, they will not get the new GPO I created.
I hope I have made this a little clearer.
nksthab
thanks
ASKER
nksthab ?
sorry
ASKER
Solved it!
I have added the settings of the USERS 2006 GPO to the Clients GPO. I then deleted the USERS 2006 GPO.
I then used a feature called loopback policy in replace mode. This way the GPOs meant for the user are totally ignored. (Ideal for public environments.)
Permission to have thread deleted please.
Many thanks for the suggestions though.
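The loopback fix described in the post above, as an added example that is not part of the original thread: it sets loopback processing to replace mode on the GPO linked to the Clients OU and checks that the GPO is actually in scope of that OU. It uses the GroupPolicy PowerShell module (newer than the XP-era tooling discussed here); the GPO display name `Clients` and the OU path are assumptions.

```powershell
# Added example. Assumed names: GPO 'Clients', OU 'OU=Clients,DC=example,DC=local'.
Import-Module GroupPolicy

$GpoName   = 'Clients'
$ClientsOu = 'OU=Clients,DC=example,DC=local'
# Registry location written by the "loopback processing mode" policy setting
$PolicyKey = 'HKLM\Software\Policies\Microsoft\Windows\System'

function Set-LoopbackReplace {
    param([Parameter(Mandatory)][string]$Name)
    # UserPolicyMode: 1 = Merge, 2 = Replace
    Set-GPRegistryValue -Name $Name -Key $PolicyKey -ValueName 'UserPolicyMode' `
        -Type DWord -Value 2 | Out-Null
}

function Test-LoopbackReplace {
    param([Parameter(Mandatory)][string]$Name)
    try {
        $setting = Get-GPRegistryValue -Name $Name -Key $PolicyKey `
            -ValueName 'UserPolicyMode' -ErrorAction Stop
        return ($setting.Value -eq 2)
    } catch {
        return $false   # value is not configured in this GPO
    }
}

function Test-GpoLinked {
    param([Parameter(Mandatory)][string]$Name,
          [Parameter(Mandatory)][string]$Target)
    # Loopback only takes effect on computers that are in scope of the GPO,
    # so confirm an enabled link exists on the OU holding the new PCs.
    $links = (Get-GPInheritance -Target $Target).GpoLinks
    return [bool]($links | Where-Object { $_.DisplayName -eq $Name -and $_.Enabled })
}

Set-LoopbackReplace -Name $GpoName
[pscustomobject]@{
    Gpo             = $GpoName
    LoopbackReplace = Test-LoopbackReplace -Name $GpoName
    LinkedToClients = Test-GpoLinked -Name $GpoName -Target $ClientsOu
}
```

In replace mode every account that logs on to these PCs, administrators included, receives only the User Configuration from GPOs in scope of the computer; running `gpresult` on one of the clients shows which GPOs were applied.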
ASKER CERTIFIED SOLUTION
You should also install the Group Policy Management mmc tool, very helpful for working with lots of policies, however its toolset is lacking on a few things that would be helpful for administration.
Cheers,
Shoota