TITG

Help with GPOs

I migrated from SBS 2003 to 2k3 Standard and a separate Exchange... etc. The old server is gone and all is working. One thing I haven't completed is GPO. I only modified one of the GPOs, for My Documents redirection for everyone, with the current server name instead of the older SBS name, but there are a bunch of GPOs and I'm not sure if they are even used or not. I'm not so familiar with GPO. SBS got the management console to enable/disable stuff, push software install... etc. It was handy. Is there a software I can use to clean unused GPOs, push software installs, exclude the Administrator from users' GPO... etc.?
ashleyknowles86

GPOs are applied to OUs in Active Directory. If you separate your user accounts from admin accounts by putting them in different OUs, then you can set different GPOs on the OUs.

As for unused GPOs, you only *need* the Default Domain Policy and Default Domain Controllers Policy. You can remove any other policies if you so wish and re-create them. If you want to find out if they are being used or not, use the Group Policy Management Console to see if there are any GPO objects not linked to any OUs. Alternatively, if you have any empty OUs with GPOs applied, then that would suggest it isn't being used.

You can push software installations by adding software packages to a GPO and applying it to an OU with a subset of users inside of it.
TITG (ASKER)

OK... I meant something easier to manage than the Windows interface for GPOs : )

The Group Policy Management Console is what you want, not just from the Properties tab but the actual MMC snap-in. You can also use the Resultant Set of Policy snap-in. These tools allow you to easily do what you want. You can view which policies are being used by which containers and also see which settings have been altered without having to go through each individual setting.
TITG (ASKER)

Any screenshots or a link for a start?
Thank you

If it's not in Administrative Tools already, open MMC and click Add, then select Group Policy Management Console and/or RSoP. To open MMC simply type mmc into the Run dialog box from the Start menu.
If needs be, it can also be downloaded here - http://www.microsoft.com/downloads/details.aspx?FamilyId=0A6D4C24-8CBD-4B35-9272-DD3CBFC81887&displaylang=en

You can also install this http://www.microsoft.com/downloads/details.aspx?FamilyID=c16ae515-c8f4-47ef-a1e4-a8dcbacff8e3&DisplayLang=en (adminpak), and if you install both on your laptop/PC, you can manage Active Directory and Group Policy from your own machine...

(of course, only if you don't already have these things... :)

Pete
TITG (ASKER)

http://img213.imageshack.us/img213/1562/gpoqc7.jpg Totally brainwashed here... need opinion/help, and would someone be patient please... I'm understanding the GPO concept and how simple it can make my day, but if you guys can put me quickly on track to get this taken care of I would really appreciate it. So before, when we had SBS, I doubled the policies over again because someone told me if I mess up I wouldn't want to mess up with the default policies... and I ended up not using any of them : ). I'm managing this from Exchange since the DC is 64-bit and the GPO management console can't run on it... so before I do anything... I'm trying to exclude the main domain Administrator from any policies; is that what it should be? There is a blue check mark on the right side, why do I have that? The current default lock policy applies only to the Admins, which is fine; how can I apply it to the users? For XP SP3, instead of going to the user's desktop or laptop, how can I push install from GPO?

You should generally not mess with the default policies. Instead create your own set of policies and apply them as you need to. If you don't want Administrator to be bound by policies you would need to move that user account out of the OU where the policy is applied. You create a new OU and place the users into that, then apply the policy to the OU where all users are now located. To push XP SP3 you have a few options: you either use a WSUS server, create a software package and force install it using policies, or you could use a login script. The login script would take quite a bit of work and testing. The WSUS option is by far the easiest if you have a large number of PCs to get to.
TITG (ASKER)

Sorry guys... I still need help with the current setup I got in the image above... how can I exclude Administrator from GPO, and how can I make our copied policy the default policy to use instead of using the defaults?

Your domain administrator account should be in the built-in 'Users' container, as no GPO will apply to this container... Or, if you have your domain admin (or even just normal admin accounts) in a separate OU, you can use the 'Block Inheritance' option within the GPMC to stop any policies from applying to that OU (unless they are applied directly to that OU).

I think what Net Worker was saying is that the default policies should be left in place. You can modify the settings of this policy (i.e. make changes to it like the number of incorrect password attempts before lockout etc.) but you shouldn't really ADD additional settings to it or remove settings from it. Then you apply separate GPOs to accomplish any other configuration changes you want to take effect.

Are you with me so far?
For example, see the attached image of my AD layout... (all references to company name etc have been blanked out).

See the 2 containers I have highlighted in red. These are 2 of the built-in containers that are there in any AD implementation. Any containers (except OUs, which can be identified by the little 'AD book' symbol within the folder icon next to them) cannot have GPOs applied to them.

So any admin accounts can be placed within the Users container and will not have ANY GPO applied to them...

Let me know if you're following me or if I'm losing you anywhere in particular... :)
AD.jpg
TITG (ASKER)

Feel totally stupid with GPO stuff... From AD Users and Computers I right-clicked on the domain, created a new OU, right-clicked it, Properties, checked Block Policy Inheritance and moved my two users into it to exclude GPO on the OU that I created. I still have the yellow book in it? Meaning GPO is still applied?


No - that book just shows you that it's a particular type of container (called an OU) to which Group Policy CAN still apply...

If you have blocked inheritance (you can see this in the Group Policy Management Console - The OU should be marked with a blue exclamation mark) then no GPO will be INHERITED.

Remember, that blocking inheritance will not take effect on any OUs that have GPOs applied directly to them. So if you don't have any GPOs applied to that particular OU, then it won't inherit any either, meaning no GPO will be applied.

So in summary, what you've done will work (provided no GPO is applied directly to that OU!) :)
TITG (ASKER)

Okay... in Group Policy Management, when I click on the OU I just created, on the right side under Group Policy Inheritance I got two GPOs: one Small Business Folder Redirection (I need it for the users, but not for the OU I created) and Default Domain Policy. How can I remove them from this OU? I linked an image too.
TITG (ASKER)

Sorry, here:
GPO.jpg
The reason for these 2 GPOs still being applied is because they are 'enforced' GPOs. Enforced GPOs override the block inheritance option.

You would need to 'un-enforce' these 2 GPOs to stop them from overriding the Block Inheritance flag.

(the main reason for using enforced GPOs is to ensure that the GPOs which are enforced override any other GPOs that have conflicting settings).

There are other ways of achieving the same goals, but if you're comfortable with this method so far, then that is what you would need to do. :)

Please say if I'm not explaining anything properly, and I'll try to be more clear.

Cheers,

Pete
TITG (ASKER)

Unchecked Enforced... now they are gone from the OU I created. Can I add the domain administrator to the OU I created? It's now with the Users OU, and all the previous SBS server GPOs apply to him... etc. I still need to clean up GPOs... etc. Also the lockout policy that we have by default applies to the Admins group; how can I apply it to users as well?
TITG (ASKER)

Here is what I mean:
GPO.jpg
As far as I remember (I've left work now so I can't say for sure!) the domain admin account is usually located in the Users container (as in the picture I posted earlier; it's NOT an OU), in which case no GPO of any kind will apply to it anyway.

In fact, when viewing through the GPMC, you will not even see the containers I'm talking about at all (because no GPO can apply to them it would be pointless to even see them through the GPO console). That is where I advise you keep the domain admin account anyway.

As for your second question: are you sure it's only applying to the Admins group? The Default Domain Policy would normally be linked at the domain level and would therefore apply to ALL OUs (therefore all user objects, computer objects etc.) in your entire domain...

I'm afraid I can't see what you mean from that pic... It's a tad small; can you explain it again in a different way perhaps? Show me where the links are for your domain (basically an expanded view of the GPMC?)
TITG (ASKER)

Well, now on the DC, after I created this OU, I can't see what is in it or access it; I got the error I attached. But I see the changes on the Exchange box no prob, and Exchange is a member server, not a DC. We only got 1 DC, but I use Group Policy Management Console from another 32-bit 2k3 because our DC is 64-bit and it's not compatible with 64-bit.

GPO.jpg
Hi, can't say I've seen that one before, but if the error is telling the truth, then all should be OK now...

Can you check and let me know?

Pete
TITG (ASKER)

Working now...
The current GPOs I got now ("pic from the first post"): I copied the default ones and renamed them; how can I make the one I copied the active one? I don't see this policy, but for admins after 15 min or so the PC gets locked; how can I apply this to the users too in case someone walks away for a while from their PC?
Thanks
I'm sorry, I don't really understand?

The policies are assigned through the OUs or domains they are 'linked' to (done through the GPMC). If you've created a policy but it's not active, then you need to 'link' it to something (if you link it to your domain then it will apply to ALL users AND computers in that domain). If you need an explanation of how to do that then let me know.

If you have a policy that locks users' workstations after 15 mins of idle time, but it's only affecting a small group of people, then chances are that it's not linked in the right place, e.g. it's linked directly to an OU that only contains those few accounts. If you want it to affect EVERYONE, then the GPO that has that setting would need to be linked at the domain level instead.

Does that make sense?

Pete
TITG (ASKER)

Yes... I'm using GPMC; under the domain I'm seeing 7 policies: Default Domain Policy, SBS Client Computer... etc. Where can I tell who it is applied/linked to?

OK, I'm at home again now, so if you want screenshots it will have to wait till tomorrow...

But as an explanation: if you open GPMC, you can see a structure very similar to Active Directory. As you expand the domain and the OUs within it, you can see what look like 'shortcut' icons.

So for example, directly beneath your domain, you should see 'Default Domain Policy' with the little shortcut arrow next to it. This shows you that the Default Domain Policy is 'linked' to the domain itself, and will therefore apply to all user and computer objects in the domain (except for the ones that are blocking inheritance etc.).

If ALL of your GPOs are linked in that same place, then they should ALL be applying to the entire domain. However, if you cannot see any, then none of your GPOs are linked. So if you expand everything in GPMC, you should be able to see where all the links are, and therefore which GPOs are linked to which OUs etc.

An example of the 'shortcut' symbol I'm talking about is attached...
Shortcut.jpg
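The two things Pete describes by eye in GPMC (which GPOs are linked where, and which links are Enforced and so override Block Inheritance, as in his earlier reply about the two GPOs that would not go away) can also be listed in one pass. The script below is an added example, not code from the thread or from Microsoft; it assumes the GroupPolicy and ActiveDirectory PowerShell modules (shipped with RSAT on Server 2008 R2 and later, so it would need to run from a newer admin box than the 2003 servers in the thread) and an account that can read GPOs. The optional backup path is a placeholder you choose; unlinked GPOs are backed up there before you decide whether to delete them with Remove-GPO.

```powershell
# Added example (not from the original thread). Assumes RSAT's GroupPolicy and
# ActiveDirectory modules are available and the caller can read Group Policy.
param(
    [string]$BackupPath = ''   # placeholder: e.g. 'C:\GPO-Backups'; empty = no backup
)
Import-Module GroupPolicy
Import-Module ActiveDirectory

$domainDn = (Get-ADDomain).DistinguishedName
# Scopes of management that can carry links: the domain root plus every OU.
$targets  = @($domainDn) + (Get-ADOrganizationalUnit -Filter * |
            Select-Object -ExpandProperty DistinguishedName)

$linkedIds = @{}   # GPO GUID -> $true for every GPO that has at least one link
foreach ($dn in $targets) {
    $som  = Get-GPInheritance -Target $dn
    $flag = if ($som.GpoInheritanceBlocked) { '  [BLOCK INHERITANCE]' } else { '' }
    Write-Host "$($som.Path)$flag"

    foreach ($link in $som.GpoLinks) {
        $linkedIds[$link.GpoId.ToString()] = $true
        $state = @()
        if (-not $link.Enabled) { $state += 'link disabled' }
        # Enforced links win over Block Inheritance and over conflicting GPOs
        # lower down, which is why they still showed on the asker's blocked OU.
        if ($link.Enforced)     { $state += 'ENFORCED' }
        $suffix = if ($state) { ' (' + ($state -join ', ') + ')' } else { '' }
        Write-Host ("    {0,2}. {1}{2}" -f $link.Order, $link.DisplayName, $suffix)
    }
}

# GPOs that exist in the domain but are linked nowhere: candidates for cleanup.
$unlinked = Get-GPO -All | Where-Object { -not $linkedIds.ContainsKey($_.Id.ToString()) }

Write-Host "`nUnlinked GPOs ($($unlinked.Count)):"
foreach ($gpo in $unlinked) {
    Write-Host "    $($gpo.DisplayName)  modified $($gpo.ModificationTime)"
    if ($BackupPath) {
        # Back up before removal so a GPO that turns out to be needed can be restored.
        Backup-GPO -Guid $gpo.Id -Path $BackupPath | Out-Null
    }
}
```

Run it from an elevated PowerShell session as `.\Get-GpoLinkReport.ps1 -BackupPath C:\GPO-Backups` (the file name is your choice). A GPO in the unlinked list is not necessarily junk: a freshly copied policy that has not been linked yet, like the asker's renamed copies of the defaults, shows up here too, so read the report before removing anything.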
TITG (ASKER)

Pete... the info is great, I got the concept of GPOs... but I still can't find the policy that locks computers after 15 min, and it's only applied for the Admins. Can I get one more bit of help?

Thanks
You can't do this directly as you want to, however you can do it using Screensaver options in a GPO.

In a new/existing GPO, go to User Configuration -> Administrative Templates -> Control Panel -> Display, and enable the following settings -

Activate screen saver: Enabled
Screen saver executable name: Enabled (Enter the FULL path to the screensaver file)
Password protect the screen saver: Enabled
Screen Saver timeout: Enabled (15)

This should be applied at the domain level if you want it to affect ALL users, and will mean that after 15 mins of idle time the screen saver will kick in, and when the user returns to the PC and either moves the mouse or presses any key, they will be prompted for their domain password before they can get back in.

I believe that is the only way to accomplish what you're trying to do!

Any further questions, just ask... :)

Pete

The downside is that you have to find a generic screensaver (if you have a company screensaver anywhere, this would be ideal, if not, some people just choose one of the text screensavers and just have the company name bouncing around the screen)
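The four Administrative Templates settings Pete lists each write one value under the per-user policy key HKCU\Software\Policies\Microsoft\Windows\Control Panel\Desktop, which means the same GPO can be built and verified from PowerShell. The script below is an added example and is not code from the thread or from Microsoft; it assumes RSAT's GroupPolicy and ActiveDirectory modules, that the GPO name is a placeholder you choose, and that the blank screensaver scrnsave.scr is present in System32 (it is the generic screensaver Pete says you need to pick; substitute a company one if you have it). Note that the policy's timeout value is stored in seconds, so the 15-minute idle lock is 900. The Test-IdleLockPolicy function is meant to be run on a workstation after gpupdate, in the context of an ordinary user, to confirm the policy actually reached them.

```powershell
# Added example (not from the original thread). Assumes RSAT's GroupPolicy and
# ActiveDirectory modules; GPO name and screensaver path are placeholders.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$GpoName  = 'Workstation Idle Lock'                   # placeholder GPO name
$DomainDn = (Get-ADDomain).DistinguishedName          # link at domain level = all users
$ScrPath  = "$env:SystemRoot\System32\scrnsave.scr"   # assumed: built-in blank screensaver
$Timeout  = 15 * 60                                   # policy value is in SECONDS: 900 = 15 min
$PolKey   = 'HKCU\Software\Policies\Microsoft\Windows\Control Panel\Desktop'

$gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
if (-not $gpo) { $gpo = New-GPO -Name $GpoName }

# One registry value per Administrative Templates setting under
# User Configuration -> Administrative Templates -> Control Panel -> Display.
$values = @{
    'ScreenSaveActive'    = '1'          # Activate screen saver: Enabled
    'SCRNSAVE.EXE'        = $ScrPath     # Screen saver executable name
    'ScreenSaverIsSecure' = '1'          # Password protect the screen saver: Enabled
    'ScreenSaveTimeOut'   = "$Timeout"   # Screen saver timeout (seconds)
}
foreach ($name in $values.Keys) {
    Set-GPRegistryValue -Name $GpoName -Key $PolKey -ValueName $name `
        -Type String -Value $values[$name] | Out-Null
}

# Link the GPO at the domain root unless it is already linked there.
$existing = (Get-GPInheritance -Target $DomainDn).GpoLinks |
            Where-Object { $_.GpoId -eq $gpo.Id }
if (-not $existing) {
    New-GPLink -Name $GpoName -Target $DomainDn -LinkEnabled Yes | Out-Null
}
Write-Host "'$GpoName' configured and linked to $DomainDn"

# Client-side check: run as the user on a workstation after 'gpupdate /force'.
function Test-IdleLockPolicy {
    param([int]$ExpectedSeconds = 900)
    $p = Get-ItemProperty -Path ('HKCU:\' + $PolKey.Substring(5)) -ErrorAction SilentlyContinue
    $result = [pscustomobject]@{
        ScreenSaverOn   = ($p.ScreenSaveActive -eq '1')
        PasswordOnWake  = ($p.ScreenSaverIsSecure -eq '1')
        TimeoutSeconds  = [int]$p.ScreenSaveTimeOut
        ScreenSaverFile = $p.'SCRNSAVE.EXE'
    }
    # Compliant only when all four settings arrived and the timeout is no longer than expected.
    $result | Add-Member -NotePropertyName Compliant -NotePropertyValue (
        $result.ScreenSaverOn -and $result.PasswordOnWake -and
        $result.TimeoutSeconds -gt 0 -and $result.TimeoutSeconds -le $ExpectedSeconds -and
        [bool]$result.ScreenSaverFile) -PassThru
}
```

If Test-IdleLockPolicy reports the key as missing on a user's machine while it is present for an administrator, the GPO is linked somewhere that only contains the admin accounts, which is exactly the symptom the asker describes; the fix is the link location, not the settings.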
TITG (ASKER)

Got it... The policies under the domain apply to everyone... I created an OU and added the TS server to it to create some GPOs for that server. Some of the domain-level GPOs I don't want to apply to this OU; how can I do that though?
 
ASKER CERTIFIED SOLUTION
PeteJThomas