• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 263
  • Last Modified:

Group Policy Procedure

1. What is the best procedure for creating and implementing a new policy.

A. Create policy and link to the domain, specify who it applies to with the security filtering
B. Create OU, move users???  create and link GPO to OU?

2. Must all users in the domain have 1 single dns server, the AD DNS server ip?
3. I created a test GPO and linked it to the domain, added group at the bottom. Didn't work
    I then added an individual user from that group, then it worked. I'm puzzled.

I'm just getting my feet wet as you can see and  appreciate the help.
0
zen_68
Asked:
zen_68
  • 3
  • 3
1 Solution
 
Karl12347Commented:
A. Create policy and link to the domain, specify who it applies to with the security filtering
B. Create OU, move users???  create and link GPO to OU?

There is no right or wrong way to implement group policies, it all depends on the structure of your AD. if you have it structured by dept then you will not be able to move people into different OU's for every GPO.
It is best to apply a group policy to the top folder structure of a OU and then Use security to filter it out.

As for the clients, they should have that DNS server in config recieved from the DHCP server.
Not sure why your group did not work in Group policy. Is the group a security Global group? Do not create groups as domain local groups. Universal groups are only used for multiple domain forests with trusts.

Hoep this helps.
Karl
0
 
r_panosCommented:
Karl12347 is right, there's no right or wrong way.

The approach I use in my AD assessments is the following:

- I create an empty OU that will become the placeholder of all GPOs (except the default 2 of course);
- I create policies "on" that OU;
- I link the policies wherever I want to;

This way I have a placeholder and GPOs without impact to AD; I can test them, linkining them to test OUs, assigning permissions etc, etc; I can unlink them from "production" without deleting them, modify them, test them again and start all over.

But this is only an approach.

For what regards the second part of your question , Karl12347 was more then exhaustive. Clients may have as many DNS servers as you have your AD (preferably of the site they belong).
0
 
zen_68Author Commented:
On some clients I have a secondary dns which is not an AD dns server in case the DC (our only DC) would be unavailable, they would still have internet access. Stupid? Will this prevent GPO's from working? I read that on a post here about only having the AD DNS server entry.

No DHCP......all static
0
Cloud Class® Course: Certified Penetration Testing

This CPTE Certified Penetration Testing Engineer course covers everything you need to know about becoming a Certified Penetration Testing Engineer. Career Path: Professional roles include Ethical Hackers, Security Consultants, System Administrators, and Chief Security Officers.

 
zen_68Author Commented:
"- I create policies "on" that OU;" ------------on or in?
"- I link the policies wherever I want to;"
0
 
r_panosCommented:
Created in; the empty OU becomes the container.

By linking the GPO wherever I mean I link it to multiple oU (if necessary).
0
 
zen_68Author Commented:
Why wouldn't you just use the Group Policy Objects container?

How about the DNS question? If I have an external DNS server ip as the secondary, does this have adverse effects on GP?
0
 
r_panosCommented:
No there's no problem on the GPO.
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

Free Tool: ZipGrep

ZipGrep is a utility that can list and search zip (.war, .ear, .jar, etc) archives for text patterns, without the need to extract the archive's contents.

One of a set of tools we're offering as a way to say thank you for being a part of the community.

  • 3
  • 3
Tackle projects and never again get stuck behind a technical roadblock.
Join Now