Solved

Is there a better/easier way to configure GPO?

Posted on 2008-10-15
Last Modified: 2010-03-17
I want to set up a GPO for our users and a GPO for the administration on the network... meaning, the managers of all the departments.

Now, on my test server that I play around on, in AD I created 2 new OUs: Office Users and Administration.

In Group Policy editor, I made a GPO and named it Office Users. I set all their restrictions and enforced the policy for that group.

Staying in Group Policy editor, I made another GPO and named it Administration and I just left it alone, didn't change any options.

I make a test user, john, and by habit, I put him in the normal AD users folder. I take him from the users folder and move him to the Office Users folder, and I get a pop-up that states something along the lines of... it can damage the account if moved from the users folder... I am sure you guys know the pop-up I am talking about.

Once I move john over to the Office Users OU, I log in on my workstation that is already connected to the domain, and all of the restrictions are in effect. I was not surprised, this is what the GPO is for. I logged my user out, moved him from the Office Users OU to the Administration OU, and when I logged back in as john on the desktop workstation, the restrictions were gone and he had access to everything.

So, everything I did seemed to work just fine.

Here is my question...

Is there a better way to do what I am doing?

My only problem is that if I want to change a setting for that user, I would have to move them from one OU to the other.
0
Question by:tomdlgns
3 Comments
 

Accepted Solution

by:
ckozloski earned 125 total points
ID: 22721745
No. You move them from one group to another. It's easier that way. You can apply your GPOs to user groups instead of OUs and just change the group membership of the person you want the settings to change on.
So, create two groups: Administration and Office Users.
Change the enforcement for your two GPOs to Administration and Office Users.
Then change the group membership of your test user to Office Users. Create another test user and add him to the group Administration.
Log in with the two and see the difference.
Hope this helps.
0
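The group-based setup described in the accepted solution, scripted as an added example that is not part of the original post. It assumes the RSAT ActiveDirectory and GroupPolicy modules, that the two GPOs from the question already exist, and uses a placeholder domain DN and a hypothetical `OU=Staff` that holds all user accounts.

```powershell
# Added example, not from the thread. Placeholder values are marked below.
Import-Module ActiveDirectory, GroupPolicy

$domainDn = 'DC=example,DC=com'       # placeholder domain DN
$usersOu  = "OU=Staff,$domainDn"      # hypothetical OU holding every user account

# GPO names from the question; the answer suggests groups with the same names.
foreach ($name in 'Office Users', 'Administration') {

    # Create the security group used as the GPO's security filter, if missing.
    if (-not (Get-ADGroup -Filter "Name -eq '$name'")) {
        New-ADGroup -Name $name -GroupScope Global -GroupCategory Security
    }

    # Members of the group get Read + Apply on the GPO.
    Set-GPPermission -Name $name -TargetName $name `
        -TargetType Group -PermissionLevel GpoApply

    # Authenticated Users drops from Apply to Read-only. Read is kept so the
    # GPO can still be retrieved during policy processing.
    Set-GPPermission -Name $name -TargetName 'Authenticated Users' `
        -TargetType Group -PermissionLevel GpoRead -Replace

    # Both GPOs are linked at the same OU; the filter decides who gets which.
    New-GPLink -Name $name -Target $usersOu -ErrorAction SilentlyContinue
}

# Switching policy sets is now a membership change, not an OU move.
# 'john' is the test user from the question.
Add-ADGroupMember    -Identity 'Office Users'   -Members 'john'
Remove-ADGroupMember -Identity 'Administration' -Members 'john' `
    -Confirm:$false -ErrorAction SilentlyContinue

# Review the resulting filter and the user's memberships.
Get-GPPermission -Name 'Office Users' -All | Select-Object Trustee, Permission
Get-ADPrincipalGroupMembership -Identity 'john' | Select-Object Name

# On the workstation, after john logs off and on again:
#   gpresult /r /scope user
```

Group membership is evaluated at logon, so the change takes effect the next time the user signs in. A user left in both groups receives both GPOs.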
 

Author Comment

by:tomdlgns
ID: 22721851
OK, that is a good way to do it as well.

Can I corrupt the user account if I keep moving it back and forth from folder to folder?

What role does the Member Of tab have in the AD user properties?

I have noticed, at times, if there is a restricted user on my network, for example, they can't change the power settings on their computer, if I click the Member Of tab and add them as an administrator, they now have access to change power settings.

I suppose I might be looking into this too deep.

0
 

Expert Comment

by:ckozloski
ID: 22722082
No, you have to look into group policies very deeply. They can get confusing and you can actually create a lot of issues just by implementing GPOs. If done right, however, they are an administrator's dream come true.
You can't corrupt a user account by moving it from OU to OU. What can happen is that anything that may be tied to that OU will be lost when you move it to a different OU and vice versa.
And yes, if you put a user in the Administrators group, you give them administrative rights to the computers and they will be able to change all that stuff and then some. Better to use the Power Users group instead.
You can also use group policy to assign what rights they do have access to on the local machine, such as power settings and things like that.
0
