Hello,
We have a pretty straightforward setup with regards to our OU's and GPO's.
Each Department has an OU, so Procurement, PRO, Marketing, etc.
Each of these departments have their own GPO and they are working fine.
We have one General Policy at root level for passwords, backgrounds and common shares.
The rest as above are specific to each OU.
Now a new policy has been implemented to prevent USB keys from being used.
However top management have asked me not to apply it to the Management OU.
I believe I have 3 ways of doing this but I really don't think they are the right ways?
1. Create a new Policy at root level and Block Inheritance on the Management OU and Apply the single "General" Policy to Top Management OU and nothing else (for passwords, backgrounds, etc.)
2. Modify the Group Policy for each of the 7 departments to include these new settings and keep the Top Management OU the way it is.
3. Something about modifying the security permissions not to apply that specific policy on the Top Management OU.
Ideally, if possible, I'd like to keep the route "General" policy and apply all the settings from it to all OU's except those specific USB settings to the Top Management OU. This would ultimately save adding additional root GPO's or similar.
What would be the correct or best practice way?
(p.s.) we have Windows 7 and Windows XP machines so we had to import the ADM file for the XP machines.
Thanks.
We have a pretty straightforward setup with regards to our OU's and GPO's.
Each Department has an OU, so Procurement, PRO, Marketing, etc.
Each of these departments have their own GPO and they are working fine.
We have one General Policy at root level for passwords, backgrounds and common shares.
The rest as above are specific to each OU.
Now a new policy has been implemented to prevent USB keys from being used.
However top management have asked me not to apply it to the Management OU.
I believe I have 3 ways of doing this but I really don't think they are the right ways?
1. Create a new Policy at root level and Block Inheritance on the Management OU and Apply the single "General" Policy to Top Management OU and nothing else (for passwords, backgrounds, etc.)
2. Modify the Group Policy for each of the 7 departments to include these new settings and keep the Top Management OU the way it is.
3. Something about modifying the security permissions not to apply that specific policy on the Top Management OU.
Ideally, if possible, I'd like to keep the route "General" policy and apply all the settings from it to all OU's except those specific USB settings to the Top Management OU. This would ultimately save adding additional root GPO's or similar.
What would be the correct or best practice way?
(p.s.) we have Windows 7 and Windows XP machines so we had to import the ADM file for the XP machines.
Thanks.
Learn from the best
Network and collaborate with thousands of CTOs, CISOs, and IT Pros rooting for you and your success.
Andrew Hancock - VMware vExpert
See if this solution works for you by signing up for a 7 day free trial.
Unlock 1 Answer and 14 Comments.
Try for 7 days”The time we save is the biggest benefit of E-E to our team. What could take multiple guys 2 hours or more each to find is accessed in around 15 minutes on Experts Exchange.
Our community of experts have been thoroughly vetted for their expertise and industry experience.