Solved

Questions for Group Policy, OU and others.

Posted on 2013-11-15
Last Modified: 2013-11-15
I'd like to straighten out my old questions to understand Group Policy better, so please read all the questions; I hope you can answer them.

1. For Active Directory, in what cases is an OU really helpful? Is it just like a folder in a file system, used to organize computers and users? In my case, I often have to apply a group policy to computers belonging to different OUs. I wonder what other purposes an OU is meaningful for.

2. In Group Policy, I often read that the OU is the smallest unit you can apply a group policy to. I don't quite understand this. If I have to apply a single group policy to computers from different OUs (as in Question 1), then I apply the group policy to the domain root directly and can filter by 'security filtering' under the Scope tab in the group policy. Wouldn't that be easier than applying the group policy to an OU and later finding that it needs to be applied to some portion of the computers/users in another OU?

3. In Group Policy Management, when I click the domain, the right pane shows the tab 'Linked Group Policy', which has a 'link order' column. The next tab is 'Group Policy Inheritance', which has a 'precedence' column. Can you explain the differences between the two tabs, what the columns mean, and how I can take advantage of ordering GPOs here?

4. What is the Delegation tab on GPOs and where is it useful?
Question by:crcsupport
4 Comments
 
Assisted Solution

by:Joseph Daly
Joseph Daly earned 200 total points
1. OUs are used for logical grouping of objects. As you said, they can be compared to a folder for your files. Depending on your Active Directory structure, these OUs can be organized by department, region, office, etc. This is highly variable, and which OU structure fits best depends on your organization.

Sometimes, yes, you may need to apply a group policy to multiple OUs if the objects that it applies to are spread over different OUs.

2. The OU is the smallest container you can apply it to. GPOs can be applied to the domain, sites and OUs. You can use security filtering regardless of where you apply the GPO. You cannot attach a GPO to an individual user or computer account.

3. Inheritance occurs if you have an OU under other OUs that also have group policy applied. The combination of policies is what gets applied to the computer or user. This can be overridden by blocking policy inheritance.

4. The Delegation tab is basically the permission tab of the GPO. It determines what objects have what specific permissions on the GPO. It can also be used to deny read and apply in the event you want to block a GPO from being applied to a user or computer object.
Author Comment

by:crcsupport
Can you tell me more about link order and precedence order?
Accepted Solution

by:Mahesh
Mahesh earned 300 total points
You can have all computers in one OU and can create global groups.
Add computers to that group.
Now create multiple GPOs, apply them to the single OU and do the security filtering, unless you have a delegated model.
In a delegated model, this concept will not work.
Also, you can use WMI filters to differentiate computers running XP, Win7 and so on.
The OU is useful for delegation in big setups.

Linked GPOs are the group policies applied at a particular OU level.
Link order decides the precedence of the GPO order to apply.
The last GPO in the list, from the bottom, will apply first.
The top GPO in the list will apply last, hence having precedence over the down-level GPOs.
GPO inheritance:
This includes GPOs from the top level in the hierarchy.
This means:
This can be looked at at the OU level; domain policies and top-level OU policies will be inherited by down-level OUs.
You can block inheritance at the OU level by selecting "Block Inheritance".
But policies which have been enforced cannot be blocked by the above technique.
You cannot change the inheritance, but you can block the inheritance for all top-level policies except enforced policies.
You can change the precedence of GPOs by changing their order in the list.
Finally,
the Delegation tab: you can control who can do what with each GPO.
This means:
you can give delegated permission to one group to only read and apply (security filtering) specific policies,
one group can edit GPOs,
one group can edit, modify, delete and change the security of policies,
etc.
If you add a user or group to the Group Policy Creator Owners group, then that user\group will have complete control over all GPOs in the domain and can create, delete, modify and manage them with full control.
Hope that helps.
Thanks
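
The link order, inheritance, Block Inheritance and Enforced rules from the answers above, modelled as an added example that is not part of the thread. The container and GPO names are constructed, and the model leaves out site links, disabled links and security/WMI filtering.

```python
from dataclasses import dataclass

@dataclass
class Link:
    gpo: str
    enforced: bool = False

@dataclass
class Container:
    name: str
    links: list                     # index 0 is link order 1 on the linked-GPO tab
    block_inheritance: bool = False

def precedence(path):
    """path: containers from the domain root down to the OU holding the object.
    Returns GPO names as the inheritance tab lists them: precedence 1 (winner) first."""
    # The lowest container with Block Inheritance hides every non-enforced
    # link that sits on a container above it.
    cutoff = max((i for i, c in enumerate(path) if c.block_inheritance), default=0)
    # Enforced links ignore blocking; an enforced link higher in the tree
    # beats an enforced link lower down.
    enforced = [l.gpo for c in path for l in c.links if l.enforced]
    # Non-enforced links: the closest OU wins, then link order 1, 2, ... inside it.
    normal = []
    for depth in range(len(path) - 1, cutoff - 1, -1):
        normal += [l.gpo for l in path[depth].links if not l.enforced]
    return enforced + normal

def apply_order(path):
    """Processing order: lowest precedence is applied first, the winner last."""
    return list(reversed(precedence(path)))

# Constructed sample hierarchy (hypothetical names).
DOMAIN = Container("corp.example", [Link("Default Domain Policy"),
                                    Link("Baseline-Security", enforced=True)])
WORKSTATIONS = Container("Workstations", [Link("WS-Firewall"), Link("WS-Updates")])
KIOSKS = Container("Kiosks", [Link("Kiosk-Lockdown")], block_inheritance=True)

if __name__ == "__main__":
    for path in ([DOMAIN, WORKSTATIONS], [DOMAIN, WORKSTATIONS, KIOSKS]):
        print(path[-1].name)
        for rank, gpo in enumerate(precedence(path), start=1):
            print(f"  precedence {rank}: {gpo}")
```

On a machine with the GroupPolicy PowerShell module, `Get-GPInheritance -Target` with an OU's distinguished name returns the real equivalents as `GpoLinks` (link order) and `InheritedGpoLinks` (precedence).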
Author Closing Comment

by:crcsupport
Wonderful!