Questions for Group Policy, OU and others.

Posted on 2013-11-15
Last Modified: 2013-11-15
I would like to straighten out my old questions to understand Group Policy better, so please read all the questions; I hope you can answer.

1. For Active Directory, in what cases is an OU really helpful? Is it just like a folder in a file system to organize computers and users? In my case, I often have to apply a group policy to computers belonging to different OUs. I wonder what other purposes an OU is meaningful for.

2. In Group Policy, I often read that the OU is the smallest unit you can apply group policy to. I am not quite understanding this. If I have to apply a single group policy to computers from different OUs (as in Question 1), then I apply the group policy to the domain root directly and can filter by 'Security Filtering' under the Scope tab in the group policy. Wouldn't that be easier than applying the group policy to an OU and later finding that the group policy needs to be applied to some portion of the computers/users in another OU?

3. In Group Policy Management, when I click the domain, the right pane shows the tab 'Linked Group Policy', which has a 'link order' column. The next tab is 'Group Policy Inheritance', which has a 'precedence' column. Can you explain the differences between the two tabs, what the columns mean and how I can take advantage of ordering GPOs here?

4. What is the Delegation tab on GPOs and where is it useful?
Question by:crcsupport

Assisted Solution

by:Joseph Daly
Joseph Daly earned 200 total points
ID: 39651808
1. OUs are used for logical grouping of objects. As you said, they can be compared to a folder for your files. Depending on your Active Directory structure, these OUs can be organized by department, region, office, etc. This is highly variable, and which OU structure will fit best depends on your organization.

Sometimes, yes, you may need to apply a group policy to multiple OUs if the objects that it applies to are spread over different OUs.

2. The OU is the smallest container you can apply it to. GPOs can be applied to the domain, sites and OUs. You can use security filtering regardless of where you apply the GPO. You cannot attach a GPO to an individual user or computer account.

3. Inheritance occurs if you have an OU under other OUs that also have group policy applied. The combination of policies is what gets applied to the computer or user. This can be overridden by blocking policy inheritance.

4. The Delegation tab is basically the permission tab of the GPO. It determines what objects have what specific permissions on the GPO. It can also be used to deny read and apply in the event you want to block a GPO from being applied to a user or computer object.

Author Comment

by:crcsupport
ID: 39651814
Can you tell me more about link order and precedence order?

Accepted Solution

by:
Mahesh earned 300 total points
ID: 39651815
You can have all computers in one OU and can create global groups.
Add computers to that group.
Now create multiple GPOs, apply them to the single OU and do the security filtering, unless you have a delegated model.
In a delegated model, this concept will not work.
You can also use WMI filters to differentiate computers running XP, Win7 and so on.
The OU is useful for delegation in big setups.

Linked GPOs are the group policies applied at a particular OU level.
Link order decides the precedence in which GPOs are applied.
The last GPO in the list, at the bottom, will apply first.
The top GPO in the list will apply last, hence having precedence over the GPOs lower in the list.
GPO inheritance:
This includes GPOs from the top level in the hierarchy.
This means that, looked at from the OU level, domain policies and top-level OU policies will be inherited by lower-level OUs.
You can block inheritance at the OU level by selecting "block inheritance".
But policies which have been enforced cannot be blocked by the above technique.
You cannot change the inheritance, but you can block the inheritance of all top-level policies except enforced policies.
You can change the precedence of GPOs by changing their order in the list.
Finally,
Delegation tab: you can control who can do what with each GPO.
This means
you can give delegated permission to one group to only read and apply (security filtering) specific policies,
one group can edit GPOs,
one group can edit, modify, delete and change the security of policies,
etc.
If you add a user or group to the Group Policy Creator Owners group, then that user\group will have complete control over all GPOs in the domain and can create, delete, modify and manage them with full control.
Hope that helps
Thanks
0
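The link order, inheritance and delegation views discussed in the answers above can also be read from PowerShell, which is useful for checking who is able to change the policies that reach an OU. This is an added example, not part of any post in this thread; it assumes the GroupPolicy module (RSAT / Group Policy Management) is installed, and the OU distinguished name is a hypothetical placeholder.

```powershell
#Requires -Modules GroupPolicy
# Added example. $Target is a hypothetical OU distinguished name; replace it.
param(
    [string]$Target = 'OU=Workstations,DC=example,DC=com'
)

$inh = Get-GPInheritance -Target $Target

# "Linked Group Policy Objects" tab: GPOs linked directly to this container.
# Link order 1 is processed last, so it wins a conflict among these links.
"Block inheritance on ${Target}: $($inh.GpoInheritanceBlocked)"
$inh.GpoLinks | Sort-Object Order |
    Format-Table Order, DisplayName, Enabled, Enforced -AutoSize

# "Group Policy Inheritance" tab: every GPO that reaches this container,
# including links on parent containers. Rows are numbered in the order the
# cmdlet returns them (highest precedence first). Enforced links from parents
# stay in this list even when inheritance is blocked.
$rank = 0
$effective = foreach ($link in $inh.InheritedGpoLinks) {
    $rank++
    [pscustomobject]@{
        Precedence = $rank
        GPO        = $link.DisplayName
        LinkedAt   = $link.Target
        Enforced   = $link.Enforced
        GpoId      = $link.GpoId
    }
}
$effective | Format-Table Precedence, GPO, LinkedAt, Enforced -AutoSize

# Delegation tab: trustees who can change a GPO that applies here.
# GpoCustom is included because a custom ACE needs a manual look.
$writePerms = 'GpoEdit', 'GpoEditDeleteModifySecurity', 'GpoCustom'
$editors = foreach ($gpo in $effective) {
    Get-GPPermission -Guid $gpo.GpoId -All |
        Where-Object { "$($_.Permission)" -in $writePerms } |
        Select-Object @{ n = 'GPO';         e = { $gpo.GPO } },
                      @{ n = 'Trustee';     e = { $_.Trustee.Name } },
                      @{ n = 'TrusteeType'; e = { $_.Trustee.SidType } },
                      Permission
}
$editors | Sort-Object GPO, Trustee | Format-Table -AutoSize
```

Any trustee in the last table can alter settings delivered to every computer or user in the target OU, so that list should be as short as the list of administrators for those objects.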
 

Author Closing Comment

by:crcsupport
ID: 39651867
Wonderful!