Group Policy Question 1

bdoub1eu

IS-IT--Management
Dec 10, 2003
Okay, I heard a few different opinions on where to apply the group policy... I've heard if you want to implement the GP to the entire domain, it's easier to apply the GP at the domain level... Others have said to create a separate OU and then add all the users into that OU and keep the domain GP in pristine condition?

Does it really matter whether you apply it at the domain level or in another OU that you create?

Thanks in advance!
 
No, it does not matter. All that is important is that you plan ahead, design your GPO structure according to your OU structure and properly set the security for the GPO to ensure that the settings will only apply to the users or groups that you want it to.

I hope you find this post helpful. Please let me know if it was.

Regards,

Mark
 
If you apply it to the domain then all users, including administrators, will be affected. It's better if you create an OU and place all those users there... and apply the policy.
 
Bickyz, sorry but that is incorrect. As I stated above you need to set the security properly. This is a step that most people miss and then have policies being applied where they don't want them.

As a general rule, I always set DENY for a policy to the administrators group to ensure you don't accidentally lock down the admin ID.

I hope you find this post helpful. Please let me know if it was.

Regards,

Mark
 
My thoughts exactly! So how does this sound?

In Active Directory Users and Computers, I create a new OU in the domain. At that point, how do I get the users/computers into that OU? Do I create a group and then add the users or just add the users straight into the domain?

I'm trying to create a policy to automatically give proxy settings and disable changing them for the user... These options are under the user config in GP. I was able to successfully do this with an OU at the domain level, but like you said, since it is applied at the domain level, it affects all machines including admins and servers.

Thanks for the help!
 
bdoub1eu,

Not sure who you were agreeing with.

Sounds like you have already done most of the work. I would suggest you not mess with moving your user objects around at this point.

I suggest you do the following.

Create a group for your users that you want to configure. Call it something helpful like proxysetgroup.

Right click the domain in ADUC. Select properties.

Highlight your OU and click the properties button. Click the SECURITY tab.

Remove the following groups from the list:
Everyone, Domain Users, Authenticated Users.

Add the proxysetgroup.

Now configure the permissions. If you scroll to the end of the list you will see that the last setting is to APPLY or DENY the policy. Set this to Apply for the proxysetgroup and set it to Deny for the Administrators group.

This will prevent the policy from affecting your administrators and ensure that only those users you put in the proxysetgroup actually get configured.

Note: If you have users you want to block from getting the Internet, duplicate your GPO but put in a bad proxy address. Configure these users with the bad proxy and lock them out from changing it.

I hope you find this post helpful. Please let me know if it was.

Regards,

Mark
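The procedure Mark describes above (domain-level link, Authenticated Users removed, Apply granted to one group) done with the GroupPolicy and ActiveDirectory modules that ship with RSAT. This is an added example, not code from the thread, and it postdates the ADUC-only workflow being discussed. The GPO name, the proxy address and the registry values are assumptions; `proxysetgroup` is the name used in the thread. Two caveats a practitioner would want: `Set-GPPermission` cannot write Deny ACEs, so the "Deny for Administrators" step has to be done on the GPO's Delegation tab in GPMC (or avoided by simply keeping admin accounts out of the group, which also keeps `gpresult` easier to read); and since MS16-072 (KB3163622) user settings are read in the computer's security context, so if you remove Authenticated Users you must leave computers with Read or the user half of the policy silently stops applying.

```powershell
# Added example (not from the thread): scope a proxy-settings GPO to one group
# with security filtering while leaving the link at the domain level.
# Assumes RSAT GroupPolicy + ActiveDirectory modules and domain-admin rights.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$GpoName   = 'Proxy Settings - Locked'     # hypothetical GPO name
$GroupName = 'proxysetgroup'               # group name used in the thread
$Proxy     = 'proxy.example.com:8080'      # constructed placeholder address
$DomainDN  = (Get-ADDomain).DistinguishedName

# 1. Security group that will receive the policy (global group, as Mark suggests later).
if (-not (Get-ADGroup -Filter "Name -eq '$GroupName'")) {
    New-ADGroup -Name $GroupName -GroupScope Global -GroupCategory Security `
        -Description 'Users who receive the locked proxy settings GPO'
}

# 2. Create the GPO and link it at the domain root. The ACL below, not the
#    link location, decides who actually applies it.
$gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
if (-not $gpo) { $gpo = New-GPO -Name $GpoName }
New-GPLink -Name $GpoName -Target $DomainDN -LinkEnabled Yes -ErrorAction SilentlyContinue

# 3. User Configuration: set the proxy and stop the user from changing it.
#    (The first two keys are the ones IE reads; the third is the
#    "Prevent changing proxy settings" administrative template value.)
$ieKey = 'HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
Set-GPRegistryValue -Name $GpoName -Key $ieKey -ValueName 'ProxyEnable' -Type DWord  -Value 1      | Out-Null
Set-GPRegistryValue -Name $GpoName -Key $ieKey -ValueName 'ProxyServer' -Type String -Value $Proxy | Out-Null
Set-GPRegistryValue -Name $GpoName `
    -Key 'HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel' `
    -ValueName 'Proxy' -Type DWord -Value 1 | Out-Null

# 4. Security filtering: drop the default Authenticated Users "Apply" ACE
#    (-Replace is required when the new level is None) and grant Apply to the group.
Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' -TargetType Group `
    -PermissionLevel None -Replace | Out-Null
Set-GPPermission -Name $GpoName -TargetName $GroupName -TargetType Group `
    -PermissionLevel GpoApply | Out-Null

# 5. MS16-072 caveat: computers must keep Read on the GPO or user settings
#    will not be retrieved at all for anyone.
Set-GPPermission -Name $GpoName -TargetName 'Domain Computers' -TargetType Group `
    -PermissionLevel GpoRead | Out-Null

# 6. Show the resulting filtering so it can be eyeballed before rollout.
Get-GPPermission -Name $GpoName -All |
    Select-Object Trustee, TrusteeType, Permission |
    Format-Table -AutoSize
```

Run it once on a DC or management host; afterwards add users to `proxysetgroup` and have them log off and on (group membership is evaluated from the logon token, so a `gpupdate` alone will not pick up a brand-new membership).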
 
Thanks for the response,

Here's what I did...This is all in a test environment...

I created a new OU in the domain called OU1, added a group into that OU called proxy set group and added one user into that group...Then I configured the group policy and set it for no override so the local computer policy wouldn't take precedence...

You mentioned:
Right click the domain in ADUC. Select properties.

Highlight your OU and click the properties button. Click the SECURITY tab.

I don't see a security tab anywhere...All I see is the General, Managed by and Group Policy tab...

I did test for the fun of it to see if the settings would be pushed out to the one client and they weren't.
 
Ah, nevermind...I see it now...So why do I remove the Everyone, Domain Users, Authenticated Users from the permissions list...They don't have the allow policy checked so the GP wouldn't be applied to them would they?

Okay, recap...I created a new OU, created a group called proxysetgroup, added a user (test), went into the properties of the OU and removed the authenticated users group leaving only the Domain admin, enterprise admin, system group and then added the proxysetgroup into that permission list and checked the allow group policy.

I logged off and logged back in and the settings weren't pushed out...Should I have checked the NO override option?
 
Did you update the policies on the local machine?

on WinXP run

GPUPDATE /FORCE

on Win2k it is two commands

SECEDIT /REFRESHPOLICY MACHINE_POLICY /ENFORCE
SECEDIT /REFRESHPOLICY USER_POLICY /ENFORCE

Reboot the workstation.

I hope you find this post helpful. Please let me know if it was.

Regards,

Mark
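When a refresh with `gpupdate /force` still does not deliver the settings, the usual causes in this thread are the three things below: the security filtering on the GPO, whether the test user is really a member of the filtered group, and where the user object itself sits relative to the link (a GPO linked to an OU reaches the user objects located under that OU; placing a group object in the OU does not pull its members in). This is an added diagnostic script, not from the thread; it assumes the RSAT modules and uses the hypothetical GPO/group/user names from the earlier example.

```powershell
# Added example (not from the thread): find out why a user-scoped GPO did not
# apply to a test user. Run on a domain-joined machine with RSAT installed.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$GpoName   = 'Proxy Settings - Locked'   # hypothetical
$GroupName = 'proxysetgroup'
$User      = 'test'

# 1. Security filtering: who may Read/Apply the GPO? Computers must keep Read (MS16-072).
Write-Host "`n== Security filtering on '$GpoName' =="
Get-GPPermission -Name $GpoName -All |
    Where-Object { $_.Permission -in 'GpoApply', 'GpoRead' } |
    Format-Table Trustee, TrusteeType, Permission -AutoSize

# 2. Membership, including nested groups.
$members = Get-ADGroupMember -Identity $GroupName -Recursive |
           Select-Object -ExpandProperty SamAccountName
Write-Host ("User '{0}' member of '{1}': {2}" -f $User, $GroupName, ($members -contains $User))

# 3. Scope: where does the user object live, and what is linked at the domain?
$userDn = (Get-ADUser -Identity $User).DistinguishedName
Write-Host "User object DN: $userDn"
$domainDn = (Get-ADDomain).DistinguishedName
foreach ($link in (Get-GPInheritance -Target $domainDn).GpoLinks) {
    Write-Host ("Linked at domain: {0} (enabled={1}, enforced={2})" -f `
        $link.DisplayName, $link.Enabled, $link.Enforced)
}

# 4. Refresh user policy on this machine and read back the client's decision.
#    gpresult marks GPOs as Applied, "Denied (Security)" or filtered out.
gpupdate /target:user /force | Out-Null
gpresult /r /scope:user

# 5. Machine-readable RSoP for the same user on this computer.
$report = Join-Path $env:TEMP 'rsop.xml'
Get-GPResultantSetOfPolicy -ReportType Xml -Path $report `
    -User "$env:USERDOMAIN\$User" -Computer $env:COMPUTERNAME | Out-Null
[xml]$rsop = Get-Content -Path $report
$rsop.Rsop.UserResults.GPO |
    Select-Object Name, AccessDenied, FilterAllowed |
    Format-Table -AutoSize
```

If step 2 says the user is a member but `gpresult` shows the GPO as denied, the logon token predates the membership change: log the user off and on again, then re-run. If the GPO does not appear at all, check step 3 first; in the thread the GPO was linked to an OU that held the group object rather than the user object.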
 
Mark, thanks so much for your help! I'm going to take this one step at a time...Everything you're saying is making sense and I have tested it in a lab environment and it is working when I move the individual user...If I try and create a group, add the users and then move the group to the new OU, it doesn't work...

Okay, I'm still a little confused so bear with me...I'm new to GP...

Right now in the Production environment, in ADUC I have the following under the domain.com:

Builtin
Computers
Domain Controllers
Foreign Security Principals
Users

The Users above is a users container that contains all the user accounts in the domain. So essentially what I have to do is create a new OU and MOVE all the user accounts that I want the GP to apply to into the new OU? From there, I modify that GP on that OU and then in the security tab, apply the policy to each of the users? So I guess it's okay to have user accounts in different containers or OUs?

Mark, thanks for the help! I really do appreciate it!
 
You are correct on all accounts, I just want to stress that you DON'T HAVE TO move the users. You could apply the new GPO at the domain level and set the security to your user group. All will flow then and so long as you are setting the security, then you won't need to worry about the GPO hitting other accounts like the admin or other user groups.

I hope you find this post helpful. Please let me know if it was.

Regards,

Mark
 
Hello,

sorry I've reopened this old thread and I hope I don't break any rules on this board, but this topic is interesting and I've got one question about it.

I'm also looking at a way how to implement GP on our domain. Currently we have one domain policy with some settings about security.
Our domain consists of OUs that reflect the structure of our organisation, like:
- Administration
- ICT
- Project management
etc..
Suppose I want to create several GPs. One GP is to control all users in one OU. That's easy, because I can setup a GP and link it to that OU. Next GP is meant for laptop users and they're spread across the OUs. Other GP is maybe for all the female employees (just hypothetically speaking!) in the company.
Should I create for every GP a different OU, create a security group for the members of the GP and link this security group to this OU? Is this correct?
Let's say I've created 20 GPs in one domain, then I need to create 20 different OUs to link these GPs to the users/computers?

I hope somebody can shed some light on this subject.

All help appreciated!
 
You would need to have a way to identify your laptop users. You could move all those users into a separate OU or you could simply create a global group for laptop users and add the users to that group. You could then apply the GPO to the Group rather than an OU.

OUs should be used to create a logical structure that either mimics your physical or organizational structure or in such a manner that will ease administration. If you get too OU-creation happy then you could end up with a mess on your hands.

Lots of talk in this thread with applying GPOs and not enough about what it is that people want to DO with the GPOs. That will have a bearing on things too. So, what do you want to accomplish with your GPOs?

I hope you find this post helpful.

Regards,

Mark
 
Can anybody tell me how to duplicate a GPO? I need to stress I do not use the new GPMC tool: I create my GPOs within Active Directory.
thanks, try and have a good day everyone
 
It is possible even if you are not using GPMC.

First you need to know the GUID of the GPO you want to copy. Then create a new policy and find its GUID.

Then all you need to do is copy the contents of the first policy into the new one. Just browse to C:\Windows\Sysvol\Sysvol\Policies and copy the contents of the one policy to the next.

I hope you find this post helpful.

Regards,

Mark
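Mark's SYSVOL copy moves the Group Policy Template (the files). A GPO also has a Group Policy Container in AD, which carries the version number and the list of client-side-extension GUIDs (`gPCUserExtensionNames`/`gPCMachineExtensionNames`); clients skip extensions that are not listed there, so a files-only copy can look complete yet do nothing until the new GPO is edited once in the editor. `Copy-GPO` from the GroupPolicy module writes both halves. The script below is an added example, not from the thread; GPO names, the OU and the proxy address are assumptions, and it builds the "bad proxy" variant Mark suggests earlier.

```powershell
# Added example (not from the thread): duplicate a GPO with the GroupPolicy
# module instead of copying the SYSVOL folder by hand. Names are hypothetical.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$SourceName = 'Proxy Settings - Locked'
$TargetName = 'Proxy Settings - Blocked'    # the "bad proxy" variant from the thread
$DnsRoot    = (Get-ADDomain).DNSRoot

# Copy-GPO copies the AD container (version, CSE GUIDs) and the SYSVOL folder.
# -CopyAcl carries the source's security filtering along; links are never copied.
$new = Copy-GPO -SourceName $SourceName -TargetName $TargetName -CopyAcl

Write-Host "New GPO '$($new.DisplayName)' has GUID {$($new.Id)}"
Write-Host "SYSVOL path: \\$DnsRoot\SYSVOL\$DnsRoot\Policies\{$($new.Id)}"

# Change only what differs: point the copy at an unreachable proxy
# (the discard port on loopback; a constructed placeholder).
Set-GPRegistryValue -Name $TargetName `
    -Key 'HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings' `
    -ValueName 'ProxyServer' -Type String -Value '127.0.0.1:9' | Out-Null

# Confirm the AD side was populated. A hand copy leaves these at their
# defaults (version 0, no extension GUIDs) on the new GPO.
Get-ADObject -Identity $new.Path -Properties versionNumber, gPCUserExtensionNames |
    Select-Object Name, versionNumber, gPCUserExtensionNames

# Link the copy where the blocked users live (hypothetical OU); filtering came over with -CopyAcl.
New-GPLink -Name $TargetName -Target "OU=Blocked,$((Get-ADDomain).DistinguishedName)" -LinkEnabled Yes
```

For copies across domains or forests, `Backup-GPO` followed by `Import-GPO` (optionally with a migration table to remap group names and UNC paths) is the equivalent that survives SID and path differences.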
 
markdmac, this is great stuff, you're a star (again!)
thanks, try and have a good day.
 
Hello Markdmac,

I wasn't aware that it's possible to link a GPO to a security group... always thought this only could be done to a domain, site or OU.

For the moment I don't need to create additional GPOs, but I'm investigating this subject and was wondering how the idea of setting up a GPO concept should be.
But let's say I need to create 4 different GPOs, for example:
1. All the laptop users shouldn't be allowed to modify their network settings
2. For some people in the R&D department a logoff script needs to be run, which copies files to the file server.
3. For the managers of the departments: the logon/logoff events should be recorded
4. The female employees have a different background on the computer than the male employees.

So a lot of different groups of people that need to be 'controlled'. Creating additional security groups and maybe OUs, doesn't that create an extra burden on AD? Or is it alright if a user is member of 10-100 groups?
 
PS. every department is an OU in our AD. So the R&D dep is one OU, etc..
(I can't edit my previous post unfortunately)
 
Sorry for the delay in responding, work has been really nuts for me lately.

It is not possible to link a GPO to a security group. It is however possible to have a script check for a user's group memberships and take action based on that. The script exists in a GPO.

Design your GPOs in a hierarchical fashion with all common settings defined in an OU at the domain level, then get more granular in control at the individual OU level.

I don't like to have to support multiple scripts, and as such my development of scripts tries to minimize the need for that to prevent scripts from stepping on each others toes.

Having a user be a member of 100 groups would slow down their login I would imagine. Can't say for sure though, there are a lot of variables such as hardware and total number of users etc.

I hope you find this post helpful.

Regards,

Mark
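The single-script approach Mark describes, as an added example that is not part of the thread: one logon script, delivered by one GPO linked high in the tree, reads the group SIDs already present in the user's logon token (nested memberships included, no LDAP round trip) and runs the branch for each group the user belongs to. Group names, registry path, the share and the file copy are all hypothetical.

```powershell
# Added example (not from the thread): one logon script that branches on the
# user's group membership instead of one GPO per audience. Names are hypothetical.
$identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()

# Translate every SID in the token to DOMAIN\Name; keep the raw SID if it no
# longer resolves (deleted group) so the comparison below simply fails quietly.
$tokenGroups = foreach ($sid in $identity.Groups) {
    try   { $sid.Translate([System.Security.Principal.NTAccount]).Value }
    catch { $sid.Value }
}

function Test-MemberOf {
    param([Parameter(Mandatory)][string]$GroupName)
    $tokenGroups -contains "$env:USERDOMAIN\$GroupName"
}

# Map group -> action. Scriptblocks keep the per-audience logic in one file,
# which is what Mark means by not having scripts step on each other's toes.
$actions = [ordered]@{
    'Laptop Users' = {
        # Record the branch taken so helpdesk can see it in the user's hive.
        New-Item -Path 'HKCU:\Software\Contoso\Logon' -Force | Out-Null
        Set-ItemProperty -Path 'HKCU:\Software\Contoso\Logon' -Name 'Profile' -Value 'Laptop'
    }
    'RnD Report Sync' = {
        # Copy the user's reports to the file server (constructed share/path).
        $src = Join-Path $env:USERPROFILE 'Documents\Reports'
        if (Test-Path $src) {
            Copy-Item -Path "$src\*" -Destination "\\fileserver\rnd$\$env:USERNAME\" -Recurse -Force
        }
    }
}

$log = Join-Path $env:LOCALAPPDATA 'logon-script.log'
foreach ($group in $actions.Keys) {
    if (Test-MemberOf $group) {
        "{0:s} running branch for {1}" -f (Get-Date), $group | Add-Content -Path $log
        & $actions[$group]
    }
}
```

Because the token is built at logon, a user added to a group gets the new branch only after the next logon, not after `gpupdate`. For settings that Group Policy Preferences can express (drive maps, registry values, shortcuts), Item-Level Targeting on a Security Group does the same membership check declaratively and is easier to audit than script logic.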
 