W2K policies

Status
Not open for further replies.

Desperados

IS-IT--Management
Feb 13, 2002
13
IT
Dears,

We are trying to apply computer and user policies in W2K Active Directory.

We partially succeeded in this task, but only as far as the user policies are concerned, when the computer is in the Active Directory computer folder.
When we move the machine from the computer folder to an OU, in order to apply the computer policies, the rules are also applied to all the users who log on to this computer (even if they are in another OU with different user policies).
This means that no user policies are applied correctly.

Please help us.
 
When you place a computer in an OU, the policy will be applied to the computer, and all users who use that computer.

If you want to apply to users only, just place the user accounts in the OU, and leave the computer accounts in a general container.
 
Desperado,

Greg is right - I think perhaps the design of your GPOs is the problem. Remember there are two distinct portions of each policy - computer and user configuration. You should try and keep user and computer settings in separate policies IMHO (and disable the unused portion).

That way each policy is designed to be applied to specific users or computers - then you are less likely to get conflicts.

The design stage of these Group Policies is very very important if you have any number of users - it can get very complicated if you don't go through this phase properly.

Cheers
 
Hi Greg013,

Thanks for your attention, but let us try to explain our problem better.
This is our configuration tree:

Domain
|_Computers
|_Users
|_ Main_OU <- The Computer "X" is here
|_OU_1a <- The User "A" is here
| |_OU_2a <- The User "B" is here
|
|_OU_1b <- The Computer "Y" is here

Different policies are applied to each of the OUs 'Main_OU', 'OU_1a', 'OU_2a' and 'OU_1b'.
If user "A", using computer "Y", logs on to the system via the domain, we'd like the user policies implemented in "OU_1a" to be applied for the user, and the computer policies implemented in "Main_OU" to be applied for the computer.
How can we proceed to implement this configuration?
 
I think you're making your structure much more complex than it needs to be. If you do as you outline above, you have to deal with inheritance logic (blocking, allowing, etc.). Much better to do as follows:

Domain
|_Computers
|_Users
|_ Main_OU <- The Computer "X" is here
|_OU_1a <- The User "A" is here
|_OU_2a <- The User "B" is here

Put all your computers in the Computer OU, then place the users in the appropriate OU containers. The simpler you make this tree, the easier it will be for you to support it. If you start with the structure you outlined above, you'll have nothing but headaches as your network grows.
 
Yes, simple is definitely best here!

Although I am not a fan of lumping all computers together in a single OU - but I guess it depends upon the situation.

How about

Domain
| ----Users
|--OU1
| ----Computers
|
| ----Users
|--OU2
| ----Computers

That is, separate OUs for different business/location areas and a sub-OU for users and clients in both.
This gives more control/flexibility over different types of business users/clients.

Then have a domain level policy for computers and one for users with very minimal settings that you want to apply to all users and all computers (just password stuff and basic restrictions).

At the OU level have a basic client policy and a basic user policy and replicate or link these policies to each OU.
Then create a standard client and standard user group in each OU and assign policies by putting them in these groups.

Then you can have specific policies say for remote users and apply these via a remote user group.

Also maybe have an exception group in each OU which has deny access to all policies except domain ones which you can make administrators/or similar members of to get round any restrictions.

This is a bit more work initially but it is easier to keep track of in my opinion.

Well that's my waffle over with :)
Hope it's of some help.
 
-----welshguy (TechnicalUser) Wrote:
You should try and keep user and computer settings in separate policies IMHO (and disable the unused portion).
--------------------------------------------------------

That's the solution...
Thank you very much to greg013 and welshguy!

Regards :D
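
An added example, not written by any poster in this thread: a small Python model of default Group Policy scoping, run over one reading of the OU tree posted above, with each GPO split into a computer-only or user-only policy as suggested. It shows that the computer half is resolved along the computer's OU chain and the user half along the user's OU chain. The parent/child reading of the tree, the GPO names and the setting names are constructed assumptions.

```python
from dataclasses import dataclass

@dataclass
class GPO:
    name: str
    computer: dict                # Computer Configuration settings
    user: dict                    # User Configuration settings
    computer_enabled: bool = True
    user_enabled: bool = True

# Constructed reading of the posted tree: child container -> parent container
PARENT = {"Main_OU": "Domain", "OU_1a": "Main_OU",
          "OU_2a": "OU_1a", "OU_1b": "Main_OU"}
LOCATION = {"User A": "OU_1a", "User B": "OU_2a",
            "Computer X": "Main_OU", "Computer Y": "OU_1b"}

# Hypothetical GPOs: one half carries settings, the unused half is disabled
LINKS = {
    "Domain":  [GPO("Domain-Baseline", {"MinPasswordLength": 8}, {}, user_enabled=False)],
    "Main_OU": [GPO("Main-Computers", {"ScreenLockTimeout": 600}, {}, user_enabled=False)],
    "OU_1a":   [GPO("1a-Users", {}, {"HideControlPanel": True}, computer_enabled=False)],
    "OU_1b":   [GPO("1b-Computers", {"ScreenLockTimeout": 300}, {}, user_enabled=False)],
}

def ou_chain(obj):
    """Containers from the domain down to the object's own OU (processing order)."""
    chain, node = [], LOCATION[obj]
    while node:
        chain.append(node)
        node = PARENT.get(node)
    return list(reversed(chain))

def resultant(obj, half):
    """Merge one half ('computer' or 'user') along the object's own OU chain.
    The closest OU wins on conflict; disabled or empty halves are skipped."""
    settings, applied = {}, []
    for ou in ou_chain(obj):
        for gpo in LINKS.get(ou, []):
            if getattr(gpo, f"{half}_enabled") and getattr(gpo, half):
                settings.update(getattr(gpo, half))
                applied.append(gpo.name)
    return settings, applied

def logon(user, computer):
    """Computer half follows the computer's location, user half the user's."""
    return {"computer": resultant(computer, "computer"),
            "user": resultant(user, "user")}

if __name__ == "__main__":
    print(logon("User A", "Computer Y"))
```
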
 