Re: New to Active Directory - we need help configuring GPO
From: Ali (ali_mo_at_yahoo.com)
Date: 04/09/04
- Next message: Chris Hall: "Re: DNS Error"
- Previous message: Scotty44: "Logon problem with two win2000 DC"
- In reply to: Brian Desmond [MVP]: "Re: New to Active Directory - we need help configuring GPO"
- Next in thread: Ace Fekay [MVP]: "Re: New to Active Directory - we need help configuring GPO"
- Reply: Ace Fekay [MVP]: "Re: New to Active Directory - we need help configuring GPO"
- Messages sorted by: [ date ] [ thread ]
Date: Fri, 9 Apr 2004 12:14:39 -0700
Ok here is the deal. We are just very confused. First of
all Creating the GP on the domain level..we have seen
different things happening:
1. The GP does not filter properly down to an OU
2. Upon creating the GP at the domain level...and blocking
such things as access to "control panel", "run in the
start menu"...the administrator loses access to these
things as well.
3. We did somehow get the GP to work properly for a test
user. However, we logged in as the user on two different
test pc's and on one PC the user has no access to run,
control panel. On the 2nd PC the user has access to those
things. What is going on?
I have been able to create a GP and place it into an
actual OU and get everything to function properly.
However, doesnt that defeat the purpose?
So I guess my question is whether or not we should be
creating the GP and applying it at the domain level or
just place it in each OU(which seems to work).
As for creating users...as you know we have created OU's.
We want to have the ability to place a users into multiple
OU's...for example an 'ADMIN' person might also need to be
within 'OFFICE staff'. Do we create groups within the OU
to do this?
We are relatively in-experienced when it comes to AD. Is
there something drawn out step by step. We are just
looking for simple security measure which allow us to
control what the users have access to. Of course....all
admin ppl need to retain their access.
Thanks again.
>-----Original Message-----
>That is not the best procedure. To absolve them of all
the restrictions in a
>certain GPO, add the group to the GP's ACL, and deny the
right to apply the
>policy.
>
>--
>--
>Brian Desmond
>Windows Server MVP
>desmondb@payton.cps.k12.il.us
>
>http://www.briandesmond.com
>
>
>"Ali" <ali_mo@yahoo.com> wrote in message
>news:17c2b01c41e5d$f52b1650$a601280a@phx.gbl...
>> Hello,
>>
>> We're trying to institute AD on a Windows 2000 server.
We
>> have 1 domain (no sites) and have created multiple OU's
to
>> delegate security. We'd like to set Group Policy at the
>> domain level for passwords, control panel limitations,
>> etc. so it filters through the whole domain. We want
all
>> users in the domain to have the same parameters.
>>
>> There is a limited group that needs access to everything
>> on the domain. In all the literature we've read, we are
>> hesitant to use No Override on Domain GP or Block policy
>> Inheritance on OU's.
>>
>> To give full access to the limited group of users
>> mentioned above, it seems like we need to add this group
>> to Domain Admins. Is this the best procedure?
>>
>> Everything we read is ambiguous, and it seems as if
there
>> are multiple ways of doing things. We want to make sure
>> that we are applying GP's to their fullest advantage.
>>
>> We tried different ways based on what we have picked off
>> the internet. For the most part, we were able to make a
GP
>> work. However, when created at the domain level, it
seems
>> to affect the rights of the Domain administrator. How
can
>> we get around that?
>>
>> Is there a step by step guide that gives explicit
>> instructions or is everything generally written?
>>
>> Any help is greatly appreciated.
>
>
>.
>
- Next message: Chris Hall: "Re: DNS Error"
- Previous message: Scotty44: "Logon problem with two win2000 DC"
- In reply to: Brian Desmond [MVP]: "Re: New to Active Directory - we need help configuring GPO"
- Next in thread: Ace Fekay [MVP]: "Re: New to Active Directory - we need help configuring GPO"
- Reply: Ace Fekay [MVP]: "Re: New to Active Directory - we need help configuring GPO"
- Messages sorted by: [ date ] [ thread ]
Relevant Pages
|
