Re: Re: Applying GPO only to certain computers within an OU.....
- From: lforbes <UseLinkToEmail@xxxxxxxxxxxxxxxxx>
- Date: 7 Apr 2005 19:30:02 -0400
"Bruce Sanderson" wrote:
> Perhaps there is some complication in your situation that I don't know
> about, but here's my suggestion.
>
> I suggest avoiding the complexity of attempting to manage the application of
> GPOs via security and groups. Create a new OU as a child of the existing
> OU, apply the Software distribution policy to that sub-OU and move the
> computers you want to have that GPO applied to into the new sub-OU. Any
> GPOs applied to the parent OU will be inherited by the new sub-OU, so the
> moved computers will still get those GPOs applied to them.
>
> One of the big features of Active Directory is the flexibility to move
> things around and change the OU hierarchy easily; take advantage of that to
> avoid the need to use more complex features such as security filtering.
>
> --
> Bruce Sanderson MVP
>
> It's perfectly useless to know the right answer to the wrong question.
>
>
> "Momo" <louey-3@xxxxxxxxxx> wrote in message
> news:1112867143.894012.63330@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
> > We are in the process of deploying some software via GPO to computers
> > within an OU. The problem is we don't want to apply the software to all
> > machines within the OU.
> >
> > So far what we've successfully done is create a Group and add computers
> > which we don't want the policy to apply. And then in the GPO security
> > properties deny the group from reading and applying the policy. This
> > has successfully worked.
> >
> > But what we would rather is reverse and have computers which we want to
> > apply the policy in the group. What we tried is by default deny the
> > "Authenticated Users" group from applying the policy giving them read
> > on. Then for the group give them read and apply. But this hasn't worked
> > successfully........
> >
> > Has anyone tried something like this or have any suggestions....please
> >
Hi,
I agree with Bruce. Don't mess with the default security settings. If
you set up to deny then they aren't getting ANY of the policy.
Just create a child OU and move the machines into that and then move
them back again when the install is done. I have thousands of machines
and manage their software installs this way all the time.
Cheers,
Lara
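
The child-OU approach described in this thread, sketched in PowerShell as an added example that is not part of the original posts. It assumes the ActiveDirectory and GroupPolicy modules are available; the OU paths, GPO name and computer names are hypothetical placeholders.

```powershell
#Requires -Modules ActiveDirectory, GroupPolicy
# All names below are hypothetical placeholders; substitute your own.
$ParentOU   = 'OU=Workstations,DC=example,DC=com'  # existing OU holding the computers
$ChildName  = 'SoftwareInstall'                    # child OU used only for the rollout
$StagingOU  = "OU=$ChildName,$ParentOU"
$GpoName    = 'Deploy-ExampleApp'                  # existing software-installation GPO
$Targets    = 'PC-001', 'PC-002'                   # computers that should get the install

# 1. Create the child OU if it does not exist yet.
#    GPOs linked to the parent OU are still inherited by the child.
$existing = Get-ADOrganizationalUnit -Filter "Name -eq '$ChildName'" `
                -SearchBase $ParentOU -SearchScope OneLevel
if (-not $existing) {
    New-ADOrganizationalUnit -Name $ChildName -Path $ParentOU
}

# 2. Link the software GPO to the child OU only, leaving its default
#    security filtering (Authenticated Users: Read + Apply) untouched.
$linked = (Get-GPInheritance -Target $StagingOU).GpoLinks.DisplayName
if ($linked -notcontains $GpoName) {
    New-GPLink -Name $GpoName -Target $StagingOU | Out-Null
}

# 3. Move the selected computers into the child OU.
#    Computer-assigned software installs at the next startup.
foreach ($name in $Targets) {
    Get-ADComputer -Identity $name | Move-ADObject -TargetPath $StagingOU
}

# 4. Confirm which GPOs now apply at the child OU (inherited plus the new link).
(Get-GPInheritance -Target $StagingOU).InheritedGpoLinks |
    Select-Object DisplayName, Enabled, Enforced, Order

# 5. After the install has completed, move the computers back to the parent OU.
#    Check the package first: if "Uninstall this application when it falls out
#    of the scope of management" is enabled, moving back removes the software.
function Restore-StagedComputers {
    Get-ADComputer -Filter * -SearchBase $StagingOU -SearchScope OneLevel |
        Move-ADObject -TargetPath $ParentOU
}
```

Add `-WhatIf` to the `Move-ADObject` calls for a dry run before changing anything.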