Re: questions on group policy - OU vs local computer GP (gpedit.msc)



Tony

I would recommend that you configure a small lab environment for testing and
moving forward.

As a start it is common to separate users from machines; for example, you may
have a "Workstations OU" with all of your computer accounts in. On this OU
you would configure your Computer Configuration. If you are looking for
different settings for Laptops vs Desktops you could create two OUs, one for
Laptops and one for Desktops.

When the machine boots up you get the message "applying computer settings",
at which point the machine is querying Active Directory for all of the
policies that apply to that machine. It works this out by looking at Local
Policy, Site Policy, Domain Policy and the OU policy to find the machine's
computer account. Any group policies that have a Computer Configuration within
them are processed and affect the machine.

Users can then be created and separated out into different Organisational
Units, maybe by department or location, the key being to create OUs where you
believe different groups of settings are required. For example, you may have
an OU for sales which has very restrictive policy settings; however, for
marketing they may need to be different.

The second phase of group policy is then when the user logs on and group
policy is processed again, looking for all User Settings: Local Machine, Site,
Domain and the OU in which the user's account resides. Any Group Policies that
have User Configuration elements within them are processed and affect the
user.

Experiment in the lab and come back for more info.

--
Dave Britt

Dave's Weblog
http://davebritt.blogspot.com

<tractng@xxxxxxxxx> wrote in message
news:1149204286.339926.292050@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Guys,

I was thinking about setting up GP on the OU level. How do I go about
setting the policies up if I want to use settings on both the users &
computer configurations? Remember that some of the settings are
available to either the users or computer configurations, but not both.

What if the users don't belong to that OU? Do I add them in the
"security" tab so the policy applies to them as "read"? I tried it
but no luck.

But when I use GP on the local policy using gpedit.msc, it works great.
No matter who logs in, the configuration works.


Thanks in advance.

Tony
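
The two processing phases described in the reply above can be modelled in a few lines. This is an added example, not part of the original thread: every GPO, OU, account and setting name is constructed, and it assumes default processing only (no loopback, link enforcement, block inheritance or security filtering), with later GPOs overriding earlier ones.

```python
# Simplified model of default Group Policy scoping: Local, Site, Domain, OU.
# Every GPO, OU, account and setting name below is constructed for illustration.

# Each GPO has a Computer Configuration half and a User Configuration half.
GPOS = {
    "Local":            {"computer": {"Screensaver": "local"}, "user": {}},
    "Default Domain":   {"computer": {"MinPwdLen": 8}, "user": {"Wallpaper": "corp"}},
    "Workstations GPO": {"computer": {"Firewall": "on"}, "user": {"ControlPanel": "hidden"}},
    "Sales GPO":        {"computer": {}, "user": {"RunMenu": "off"}},
}
# Which GPOs are linked to which domain or OU (assumed layout).
LINKS = {
    "DC=example,DC=com": ["Default Domain"],
    "OU=Workstations,DC=example,DC=com": ["Workstations GPO"],
    "OU=Sales,DC=example,DC=com": ["Sales GPO"],
}

def gpo_order(account_dn, site_gpos=()):
    """GPOs in processing order for the container chain of one account."""
    parts = account_dn.split(",")[1:]   # drop the account's own CN= (naive split)
    chain = [",".join(parts[i:]) for i in range(len(parts))]
    # Walk from the domain down to the OU that holds the account.
    linked = [g for c in reversed(chain) for g in LINKS.get(c, [])]
    return ["Local", *site_gpos, *linked]

def resultant(account_dn, half, site_gpos=()):
    """Merge one half ('computer' or 'user') of every GPO in scope; last wins."""
    merged = {}
    for name in gpo_order(account_dn, site_gpos):
        merged.update(GPOS[name][half])
    return merged

COMPUTER = "CN=PC01,OU=Workstations,DC=example,DC=com"
USER = "CN=tony,OU=Sales,DC=example,DC=com"

if __name__ == "__main__":
    # Boot: Computer Configuration follows the computer account's location.
    print("computer:", resultant(COMPUTER, "computer"))
    # Logon: User Configuration follows the user account's location, so the
    # user half of "Workstations GPO" never reaches a user in OU=Sales.
    print("user:    ", resultant(USER, "user"))
```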


