Re: Boy, did I screw up some Group Policies!
- From: Kurt <kurtl@xxxxxxxxxxxxxxxxx>
- Date: Sun, 26 Nov 2006 18:38:42 -0800
Martin L. Shoemaker wrote:
Does that mean they can be deleted by an Administrator via the file system?
Yes, but they generally have names like "GOEIRUTOI03049Oiewoiru", so you wouldn't know what you were deleting. Better to assign full control permissions (except apply policy) to your admin account and delete them uaing the group policy snap-in.
Education, please. What's an OU?
An "Organizational Unit". To create one, go to Active Directory Users and Computers, right-click on the domain, select New -> Organizational Unit. You can create test users and put them in the OU. If you right-click the OU and select properties, you'll have a group policy tab. When you define a policy at the OU level, it only applies to users (or computers) that are in the OU. Note that the standard containers (Users, Computers, etc) are special and you cannot apply group policy on those containers - create your own.
If you need to apply policies to specific groups of people across OUs, make a specific group for those people and permit the policy to be applied only to members of that group. Also, rather than create a policy that does everything, create multiple policies and name them according to their function, i.e. "Remove Run Dialog From Start Menu". That might not be possible for every policy if you want to apply them at various levels to specific users/groups, but common policies that apply to everyone are much easier to keep track of this way. Make sure you document multi-faceted policies well for future reference.
That vaguely makes sense to my limited understanding; but these rules were written by some authority somewhen in the past, and are not to be questioned lightly. If I knew what I were doing, I might be able to make an intelligent argument against them. It's not like the client is THAT hidebound. But in order to argue against "the way we've always done it", I'm going to have to understand why it's wrong. You've helped me to understand a bit better.
Thanks!
From your previous post, the instructions had you creating policies for groups of users and applying the policies at the domain level. That certainly works. If those users represented departments, say Marketing, Accounting and Sales, the more widely accepted method would be to create 3 OUs (named "Marketing", "Accounting" and "Sales"), Placing the appropriate users into those OUs, and creating policies there. You would also likely create a global group for each of those sets of users named similarly, and the same users in each OU would also be members of the corresponding groups.
Just a caveat here - OUs are logical containers where POLICIES can be applied and groups are entities to which you may assign PERMISSIONS.
You could start with a set of common policies and apply those policies at the domain level, granting "read and apply policy" permissions to all 3 groups. In each OU, any policies unique to each division could be created, applied and "Apply" permission granted to the group instead of each user. It's hierarchical, logical, self documenting, and I think you'd find that it is widely accepted as "best practices" .
....kurt
.
- References:
- Boy, did I screw up some Group Policies!
- From: Martin L. Shoemaker
- Re: Boy, did I screw up some Group Policies!
- From: Kurt
- Boy, did I screw up some Group Policies!
- Prev by Date: Re: Ie7 GPO needed !
- Next by Date: archive event viewer log files
- Previous by thread: Re: Boy, did I screw up some Group Policies!
- Next by thread: Ie7 GPO needed !
- Index(es):
Relevant Pages
|
