Re: Multi site group policy - best practices question.

In general it makes sense to configure a GPO at the domain level that you
want to apply to all users in the domain. If you have different needs at
each site then you could do as you propose and create an OU for each site
with a GPO linked to each OU with the additional Group Policy settings
defined that each site needs. By default any setting defined [other than
password/account policy for domain users which is computer configuration] at
the OU level would override a setting that is also defined at the domain
level unless the domain GPO had no override enabled on it. The way you
propose should also work well though personally I would use a domain level
GPO with common settings that I wanted applied to all domain users and use
no override if I wanted to enforce those settings. You will find Resultant
Set of Policy in planning mode helpful in checking to see if the settings
are being applied as you would expect. --- Steve


"WS" <me@xxxxxxxxxxx> wrote in message
news:ej1nd27vFHA.724@xxxxxxxxxxxxxxxxxxxxxxx
> Hello,
>
> We have a multi-site singe domain organization, with each site having some
> specific "users" group policy requirements that the other sites do not.
> Accordingly, we have create a separate OU for each site, and divided each
> using sub-OU's for users, computers, etc.
>
> I've identified a set of policies that are common to both site's "users"
> OU, and my plan is to create a generically named policy and link it to
> each site's corresponding OU, leaving those items which are NOT common, in
> the "not configured" state.
>
> For the policies that are site specific (e.g. Folder redirection), I'm
> proposing to create a separate GPO and link it to the appropriate OU,
> placing it second in the order of application.
>
> Is this best practice when it comes to group policy application? From the
> research I've conducted before posting, it appears so, but I'm am not
> totally convinced.
>
> Any feedback would be most appreciated.
>


.

Relevant Pages

  • Re: policy for only two computers
    ... a setting in a Domain-linked GPO then the setting in the Domain-linked GPO ... what happens if there are conflicting settings at the same level? ... go to the Group Policy tab and click on the New... ... the Computer Configuration half and the User Configuration ...
    (microsoft.public.win2000.group_policy)
  • Re: iNTERACTIVE LOGON welcome screen - make it go away
    ... I created a custom ADM file for these two settings ... and imported it into the GPO under the Computer Administritative templates. ... really great expertise in Group Policy often reply to posts including ... doing a gpupdate on that domain controller which ideally would be the ...
    (microsoft.public.windowsxp.security_admin)
  • Re: Getting desperate: GPO applying incorrectly, PLEASE HELP ME!!
    ... User and Computer settings a single GPO,. ... OU with the Terminal Server computer accounts, ... See in particular the section called "Group Policy Loopback ...
    (microsoft.public.windows.group_policy)
  • Re: Getting desperate: GPO applying incorrectly, PLEASE HELP ME!!
    ... GPO security settings from the defauts. ... Restart the workstation computer and the Terminal server, ... I've chosen these settings only because the affect is easy to observe. ... add check mark in the Deny column for Apply Group Policy ...
    (microsoft.public.windows.group_policy)
  • Do Not Execute Group Policy for Admins Group
    ... so that the group policy will only apply to a certain group of users ... domain admins that logon to a computer in that OU). ... In this case the GPO would not ... it's intent is to change the user settings ...
    (microsoft.public.win2000.group_policy)