Re: starting over with GPO
- From: "Roger Abell [MVP]" <mvpNoSpam@xxxxxxx>
- Date: Wed, 14 Feb 2007 08:23:07 -0700
Account policies are handled uniquely.
For them to have impact on domain accounts these must be
set in a GPO linked to the domain, such as you have outlined.
If set differently in a GPO linked to an OU the Account policies
will only have impact on machine local accounts on the machines
placed in that OU.
So, yes, the Account policies will apply as you intend if you
do as has been described.
When an account object (user or computer) is within an OU so
that it has both domain linked and OU linked policy settings being
applied to it, the settings from the domain linked GPO will not be
applied only if those very same policies have different settings in
the OU linked GPO (or if the OU blocks inheritance from the domain
linked GPOs). In other words, if a value is set in domain linked GPO
and not in the OU linked GPO, then the value from the domain linked
GPO will be effective.
If you have no need to set computer policies for the joined machines
differently then all computer policies could be set at domain level.
Oh, and by the way, since there is already a Users container you
probably should decide on a different name for your Users OU (the
predefined Users container is not an OU and cannot have GPOs
linked to it, it is just a container).
Roger
"UWRFREPORTER04" <UWRFREPORTER04@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:CB946CCC-5991-43DB-95AD-46FD5B1D885B@xxxxxxxxxxxxxxxx
OK, thanks. I only need to link the User OU for my domain users. The domain
policy is applied throughout the entire domain regardless of where it is
linked to.
My only worry was the account policies wouldn't take effect if it wasn't
linked.
You see no problems with how I want to set it up on a small domain? I was
having issues in my lab environment. Since I'm the only one connected to
the new domain, I decided it would be best to test a couple settings at a
time, log on as different users and see if it works.
I don't need to create a separate OU for computers, right? I don't plan on
setting any additional computer config settings for individual computers or
departments.
"Laura E. Hunter [MVP]" wrote:
Your description does not take into account the concept of Group Policy
Inheritance. By linking a GPO to the domain level, all OUs within the domain
will inherit those domain-level settings by default. In the example you
describe, you would only need to link the Domain GPO to the domain and Users
GPO to the Users OU - in other words, you would not need to link the Domain
GPO to the Users OU a second time.
See the following link for a description of Group Policy Inheritance:
http://technet2.microsoft.com/WindowsServer/en/library/212eb1fd-11f4-465f-b243-73e542d06b2c1033.mspx?mfr=true
HTH
Laura E. Hunter - MVP: Windows Server - Networking
"UWRFREPORTER04" <UWRFREPORTER04@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:F61ACD30-FB3D-4D57-BE5B-240BDC4453B5@xxxxxxxxxxxxxxxx
I decided to start over with figuring out my problems with GPO and accept the
possibility the way I have my test lab set up is a reason not everything is
being applied the way I want or how I think it should be. I'm running a 180
day trial of server 2003 on virtual pc, connected to a router-connected to a
modem-back down to my laptop.
I decided to test it in a real environment I'm working on. The new DC is
not live and I'm the only one on the domain and I'll use myself as a test.
Here is what I want to do, want to make sure I have the right idea.
Create a default domain policy with the account policies (password, account
lockout, etc), apply that to the entire domain.
Create an OU called Users OU and place all our users into that and create a
new gpo and link that gpo to the Users OU.
For a few in the IT dept, I will create a separate OU called IT and only link
the default domain policy so they don't get applied the same settings.
My question is when I'm linking gpos for the Users OU, what order does it
need to be linked. I read that the last OU is applied. I want the default
domain policy account policies to take effect.
If I have
1: Users OU
2: Default Domain Policy.
What would be the result? I don't want the account policies to be ignored
because there is nothing set in the Users OU.
Please let me know if this sounds good or seems like it would work (in
theory) the way I have it designed in my head.
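Added example (not part of the original thread, and not how Windows itself implements policy processing): a simplified Python model of the precedence rules Roger Abell describes in the reply at the top, showing which values reach domain accounts, local accounts on machines in the OU, and ordinary settings. It assumes one GPO per container and no enforced links; the function names, the sample values and the two non-account setting names are constructed.

```python
# Simplified model of the rules in the reply; not how Windows implements them.
# Assumption: one GPO per container, no enforced (No Override) links.
ACCOUNT_POLICY = {"MinimumPasswordLength", "LockoutBadCount", "MaximumPasswordAge"}


def split(gpo):
    """Split a GPO's settings into (account policy, everything else)."""
    account = {k: v for k, v in gpo.items() if k in ACCOUNT_POLICY}
    other = {k: v for k, v in gpo.items() if k not in ACCOUNT_POLICY}
    return account, other


def effective(domain_gpo, ou_gpo, ou_blocks_inheritance=False):
    """Resolve what applies to objects in an OU that has its own linked GPO."""
    dom_account, dom_other = split(domain_gpo)
    ou_account, ou_other = split(ou_gpo)
    inherit = not ou_blocks_inheritance
    return {
        # Domain value is effective unless the OU sets the same policy
        # or the OU blocks inheritance.
        "general": {**(dom_other if inherit else {}), **ou_other},
        # Domain accounts only ever see account policy from the domain link.
        "domain_accounts": dict(dom_account),
        # OU-linked account policy reaches only local accounts on machines in the OU.
        "local_accounts": {**(dom_account if inherit else {}), **ou_account},
        # Audit hint: OU-level account settings that do not reach domain users.
        "no_effect_on_domain_accounts": sorted(
            k for k, v in ou_account.items() if dom_account.get(k) != v
        ),
    }


# Constructed sample GPOs (values and the two non-account names are made up).
DOMAIN_GPO = {"MinimumPasswordLength": 8, "LockoutBadCount": 5, "ScreenSaverTimeout": 900}
USERS_OU_GPO = {"MinimumPasswordLength": 14, "HideControlPanel": True}

if __name__ == "__main__":
    for blocked in (False, True):
        print("block inheritance:", blocked)
        for scope, values in effective(DOMAIN_GPO, USERS_OU_GPO, blocked).items():
            print(f"  {scope}: {values}")
```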