Linking GPOs to different OUs within the same domain


From: Eshprof (Eshprof_at_discussions.microsoft.com)
Date: 02/28/05


Date: Mon, 28 Feb 2005 08:11:07 -0800

I am finding myself in a tough spot of having to figure out how I'm going to
setup a domain structure and how to apply GPOs to it. Here is my
situation....

I am in an environment that has over 10,000 workstations and equally that
number of users. Currently the policies are applied using local policy! (I
know I know... that's NOT good. That is part of why I was hired... to fix
that!) Anyway, the OUs are currently setup that the workstations and users
are in a separate hierarchy like so (I'm using generic names for the sake of
drawing this out)...

Workstations Root OU
       |_ Workstations1 OU (There are about 8000 machines in this one)
       |_ Workstations2 OU
       |_ Workstations3 OU

GPOs are not being applied at all to the above structure.

The users OUs are setup like the following...

Root Dept OU
        |_ Dept OU 1
               |_Dept Group OU
               |_Dept User OU

There are approximately 200 Dept OUs. By the way, this is a government
environment and not a company environment.

Again, there are no GPOs being applied. All policies (Computer and User
portion) are set using local policy, per machine. I have called several
meetings to come up with an OU structure that would best utilize using GPOs.
Here is my quandary...
If I leave the Workstation hierarchy the way it is, I could apply a GPO per
OU. That sounds great, but the problem that arises is that if I have
computers in there that have to have a different setting, the GPO begins to
fall apart, since local policies are the weakest. I could take them out and
put them in their own OU and not apply a GPO to them at all, but only local
policy. This rapidly becomes an "all or nothing" thing, since blocking GPO
inheritance or choosing not to apply will become a nightmare. The other
thought is to consider the following structure....

Root Dept OU
        |_ Dept OU 1
               |_Dept Group OU
               |_Dept User OU
               |_Workstations Root OU
                            |_ Workstations1 OU
                            |_ Workstations2 OU
                            |_ Workstations3 OU

This structure would mean that the "Workstation Root" hierarchy would be in
EVERY Dept OU (that means putting it in over 200 times.) I couldn't create
one GPO for Workstations1 OU like the first OU structure and have it apply to
all 8000 machines. This would require me to create one GPO for Workstations1
OU and then link it to all 200 instances. That would be the same for
Workstations2 OU and 3 as well. I'm technically only using one GPO per
Workstation# OU, but I'd be linking it approximately 200 times. What are the
negatives of linking? I don't think this will be a traffic generator, since
all workstations would have to go to the SYSVOL folder anyway for their GPO.
I really can't think of any negatives other than the initial setup. Also if
I do it like the latter structure, that allows me to be able to go to each
Workstation# OU and add another GPO to it specifically if necessary and not
affect all 8000 machines. Too, I can make a change to the master
Workstation# OU if necessary to affect all the machines it's linked to.

Another thought is that I can apply one GPO at the "Root Dept OU" that would
encompass many thousands of users at one time and then add GPOs, if necessary
to the child Dept OUs.

Any thoughts about this? Are there problems of GPOs getting out of sync if
I link them? This will only be in one domain.

Thanks
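An added example (not part of the original post, and not something the poster ran) showing the "one GPO, ~200 links" approach from the second OU layout in working PowerShell, plus the check a practitioner would want before and after: how many OUs actually link each GPO. It assumes the GroupPolicy and ActiveDirectory RSAT modules (Windows Server 2008 R2 or later, so later tooling than the 2005 thread), a hypothetical domain corp.example.gov, a hypothetical GPO named WS1-Baseline, and the per-department layout described above (Workstations1 under a Workstations Root OU inside each Dept OU). A GPO link is only a reference stored in the target OU's gPLink attribute that points at the single GPO object (its GPC in AD and its GPT under SYSVOL), which is why linking the same GPO 200 times cannot get "out of sync": there is only one copy of the settings to edit.

```powershell
# Added example, not from the original post. Assumes RSAT modules and the
# hypothetical names below; adjust the DN, GPO names and OU names to taste.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$DomainDN = 'DC=corp,DC=example,DC=gov'          # assumption
$RootDept = "OU=Root Dept OU,$DomainDN"          # the users/departments tree
$WsGpo    = 'WS1-Baseline'                       # assumed GPO for every Workstations1 OU
$UserGpo  = 'Dept-Users-Baseline'                # assumed GPO linked once at Root Dept OU

# Link one GPO to every OU of a given name beneath a search base.
# The GPO itself exists once; only the gPLink reference is written per OU.
function Link-GpoToNamedOUs {
    param(
        [string]$GpoName,      # display name of the existing GPO
        [string]$OuName,       # e.g. 'Workstations1'
        [string]$SearchBase    # DN to search under
    )
    $gpo = Get-GPO -Name $GpoName -ErrorAction Stop
    $targets = Get-ADOrganizationalUnit -Filter "Name -eq '$OuName'" `
                   -SearchBase $SearchBase -SearchScope Subtree
    $linked = 0
    foreach ($ou in $targets) {
        # Idempotent: skip OUs that already link this GPO so re-runs are safe.
        $already = (Get-GPInheritance -Target $ou.DistinguishedName).GpoLinks |
                   Where-Object { $_.GpoId -eq $gpo.Id }
        if ($already) { continue }
        New-GPLink -Guid $gpo.Id -Target $ou.DistinguishedName `
                   -LinkEnabled Yes -Enforced No | Out-Null
        $linked++
    }
    return $linked
}

# Count how many OUs link each GPO by parsing gPLink directly. Each entry looks
# like [LDAP://cn={GUID},cn=policies,cn=system,DC=...;flags] where flags bit 1
# means the link is disabled and bit 2 means it is enforced.
function Get-GpoLinkCounts {
    param([string]$SearchBase)
    $names = @{}
    Get-GPO -All | ForEach-Object { $names["{$($_.Id.ToString().ToUpper())}"] = $_.DisplayName }
    $counts = @{}
    Get-ADOrganizationalUnit -Filter * -SearchBase $SearchBase -Properties gPLink |
        Where-Object { $_.gPLink } |
        ForEach-Object {
            foreach ($m in [regex]::Matches($_.gPLink, '\{[0-9A-Fa-f-]{36}\}')) {
                $key = $m.Value.ToUpper()
                $counts[$key] = 1 + [int]$counts[$key]
            }
        }
    $counts.GetEnumerator() | ForEach-Object {
        [pscustomobject]@{
            GpoId       = $_.Key
            DisplayName = $names[$_.Key]      # $null if the GPC was deleted but a link remains
            LinkCount   = $_.Value
        }
    } | Sort-Object LinkCount -Descending
}

# Second layout from the post: the same WS1 GPO linked in every Dept OU's Workstations1.
$n = Link-GpoToNamedOUs -GpoName $WsGpo -OuName 'Workstations1' -SearchBase $RootDept
Write-Host "Added $n new links for $WsGpo"

# Users: one link at the top of the department tree, inherited by all Dept OUs.
New-GPLink -Name $UserGpo -Target $RootDept -LinkEnabled Yes -Enforced No | Out-Null

# Verification: WS1-Baseline should show roughly one link per Dept OU.
Get-GpoLinkCounts -SearchBase $DomainDN | Format-Table -AutoSize
```

Run it once from a management host with rights to create links; the first function is safe to re-run because it checks Get-GPInheritance before calling New-GPLink. The link-count report also surfaces the two things that do go wrong with many links: an orphaned link whose GPO has been deleted (DisplayName comes back empty) and a link count that does not match the number of department OUs, which means some Dept OU was created without the Workstations Root sub-tree. Either way, editing the GPO once changes it everywhere it is linked, so the only per-link cost is the initial setup the post already anticipates.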


