Re: Removing One Server from Group Policy
- From: "Will" <DELETE_westes@xxxxxxxxxxxxxxxxxx>
- Date: Sat, 11 Jun 2005 23:53:36 -0700
Can someone explain the difference between these three cases,
where there is an OU under the root named Servers and an OU under
that named "Proxy Servers". Assume for the moment that Servers
has its own group policy and that Proxy Servers has its own as
well.
Case 1: List All Policies for Proxy Server. In this case the
Group Policy list for Proxy Servers reads:
Proxy Server Group Policy
Server Group Policy
Default Domain Policy
As I understand this case, I only need to change the specific
items in Proxy Server Policy that make it different from Servers.
I do NOT need to restate the entire policy in the Proxy Server
Group Policy. Is it right?
Case 2: List Only New Group Policy. In this case the Group
Policy list for Proxy Servers reads:
Proxy Server Group Policy
What I am not clear on in this case is how are the parent
policies being applied? What is the difference between Case 2
and Case 1 in terms of what gets applied and in what priority?
Case 3: Block Inheritance. In this case the Group Policy list
for Proxy Servers reads:
Proxy Server Group Policy
and the Block Inheritance checkbox is selected. In this case I
guess the entire policy must be entered into Proxy Server Group
Policy, and nothing from any parent inherits.
It seems to me like Case 1 is less work than Case 3. I would
prefer Case 2 if I could be sure that the inheritance won't take
precedence over the one policy I list, simply because then I
don't need to maintain the parent relationships inside of the
child object.
--
Will
Internet: westes at earthbroadcast.com
"Glenn LeCheminant" <the.only(delete)@gmail dot com> wrote in
message news:%23pEvqGsbFHA.3040@xxxxxxxxxxxxxxxxxxxxxxx
> You have 2 options.
> Assuming you do not use the 'No Override' (aka enforce) feature on existing
> GPOs........
> Create a special OU just for this server, then marking the OU for block
> inheritance.
>
> The other way is to add an ACL on every GPO that would normally apply to
> this server, and set the 'deny' 'apply group policy' ACE.
>
> The first way is less work over the long term, but depends on you not using
> the 'no override' feature.
> If you use or will ever use the 'no override' feature, then you will have to
> use the deny ACE method.
>
>
> --
> Glenn LeCheminant
> CCNA, MCSE 2000/2003 + Security
>
> "Will" <DELETE_westes@xxxxxxxxxxxxxxxxxx> wrote in message
> news:evTvC9qbFHA.2128@xxxxxxxxxxxxxxxxxxxxxxx
> > What is the recommended way to remove a single Windows 2000
> > server from Group Policy? Are we required to set up a unique
> > OU for this one server, and create a special group policy just
> > for that one server? Or is there a way to simply manually
> > disconnect the server from all GP updates and then use its local
> > security policy application to configure security settings?
> >
> > --
> > Will
> > Internet: westes at earthbroadcast.com
> >
> >
>
>
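Added example, not part of the original thread: a simplified Python model of how Block Inheritance, 'No Override' and a deny 'Apply Group Policy' ACE interact for the OU layout discussed above. The class and function names are hypothetical, and local and site policy are left out of the model.

```python
# Added illustration: simplified model of which GPOs reach one computer.
# Link, Container, effective_gpos and build are hypothetical names.
from dataclasses import dataclass

@dataclass
class Link:
    gpo: str
    enforced: bool = False          # 'No Override' set on this link

@dataclass
class Container:
    name: str
    links: list                     # link order, highest priority first
    block_inheritance: bool = False

def effective_gpos(chain, denied=frozenset()):
    """chain: containers from the domain root down to the computer's OU.
    denied: GPOs whose ACL has a deny 'Apply Group Policy' ACE for the computer.
    Returns the GPO names that apply, highest precedence first."""
    # Non-enforced links above the lowest blocking container are dropped.
    floor = max((i for i, c in enumerate(chain) if c.block_inheritance), default=0)
    # Enforced links ignore Block Inheritance; the higher container wins.
    enforced = [l.gpo for c in chain for l in c.links
                if l.enforced and l.gpo not in denied]
    # Ordinary links: the container closest to the computer wins.
    normal = [l.gpo for i, c in reversed(list(enumerate(chain))) for l in c.links
              if not l.enforced and i >= floor and l.gpo not in denied]
    return enforced + normal

def build(block=False, enforce_domain=False):
    # Constructed sample using the OU and GPO names from the thread.
    return [
        Container("domain", [Link("Default Domain Policy", enforce_domain)]),
        Container("Servers", [Link("Server Group Policy")]),
        Container("Proxy Servers", [Link("Proxy Server Group Policy")], block),
    ]

if __name__ == "__main__":
    scenarios = {
        "plain inheritance": effective_gpos(build()),
        "block inheritance": effective_gpos(build(block=True)),
        "block + enforced parent": effective_gpos(build(True, True)),
        "block + enforced parent + deny ACE": effective_gpos(
            build(True, True), denied={"Default Domain Policy"}),
    }
    for name, gpos in scenarios.items():
        print(f"{name}: {gpos}")
```
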