Re: Removing One Server from Group Policy
- From: "Glenn LeCheminant" <the.only(delete)@gmail dot com>
- Date: Sun, 12 Jun 2005 09:56:11 -0700
inline
--
Glenn LeCheminant
CCNA, MCSE 2000/2003 + Security
"Will" <DELETE_westes@xxxxxxxxxxxxxxxxxx> wrote in message
news:%23sJm3txbFHA.584@xxxxxxxxxxxxxxxxxxxxxxx
> Can someone explain the difference between these three cases,
> where there is an OU under the root named Servers and an OU under
> that named "Proxy Servers". Assume for the moment that Servers
> has its own group policy and that Proxy Servers has its own as
> well.
>
>
> Case 1: List All Policies for Proxy Server. In this case the
> Group Policy list for Proxy Servers reads:
>
> Proxy Server Group Policy
> Server Group Policy
> Default Domain Policy
>
> As I understand this case, I only need to change the specific
> items in Proxy Server Policy that make it different from Servers.
> I do NOT need to restate the entire policy in the Proxy Server
> Group Policy. Is it right?
You are correct. The resultant set of applied policy will be the
culmination of all the policies applied to 'proxy servers', 'servers', and
the domain, with the settings in 'proxy server' applied last; they will
therefore take precedence over conflicting settings in other policies.
>
>
> Case 2: List Only New Group Policy. In this case the Group
> Policy list for Proxy Servers reads:
>
> Proxy Server Group Policy
>
> What I am not clear on in this case is how are the parent
> policies being applied? What is the difference between Case 2
> and Case 1 in terms of what gets applied and in what priority?
>
GPOs are always applied in the following order:
L - Local
S - Site
D - Domain
OU - Organizational unit
Sub-OU
Your linking Servers group policy and default domain group policy to the
proxy servers OU will not change what policies are applied.
The processing will always follow the order I laid out. The exception to this
rule is the use of 'no override'.
In your specific example (case 1), the servers GPO is also linked to the
Servers OU, and the default domain policy is also linked to the domain.
Therefore the computers in proxy servers OU will apply the servers and the
default domain policies twice, because you also linked the server GPO and
default domain GPO to the proxy server OU.
>
> Case 3: Block Inheritance. In this case the Group Policy list
> for Proxy Servers reads:
>
> Proxy Server Group Policy
>
> and Block Inheritance checkbox is selected. In this case I
> guess the entire policy must be entered into Proxy Server Group
> Policy, and nothing from any parent inherits.
>
Setting block inheritance on the proxy server OU will force these systems to
not apply the policies linked to the servers OU or the domain. Therefore if
those policies have settings you need, then you would need to define them in
the proxy server GPO.
>
> It seems to me like Case 1 is less work than Case 3. I would
> prefer Case 2 if I could be sure that the inheritance won't take
> precedence over the one policy I list, simply because then I
> don't need to maintain the parent relationships inside of the
> child object.
>
Case 2 is the preferred way since any settings you define in the proxy
server GPO will take precedence.
This is accomplished because this policy gets applied last.
If you use the no override switch on any other GPOs in the parent OUs, then
it will force those GPOs to be applied last, and therefore take precedence
over the policies defined in the proxy servers OU.
> --
> Will
> Internet: westes at earthbroadcast.com
>
>
>
>
> "Glenn LeCheminant" <the.only(delete)@gmail dot com> wrote in
> message news:%23pEvqGsbFHA.3040@xxxxxxxxxxxxxxxxxxxxxxx
>> You have 2 options.
>> Assuming you do not use the 'No Override' (aka enforce) feature on
>> existing GPOs........
>> Create a special OU just for this server, then mark the OU for block
>> inheritance.
>>
>> The other way is to add an ACL on every GPO that would normally apply to
>> this server, and set the 'deny' 'apply group policy' ACE.
>>
>> The first way is less work over the long term, but depends on you not
>> using the 'no override' feature.
>> If you use or will ever use the 'no override' feature, then you will have
>> to use the deny ACE method.
>>
>>
>> --
>> Glenn LeCheminant
>> CCNA, MCSE 2000/2003 + Security
>>
>> "Will" <DELETE_westes@xxxxxxxxxxxxxxxxxx> wrote in message
>> news:evTvC9qbFHA.2128@xxxxxxxxxxxxxxxxxxxxxxx
>> > What is the recommended way to remove a single Windows 2000
>> > server from Group Policy? Are we required to set up a unique
>> > OU for this one server, and create a special group policy just
>> > for that one server? Or is there a way to simply manually
>> > disconnect the server from all GP updates and then use its local
>> > security policy application to configure security settings?
>> >
>> > --
>> > Will
>> > Internet: westes at earthbroadcast.com
>> >
>> >
>>
>>
>
>
.
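
The precedence rules discussed in this thread (processing order domain, OU, sub-OU; Block Inheritance; 'No Override'), written as a small Python model. This is an added example, not part of the original posts and not Windows code: the class, function and setting names are assumptions made for illustration, and the local and site steps are left out.

```python
# Added illustration: a simplified model of GPO precedence, not Windows code.
from dataclasses import dataclass, field

@dataclass
class Link:
    gpo: str
    settings: dict
    enforced: bool = False          # 'No Override' in the thread's wording

@dataclass
class Container:                    # a site, the domain, or an OU
    name: str
    links: list = field(default_factory=list)
    block_inheritance: bool = False

def resultant_policy(chain):
    """chain: containers ordered top-down (domain, OU, sub-OU).
    Returns {setting: (value, name of the GPO that supplied it)}."""
    # Block Inheritance drops non-enforced links from every container above it.
    start = max((i for i, c in enumerate(chain) if c.block_inheritance), default=0)
    normal, enforced = [], []
    for depth, container in enumerate(chain):
        forced = [l for l in container.links if l.enforced]
        enforced = forced + enforced    # links from higher containers end up last
        if depth >= start:
            normal += [l for l in container.links if not l.enforced]
    result = {}
    # The last writer wins: normal links top-down, then enforced links.
    for link in normal + enforced:
        for key, value in link.settings.items():
            result[key] = (value, link.gpo)
    return result

def demo_chain(block=False, enforce_domain=False):
    # Constructed sample data using the thread's OU and GPO names;
    # the setting names and values are made up.
    domain = Container("domain", [Link("Default Domain Policy",
        {"LogonBanner": "on", "ScreenSaverTimeout": 600}, enforce_domain)])
    servers = Container("Servers", [Link("Server Group Policy",
        {"ScreenSaverTimeout": 300, "AuditLogon": "Success"})])
    proxy = Container("Proxy Servers", [Link("Proxy Server Group Policy",
        {"ScreenSaverTimeout": 900})], block_inheritance=block)
    return [domain, servers, proxy]

if __name__ == "__main__":
    for kwargs in ({}, {"block": True}, {"block": True, "enforce_domain": True}):
        print(kwargs, resultant_policy(demo_chain(**kwargs)))
```
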