Re: GPO Security Filtering VS OU Specific GPOs
- From: "James Risto" <jristo@xxxxxxxxxx>
- Date: Mon, 24 Oct 2005 22:09:05 -0400
My opinion is you have hit the edge of functionality trying to use AD for
software distribution; you need SMS.
If you can't afford that, then ACL's on GPO's is my bet.
As is said, an object can only be in 1 OU.
JamesR.
"Jim Willson" <JimWillson@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:1C4143CF-4AA2-4A91-857C-DF329FD9EDDD@xxxxxxxxxxxxxxxx
> Then how would you handle GPO's for software installations, for example?
> You
> certainly can't put a machine in multiple OUs so it gets Office, Acrobat
> Writer, and Pagemaker - so then what?
>
> Our AD structure is very simple at the moment. Looking forward though, I'd
> like to make the best decisions now for future expansion and utilization
> of
> AD. What I'd really like is a MS writeup about best practices for Enforce
> and
> Filtering. To be honest, I've seen the exact opposite advice posted online
> (Windows IT Pro, I think). The advice there was to keep your OU usage
> sparing, but use security filtering/no enfore to apply/not apply GPOs.
>
>
>
> "Wong Tuck Wah" wrote:
>
>> Guidelines from MS are always to minimise the use of Inheritance, Enforce
>> (no
>> overwrite) and Filtering.
>>
>> Extensive use of these methods will make troubleshooting GP problems
>> complicated and time consuming. It is always easier to create a new GPO
>> for
>> specific needs, if possible.
>>
>> In your case, create 2 OUs instead - one for laptop and the other for
>> desktop. Create another 2 GPOs, each for the specific OU. This will make
>> your
>> design lean and manageable.
>>
>> HTH.
>>
.
- Prev by Date: Re: Login over WAN
- Next by Date: Re: ADAM failure with 2003
- Previous by thread: How many ACEs are too many?
- Next by thread: Re: GPO Security Filtering VS OU Specific GPOs
- Index(es):
Relevant Pages
|
