Re: Domain Security policy

From: DD <DD@xxxxxxxxxxxxxxxxxxxxxxxxx>
Date: Wed, 4 Mar 2009 01:28:01 -0800

The group policy does'nt apply to the user pc even thought i logoff and login
user pc,
it only apply next day when user login again. why it take so long to apply ?
any command to force it update immediately when u logoff and login again.

"Ace Fekay [Microsoft Certified Trainer]" wrote:

In news:78CF92CC-204A-4C13-B1E6-A50634B05DB4@xxxxxxxxxxxxx,
DD <DD@xxxxxxxxxxxxxxxxxxxxxxxxx>, posted the following:

i onlu have one default policy for the domain, how to create
addtional domain policy ,also want to create different dept have
different group policy. i am new in windows server, can yu provide me
some usefully link .

"DD" wrote:

I made changes on the domain policy , but it does not apply to user
pc when they login.

eg , i allowed change the system time for a specific user. when i
login to the user pc, from the local policy, chnage the system time,
only show administrator can change not the specific user.

Hi DD,

It's suggested and recommended to not change the Default Domain Policy.
Keep in mind, whatever you set at the domain level, flows downhill to
everything. I would suggest to design your OU structure to reflect your
organizaiton and/or departments, which will also help you create GPOs for
the OU design.

For example, for a company with more than one location/site, I would suggest
the following:

Domain
......Philly OU
...............Accounting
...............Sales
...............Marketing
...............Desktop
...............Users
...............Laptops
......Seattle OU
...............Accounting
...............Sales
...............Marketing
...............Desktops
...............Users
...............Laptops

I separated Laptops and Desktops because I have two different Windows Update
GPOs set. The Desktop Windows Update GPO I created runs at 3:00 AM, whereas
the Laptop Updates run at 3:30 PM while the users have the laptops in the
office. This design also allows me to create GPOs for the different offices,
or I can create one and link them to both offices. The design possibilities
are endless, especially if you control flow with Block Inheritance,
Loopback, WMI filtering, disabling the Computer or User portion of a GPO,
etc, however in many cases I do not use these features because trying to
support them 8 months later when there's a problem it is difficult to
remember what you had blocked, etc. Yes youcan use RSOP to look at what is
being applied, etc, but I find it easier to simply create another OU or a
child OU to have a different setting than the parent, such as the following,
where I created a GPO to lock the desktop with two different time settings.
The Desktops OU has a 30 minute setting, but I created a 15 Minute Timeout
OU directly beneath it. Because the identical setting isdifferent on the
child, it overrides the parent's setting. I can simply "look" at my OUs and
know what I have applied.

......Seattle OU
...............Accounting
...............Sales
...............Marketing
...............Desktops
.....................15 Minute Timeout
...............Users
...............Laptops

These are just suggestions, and you may find that it may work for you, or
not. Even in a single site, I still do it this way, because it is flexible.
You never know when the customer or your company may expand. If they do,
simply create another OU for the new location.

Here's a basic visual of how GPOs work, and how it would flow downhill.
http://www.fekay.com/supportblogs/gpoflow.jpg

Win2k3 AD OU/GPO Design Discussion
http://www.tomshardware.com/forum/190896-46-win2k3-design-discussion

--
Ace

This posting is provided "AS-IS" with no warranties or guarantees and
confers no rights.

Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSA Messaging, MCT
Microsoft Certified Trainer
aceman@xxxxxxxxxxxxxxxxxxxxxxx

For urgent issues, you may want to contact Microsoft PSS directly. Please
check http://support.microsoft.com for regional support phone numbers.

Follow-Ups:
- Re: Domain Security policy
  - From: Ace Fekay [Microsoft Certified Trainer]

References:
- Domain Security policy
  - From: DD
- RE: Domain Security policy
  - From: DD
- Re: Domain Security policy
  - From: Ace Fekay [Microsoft Certified Trainer]

Prev by Date: Re: LDAP Query for memeber of one group
Next by Date: Re: Event ID 13508
Previous by thread: Re: Domain Security policy
Next by thread: Re: Domain Security policy
Index(es):
- Date
- Thread

Relevant Pages

Re: GROUP POLICY
... are we able to check which policy actually apply to the user pc ?just want ... Group Policy Objects (GPOs) Design Considerations and Guidelines ...
(microsoft.public.windows.server.active_directory)
Re: GROUP POLICY
... under the applied group policy objetcss it show ... Group Policy Objects (GPOs) Design Considerations and Guidelines ...
(microsoft.public.windows.server.active_directory)
Re: At this point, Im wondering if GPOs even work?
... what is set in a policy does not bubble up into the user interface. ... Pop-up Blocker" box on one and checked it on the other. ... ensured no GPOs nor local policy were superseding my Test GPO ... Config (so why do these settings even exist in Computer Config if they ...
(microsoft.public.windows.group_policy)
Re: Group Policy Loopback Not Applying
... policy is applied to is set to block policy inheritance from the parent OU. ... "The following GPOs were not applied because they were filtered out". ... another computer into that OU and found the loopback policy worked as ... figured I would run sysprep again. ...
(microsoft.public.windows.server.active_directory)
Re: Group Policy Loopback Not Applying
... policy is applied to is set to block policy inheritance from the parent OU. ... "The following GPOs were not applied because they were filtered out". ... another computer into that OU and found the loopback policy worked as ... figured I would run sysprep again. ...
(microsoft.public.windows.server.active_directory)