Re: Aftermath of RDIRCMP.EXE?
- From: Mygposts <Mygposts@xxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Wed, 4 Mar 2009 11:11:03 -0800
There is a group of machines that need to be on the domain that have all the
policies set through dozens of unique local policies, and they want to be
absolutely sure none of these local policies are changed by a domain group
policy.
So, they want every domain-based group policy to be blocked for this group
of machines. They don't want us to make changes to the Default Domain Policy
or attempt to make domain policies to match the local policies. They just want
assurance that none of the preconfigured policies are changed on this group
of special machines.
"Ace Fekay [Microsoft Certified Trainer]" wrote:
In news:5D1D4085-E17F-4839-82FC-6D39BD9B6F17@xxxxxxxxxxxxx,
Mygposts <Mygposts@xxxxxxxxxxxxxxxxxxxxxxxxx> posted the following:
We are going to try creating a new OU, putting the machines in there,
blocking inheritance and adding the machines accounts to a security
group with Deny Read and Deny Apply Group Policy permissions on the
Default Domain Policy.
Should that work?
Why not just make the Default Domain Policy back to default, which will
eliminate any possibility that anything you change in there will affect the
domain adversely. Then create the OU, and as Jorge suggested, link the GPO
you previously created, or if you haven't created one, create one with the
necessary settings. This way the Default Domain Policy will apply to all
with its default settings, and the GPO you created at the OU will apply to
the machines in the OU.
I'm not sure what settings you want to configure, but if there are any that
conflict with the Default Domain Policy, which I kind of doubt, unless you
are changing security settings, the child will override them anyway.
Also, just an FYI, there was another thread recently posted with a similar
question, including an OU/GPO design question. Here was my reply. I hope it
sheds some light on the method I am suggesting, which basically is based on
Microsoft Best Practices. These suggestions actually are a variation of the
AD Microsoft courseware, GPO section.
====================
It's suggested and recommended to not change the Default Domain Policy.
Keep in mind, whatever you set at the domain level, flows downhill to
everything. I would suggest to design your OU structure to reflect your
organization and/or departments, which will also help you create GPOs for
the OU design.
For example, for a company with more than one location/site, I would suggest
the following:
Domain
......Philly OU
...............Accounting
...............Sales
...............Marketing
...............Desktop
...............Users
...............Laptops
......Seattle OU
...............Accounting
...............Sales
...............Marketing
...............Desktops
...............Users
...............Laptops
I separated Laptops and Desktops because I have two different Windows Update
GPOs set. The Desktop Windows Update GPO I created runs at 3:00 AM, whereas
the Laptop Updates run at 3:30 PM while the users have the laptops in the
office. This design also allows me to create GPOs for the different offices,
or I can create one and link them to both offices. The design possibilities
are endless, especially if you control flow with Block Inheritance,
Loopback, WMI filtering, disabling the Computer or User portion of a GPO,
etc.; however, in many cases I do not use these features because, when trying
to support them 8 months later when there's a problem, it is difficult to
remember what you had blocked, etc. Yes, you can use RSOP to look at what is
being applied, etc, but I find it easier to simply create another OU or a
child OU to have a different setting than the parent, such as the following,
where I created a GPO to lock the desktop with two different time settings.
The Desktops OU has a 30 minute setting, but I created a 15 Minute Timeout
OU directly beneath it. Because the identical setting is different on the
child, it overrides the parent's setting. I can simply "look" at my OUs and
know what I have applied.
......Seattle OU
...............Accounting
...............Sales
...............Marketing
...............Desktops
.....................15 Minute Timeout
...............Users
...............Laptops
These are just suggestions, and you may find that it may work for you, or
not. Even in a single site, I still do it this way, because it is flexible.
You never know when the customer or your company may expand. If they do,
simply create another OU for the new location.
Here's a basic visual of how GPOs work, and how it would flow downhill.
http://www.fekay.com/supportblogs/gpoflow.jpg
Win2k3 AD OU/GPO Design Discussion
http://www.tomshardware.com/forum/190896-46-win2k3-design-discussion
==========================
Ace
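The plan described in the thread (new OU, Block Inheritance, and a security group with Deny Read / Deny Apply Group Policy on the Default Domain Policy), scripted as an added example. This is not code from either poster; it assumes the RSAT GroupPolicy and ActiveDirectory modules on a domain-joined admin workstation, and the OU name "Isolated Machines" and group name "GPO-Deny-DefaultDomain" are made up for illustration.

```powershell
# Added example, not part of the original thread. Assumes RSAT (GroupPolicy +
# ActiveDirectory modules). OU and group names below are hypothetical.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$domainDn = (Get-ADDomain).DistinguishedName
$ouName   = 'Isolated Machines'           # assumed name
$ouDn     = "OU=$ouName,$domainDn"
$grpName  = 'GPO-Deny-DefaultDomain'      # assumed name

# 1. New OU with inheritance blocked: no non-Enforced GPO linked above it will apply.
if (-not (Get-ADOrganizationalUnit -Filter "Name -eq '$ouName'" -SearchBase $domainDn -SearchScope OneLevel)) {
    New-ADOrganizationalUnit -Name $ouName -Path $domainDn -ProtectedFromAccidentalDeletion $true
}
Set-GPInheritance -Target $ouDn -IsBlocked Yes | Out-Null

# 2. Security group that holds the special machines' computer accounts.
if (-not (Get-ADGroup -Filter "Name -eq '$grpName'")) {
    New-ADGroup -Name $grpName -GroupScope Global -GroupCategory Security -Path $ouDn
}
Get-ADComputer -Filter * -SearchBase $ouDn |
    ForEach-Object { Add-ADGroupMember -Identity $grpName -Members $_ }

# 3. Deny Read and Deny "Apply Group Policy" on the Default Domain Policy for that group.
#    Set-GPPermission only grants levels (GpoRead, GpoApply, ...), it cannot write a
#    Deny ACE, so the ACEs are added to the GPO's AD container directly. A Deny in the
#    security filter blocks the GPO even when its link is Enforced, which Block
#    Inheritance on its own does not.
$gpo   = Get-GPO -Name 'Default Domain Policy'
$gpoDn = "CN={$($gpo.Id)},CN=Policies,CN=System,$domainDn"
$sid   = (Get-ADGroup -Identity $grpName).SID
$applyGroupPolicyRight = [Guid]'edacfd8f-ffb3-11d1-b41d-00a0c968f939'  # well-known extended-right GUID

$acl = Get-Acl -Path "AD:\$gpoDn"
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid, [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    [System.Security.AccessControl.AccessControlType]::Deny, $applyGroupPolicyRight)))
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid, [System.DirectoryServices.ActiveDirectoryRights]::GenericRead,
    [System.Security.AccessControl.AccessControlType]::Deny)))
Set-Acl -Path "AD:\$gpoDn" -AclObject $acl

# 4. Verify: the OU should report blocked inheritance with no inherited links, and
#    the GPO's permissions should now carry a Denied entry for the group.
Get-GPInheritance -Target $ouDn | Select-Object GpoInheritanceBlocked, InheritedGpoLinks
Get-GPPermission -Name 'Default Domain Policy' -All |
    Where-Object { $_.Trustee.Name -eq $grpName } |
    Select-Object Trustee, Permission, Denied
```

To confirm from the client side, run `gpupdate /force` on one of the machines and then `gpresult /r /scope:computer`; the Default Domain Policy should be listed under the GPOs that were not applied, with the reason "Access Denied (Security Filtering)". Two caveats a practitioner should weigh: the Deny ACEs are a change to the Default Domain Policy's security descriptor (not its settings), so this is not quite "leave the Default Domain Policy alone"; and if anyone later follows the other suggestion in the thread and resets that GPO with `dcgpofix /target:Domain`, the custom ACEs go with it and the filtering must be re-applied. Any other domain-linked GPO that is Enforced would also need the same Deny filtering, since Block Inheritance does not stop Enforced links.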