Re: ADUC & SBS groups

I understand about the OU containers and the implementation of policies now.
Thank you.

Let me see if I can explain a little better about what I experienced with AD.

I was taking one of the predefined groups "Domain Users" and trying to add
it to the local administrators group on the workstation (I was experimenting
and I realize in a real life scenario this is POOR security management!).

The Location was set to the workstation name and I was unable to change it
even though I was logged onto the domain. Since I couldn't change it (I wish
there was a browse button there) I tried typing the following in Object
Types: DomainName\Domain Users but it wouldn't resolve.

I'm questioning whether the workstation was truly joined to the domain even
though I was logging onto it (at least it appeared that I was).

MyBusiness and SBSComputers are both OUs. That means that a policy applied
at MyBusiness will effect anything located anywhere under that, while one
applied at SBSComputers will only apply to items contained in the
SBSComputers OU. The easiest way to tell an OU from a container is that the
icons are different - when you look at them in the Group Policy Management
Console, the containers look just like regular folders, while the OUs have a
fancier icon.

I'm not sure what you're referring to about wanting to add domain groups to
the workstation, and I agree that you should be able to perform normal
functions as long as the workstation belongs to the domain, regardless of
where it's located. Can you give a fuller description of what you're trying
to do? (If you're trying to do something like add a security group to an
ACL, please make sure that in the box that pops up to add it, the Object
Types includes users and groups, and the Locations is set to your domain
rather than the local PC).

You can move items around in AD just by r-clicking them and choosing Move.
If you're experimenting or testing on anything in AD or group policy, I
recommend taking written notes for undo purposes in case you get unexpected
results. (I've blown up enough stuff to have learned this pretty well).


"Brian Elkins" <BrianElkins@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:D62D678A-A934-4EB7-9FD8-71578EAD6DF1@xxxxxxxxxxxxxxxx
Dave,

Thank you for the quick reply.

When you say the latter is an OU, "\MyBusiness\SBSComputers" is the OU,
correct?

Also, when I was experimenting the other day I placed the workstation name
in "ADUC\DomainName.Local\Computers" without knowing better. I was able
to
join the workstation to the domain yet I was unable to add any Domain
groups
to the workstation.

I'm a bit confused on that point. If I was able to join the domain it
seems
as if I should have been able to add Domain groups.

Brian


The former is an Active Directory container, while the latter is an OU
(Organizational Unit). You can't apply group policies to a container, so
only domain-wide policies will apply to computers located in
domain\computers.

Also, the Add Computer wizard in SBS places the computers in the latter
location (the OU). I recommend only adding computers with that wizard,
not
directly in AD. And, in the absence of a reason to move them, I'd leave
them where SBS expects them to be. If you do have a reason to move
them -
say, to separate desktops from laptops - I recommend creating another OU
under MyBusiness\Computers. Let SBS create them as and where it prefers,
then go into AD Users and Computers afterward and move them to the other
OU.

FWIW, I leave all the computers in that OU, and if I need to apply group
policies more granularly, I do it with security filtering. Others do it
the
other way - multiple OUs - which is equally valid.

"Brian Elkins" <BrianElkins@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:351E5955-6E50-4C1B-9721-58FA561B92AC@xxxxxxxxxxxxxxxx
Can someone please explain to me what is the difference between placing
a
workstation in:

"ADUC\DomainName.Local\Computers"

vs.

"ADUC\DomainName.Local\MyBusiness\SBSComputers"

Thank you for any help.

Brian Elkins






.