Re: Creating a new GPO in sbs2003.
- From: "Dave Nickason [SBS MVP]" <gwdibble@xxxxxxxxxxxxxxxxxxxxxx>
- Date: Thu, 21 Jun 2007 14:23:58 -0400
Cool - a great book.
Your comment about breaking something reminded me of my two best pieces of
group policy advice. 1. Create separate GPOs for separate purposes, and
name them appropriately. For example, I have a policy named "Office 2003
Settings" and another called "Office 2007 Settings." This facilitates just
disabling an individual GPO if you run into unintended results - you don't
want to put your Office settings in your Default Domain Policy, then have to
disable that when something goes toes up. And 2, document all changes in
writing. You don't want to be sitting there trying to remember what you
changed when you notice some bad result a week after you edited the policy.
And a bonus tip: Resultant Set of Policy. You can check this out for
yourself on a workstation. Start -> Run -> rsop.msc. A great tool for
figuring out the actual effect of your policies, or finding where some weird
setting came from.
"BrianMultiLanguage" <BrianMultiLanguage@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in
message news:5A6D7539-607F-4873-9C54-D3B625AAED39@xxxxxxxxxxxxxxxx
OK I'll go at it.
Maybe I can break something.
I bought Harry Brelford's ADVANCED WINDOWS SBS2003 BEST PRACTICES also.
"Dave Nickason [SBS MVP]" wrote:
In the Group Policy Management Console, I recommend right-clicking Group
Policy Objects -> New. That way, you're creating a GPO that is not linked
to any OUs. Once you're finished with all the settings, you can link the
new GPO to any OU you wish by r-clicking the OU -> Link an existing GPO
here.

You can also start by r-clicking the OU and clicking Create and link a GPO
here.

Once you've created the GPO, you can filter it so that it only applies to
certain users or computers by putting those users or computers in a
security group. Add the security group in the right pane under Security
Filtering, and remove the default Authenticated Users security group (which
applies to all users and computers).

Or, you can just create an OU containing whatever users or computers you
want the policy to apply to, and simply link the GPO there without
filtering (leave Authenticated Users as it is). If the GPO is linked only
to a specific OU (or more than one), it will only apply to items in that OU.

Remember that for computer policies to apply, the OU or security group has
to contain computers. For user policies to apply, they have to contain
users. And, remember to test everything before considering the job done.
"BrianMultiLanguage" <BrianMultiLanguage@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in
message news:FEA4B3D7-031B-4363-A7A4-9FFC88AAF51D@xxxxxxxxxxxxxxxx
So in the forest, domain.Local,
there are several GPOs listed, then under that is
the DC, then under that is
MyBusiness, then under that is
GPO with policies in that.
Where does a new GPO get created? Does it matter? A new OU?
I am creating a restrictive w/s policy to apply to certain users but not all.
Thank you
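
The workflow discussed in this thread (create an unlinked GPO, security-filter it to a group, link it to an OU, record the change, check the result with RSoP), as an added PowerShell example that is not part of the original posts. It assumes the GroupPolicy module (GPMC/RSAT on Windows Server 2008 R2 or later, so not SBS 2003 itself); the GPO name, group name and OU path are placeholders. Unlike the GPMC step above, it leaves Authenticated Users with Read (not Apply) on the GPO, because since MS16-072 user settings are retrieved in the computer's security context and the computer account needs Read for a filtered GPO to apply.

```powershell
# Added example. All names below are placeholders, not values from the thread.
Import-Module GroupPolicy

$GpoName  = 'Restricted Workstation Settings'   # one purpose per GPO, named for it
$Group    = 'Restricted WS Users'               # existing security group (assumed)
$TargetOu = 'OU=ExampleOU,OU=MyBusiness,DC=domain,DC=local'   # placeholder OU path
$Stamp    = Get-Date -Format 'yyyy-MM-dd'

# 1. Create the GPO unlinked, so nothing applies while its settings are edited.
#    The comment is the first entry of the written change record.
$comment = '{0} {1}: created, restrictive workstation settings' -f $Stamp, $env:USERNAME
New-GPO -Name $GpoName -Comment $comment | Out-Null

# 2. Security filtering: the target group gets Apply; Authenticated Users is
#    lowered from Apply to Read. -Replace is needed to lower an existing level.
Set-GPPermission -Name $GpoName -TargetName $Group -TargetType Group `
    -PermissionLevel GpoApply | Out-Null
Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' -TargetType Group `
    -PermissionLevel GpoRead -Replace | Out-Null

# 3. Link only after settings and filtering are in place.
New-GPLink -Name $GpoName -Target $TargetOu -LinkEnabled Yes | Out-Null

# 4. Record what was configured: who the GPO applies to, plus a settings report
#    to file with the change notes.
Get-GPPermission -Name $GpoName -All |
    Select-Object @{ n = 'Trustee'; e = { $_.Trustee.Name } }, Permission |
    Format-Table -AutoSize
Get-GPOReport -Name $GpoName -ReportType Html `
    -Path (Join-Path $env:TEMP "$GpoName-$Stamp.html")

# 5. On a test workstation, logged on as a member of $Group: scriptable
#    equivalent of rsop.msc, showing which GPOs actually applied.
Get-GPResultantSetOfPolicy -ReportType Html `
    -Path (Join-Path $env:TEMP "rsop-$Stamp.html") | Out-Null
```

If the result is not what was intended, `Set-GPLink -Name $GpoName -Target $TargetOu -LinkEnabled No` disables just this GPO's link without touching any other policy.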