Re: Group policy to apply only to some workstations
- From: "Gregg Hill" <bogus@xxxxxxxxxxx>
- Date: Wed, 23 Apr 2008 06:28:12 -0700
KJ,
I want to lock down the desktops of the workstations in the factory but not
the ones in the front office. The client needs to stop Internet browsing and
has not ponied up for a real firewall yet (they are currently reviewing my
recommendation for a WatchGuard unit).
Yes, another round would be nice!
Gregg Hill
"kj [SBS MVP]" <KevinJ.SBS@xxxxxxxxxxxxxxxxxx> wrote in message
news:u6CZ5$PpIHA.1420@xxxxxxxxxxxxxxxxxxxxxxx
Gregg Hill wrote:
I suppose the word "Duh" is in order for me here. I just went into
the GPMC and clicked on SBSComputers, and there are no GPOs linked.
Well, crap, I thought I had it, but when I look at the "Group Policy
Inheritance" tab under SBSComputers, it shows a bunch of linked GPOs.
Hey, wait! No matter where I create an OU, those same GPOs are there
(again, DUH) because of the domain-level inheritance you mentioned.
I need to back away from the computer and get some sleep (or booze,
drugs, SOMETHING!).
I guess the next question would be "Why do the computers even need to
be under SBSComputers?"
Thank you for the help!
Gregg Hill
So maybe I misunderstood. Are you trying to apply some special policy
setting to only select computers or block some standard SBS (domain GPO)
settings from applying to select computers?
I've installed SBS into existing domains and not been forced to move the
existing workstations into SBScomputers. Usually I eventually did so to
tidy things up and make it appear as SBS standard as possible.
I've also had some that retained some existing OU structure on purpose. In
those cases I did not have issue with anything OU structure / group policy
wise. Security groups were more often at issue though.
Domain Controllers should be in the domain controllers OU and do have
special (SBS and Default Domain) policy linked there. Otherwise, I know of
no *requirement* from a GPO perspective for workstations to remain where
the wizards create the computer objects. Still, I'd leave them there and
work any policy needs around the existing structure.
Does that help, or should I order another round of shots? <g>
"kj [SBS MVP]" <KevinJ.SBS@xxxxxxxxxxxxxxxxxx> wrote in message
news:eWzOXkMpIHA.4716@xxxxxxxxxxxxxxxxxxxxxxx
Gregg Hill wrote:
Lanwench,
Is it safe to assume that moving computers out of SBSComputers and
into a new OU under MyBusiness > Computers will not cause them to
lose any settings? The reason I was looking at putting it under
SBSComputers is because I thought that the SBSComputers OU had
specific settings that I needed to keep. I thought that keeping it
under SBSComputers would make all those settings apply, and add only
what I make in the new GPO.
I do not understand group policy very much, so I will do as you
suggested, of course!
Gregg Hill
SBS (default) Group Policies are Domain and Domain Controller OU level
linked.
The wizards create the objects in those OUs. I usually create a
child OU under the SBS default ones where special policies need to
be applied for a machine or user subset when I choose not to use
security filters.
"Lanwench [MVP - Exchange]"
<lanwench@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx> wrote in
message news:OIRScTKpIHA.1164@xxxxxxxxxxxxxxxxxxxxxxx
Gregg Hill <bogus@xxxxxxxxxxx> wrote:
Hello!
I want to create a group policy to lock down a client's computers
in the factory, but not the ones in the office. I have a
lock-down GPO for terminal servers that works perfectly, but it
is in an OU outside of the normal SBS OU structure, i.e., it is
directly under the office.lan domain in ADUC.
I want all normal SBS GPO settings for "SBSComputers" to apply to
these workstations, and add the restricted GPO settings. I am
thinking that I can create a sub-container(?)
An OU (not a sub-anything)
such as "MyBusiness >
Computers > SBSComputers > Restricted Computers" and move the
desired computers to that sub-container.
Put it under MyBusiness\Computers, not under SBSComputers.
Note that any computer (not user) specific GPO settings applied at
a higher level (e.g., the domain or MyBusiness or Computers) will be
applied. Remember to always create your own GPOs - don't edit the
defaults -
and be very careful with what you do. You may want to implement
loopback processing in the Restricted Computers GPO. Test first!
Am I even close to being on the right track? If not, would someone
be so kind as to throw the switch for me?
Thank you!
Gregg Hill
--
/kj
--
/kj
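
The layout discussed in this thread (a new OU under MyBusiness\Computers, a separate GPO linked to it, optional loopback, then a check of what is inherited), as an added example that is not part of any poster's message. It assumes a management host with the ActiveDirectory and GroupPolicy PowerShell modules; the GPO name and computer names are hypothetical, while the domain and OU names are the ones mentioned in the thread.

```powershell
# Added example: names marked "hypothetical" do not come from the thread.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domainDn   = 'DC=office,DC=lan'                      # office.lan, as named in the thread
$parentOu   = "OU=Computers,OU=MyBusiness,$domainDn"  # MyBusiness\Computers
$ouName     = 'Restricted Computers'
$targetOu   = "OU=$ouName,$parentOu"
$gpoName    = 'Factory Lockdown'                      # hypothetical GPO name
$factoryPcs = 'FACTORY-PC01', 'FACTORY-PC02'          # hypothetical computer names

# 1. Create the OU beside SBSComputers (not under it) if it does not exist yet.
$existing = Get-ADOrganizationalUnit -Filter "Name -eq '$ouName'" `
                -SearchBase $parentOu -SearchScope OneLevel
if (-not $existing) {
    New-ADOrganizationalUnit -Name $ouName -Path $parentOu
}

# 2. Create a separate GPO instead of editing the defaults, and link it to the new OU.
$gpo = Get-GPO -Name $gpoName -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $gpoName -Comment 'Desktop lock-down for factory workstations'
}
$linked = (Get-GPInheritance -Target $targetOu).GpoLinks |
              Where-Object { $_.DisplayName -eq $gpoName }
if (-not $linked) {
    New-GPLink -Name $gpoName -Target $targetOu -LinkEnabled Yes | Out-Null
}

# 3. Optional loopback processing, only needed when the lock-down settings are
#    user-side settings that must follow the computer. 1 = Merge, 2 = Replace.
Set-GPRegistryValue -Name $gpoName `
    -Key 'HKLM\Software\Policies\Microsoft\Windows\System' `
    -ValueName 'UserPolicyMode' -Type DWord -Value 1 | Out-Null

# 4. Preview the move of the factory machines; remove -WhatIf after testing.
foreach ($name in $factoryPcs) {
    Get-ADComputer -Identity $name | Move-ADObject -TargetPath $targetOu -WhatIf
}

# 5. List what the new OU will actually receive: the domain-level links
#    appear here as well as the new GPO, in processing order.
(Get-GPInheritance -Target $targetOu).InheritedGpoLinks |
    Select-Object Order, DisplayName, Enabled, Enforced, Target |
    Format-Table -AutoSize
```

Running `gpresult /r` on one moved workstation after a `gpupdate /force` confirms the applied list matches step 5.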