Re: Group policy to apply only to some workstations



Gregg Hill <bogus@xxxxxxxxxxx> wrote:
KJ,

I want to lock down the desktops of the workstations in the factory
but not the ones in the front office. The client needs to stop
Internet browsing and has not ponied up for a real firewall yet (they
are currently reviewing my recommendation for a WatchGuard unit).

Yes, another round would be nice!

Gregg Hill

I'd use a separate OU and set up a loopback-enabled group policy with a
bogus proxy server.




"kj [SBS MVP]" <KevinJ.SBS@xxxxxxxxxxxxxxxxxx> wrote in message
news:u6CZ5$PpIHA.1420@xxxxxxxxxxxxxxxxxxxxxxx
Gregg Hill wrote:
I suppose the word "Duh" is in order for me here. I just went into
the GPMC and clicked on SBSComputers, and there are no GPOs linked.

Well, crap, I thought I had it, but when I look at the "Group Policy
Inheritance" tab under SBSComputers, it shows a bunch of linked
GPOs. Hey, wait! No matter where I create an OU, those same GPOs
are there (again, DUH) because of the domain-level inheritance you
mentioned. I need to back away from the computer and get some sleep
(or booze, drugs, SOMETHING!).

I guess the next question would be "Why do the computers even need
to be under SBSComputers?"

Thank you for the help!

Gregg Hill

So maybe I misunderstood. Are you trying to apply some special policy
setting to only select computers or block some standard SBS (domain
GPO) settings from applying to select computers?

I've installed SBS into existing domains and not been forced to move
the existing workstations into SBScomputers. Usually I eventually
did so to tidy things up and make it appear as SBS standard as
possible. I've also had some that retained some existing OU structure by
purpose. In those cases I did not have issue with anything OU
structure / group policy wise. Security groups were more often at
issue though. Domain Controllers should be in the domain controllers OU
and do have special (SBS and Default Domain) policy linked there. Otherwise, I
know of no *requirement* from a GPO perspective for workstations to
remain where the wizards create the computer objects. Still, I'd
leave them there and work any policy needs around the existing
structure. Does that help, or should I order another round of shots? <g>






"kj [SBS MVP]" <KevinJ.SBS@xxxxxxxxxxxxxxxxxx> wrote in message
news:eWzOXkMpIHA.4716@xxxxxxxxxxxxxxxxxxxxxxx
Gregg Hill wrote:
Lanwench,

Is it safe to assume that moving computers out of SBSComputers and
into a new OU under MyBusiness > Computers will not cause them to
lose any settings? The reason I was looking at putting it under
SBSComputers is because I thought that the SBSComputers OU had
specific settings that I needed to keep. I thought that keeping it
under SBSComputers would make all those settings apply, and add
only what I make in the new GPO.
I do not understand group policy very much, so I will do as you
suggested, of course!

Gregg Hill


SBS (default) Group Policies are Domain and Domain Controller OU
level linked.

The wizards create the objects in those OUs. I usually create a
child OU under the SBS default ones where special policies need to
be applied for a machine or user subset when I choose not to use
security filters.





"Lanwench [MVP - Exchange]"
<lanwench@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx> wrote
in message news:OIRScTKpIHA.1164@xxxxxxxxxxxxxxxxxxxxxxx
Gregg Hill <bogus@xxxxxxxxxxx> wrote:
Hello!

I want to create a group policy to lock down a client's
computers in the factory, but not the ones in the office. I
have a lock-down GPO for terminal servers that works perfectly,
but it is in an OU outside of the normal SBS OU structure,
i.e., it is directly under the office.lan domain in ADUC.
I want all normal SBS GPO settings for "SBSComputers" to apply
to these workstations, and add the restricted GPO settings. I am
thinking that I can create a sub-container(?)

An OU (not a sub-anything)

such as "MyBusiness >
Computers > SBSComputers > Restricted Computers" and move the
desired computers to that sub-container.

Put it under MyBusiness\Computers, not under SBSComputers.

Note that any computer (not user) specific GPO settings applied
at a higher level (e.g., the domain or MyBusiness or Computers)
will be applied. Remember to always create your own GPOs - don't
edit the defaults - and be very careful with what you do. You may
want to implement loopback processing in the Restricted Computers
GPO. Test first!

Am I even close to being on the right track? If not, would
someone be so kind as to throw the switch for me?

Thank you!

Gregg Hill

--
/kj

--
/kj
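
The approach suggested in this thread (a separate OU under MyBusiness\Computers, a new GPO with loopback processing, and a bogus proxy), scripted as an added example that is not from any poster. It assumes a management host with the ActiveDirectory and GroupPolicy PowerShell modules; the GPO name, computer names and proxy address are constructed placeholders.

```powershell
# Added example; values marked "assumed" do not come from the thread.
Import-Module ActiveDirectory, GroupPolicy

$domainDn   = 'DC=office,DC=lan'                      # office.lan, as named in the thread
$parentOu   = "OU=Computers,OU=MyBusiness,$domainDn"  # MyBusiness > Computers
$ouName     = 'Restricted Computers'
$ouDn       = "OU=$ouName,$parentOu"
$gpoName    = 'Restricted Computers Lockdown'         # assumed GPO name
$factoryPcs = 'FACTORY-PC01', 'FACTORY-PC02'          # assumed computer names
$bogusProxy = '127.0.0.1:9'                           # assumed dead proxy address

# 1. Create the OU beside SBSComputers (not under it) if it does not exist yet.
$existing = Get-ADOrganizationalUnit -Filter "Name -eq '$ouName'" `
                -SearchBase $parentOu -SearchScope OneLevel
if (-not $existing) { New-ADOrganizationalUnit -Name $ouName -Path $parentOu }

# 2. Create a new GPO instead of editing the SBS defaults.
if (-not (Get-GPO -Name $gpoName -ErrorAction SilentlyContinue)) {
    New-GPO -Name $gpoName -Comment 'Factory workstation lockdown' | Out-Null
}

# 3. Loopback processing: 1 = merge, 2 = replace. This makes the GPO's *user*
#    settings apply to anyone who logs on to a computer in this OU.
Set-GPRegistryValue -Name $gpoName -Type DWord -Value 1 -ValueName 'UserPolicyMode' `
    -Key 'HKLM\Software\Policies\Microsoft\Windows\System' | Out-Null

# 4. Per-user proxy pointing nowhere, plus the policy that locks the proxy dialog.
$inet = 'HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
Set-GPRegistryValue -Name $gpoName -Key $inet -ValueName 'ProxyEnable' `
    -Type DWord -Value 1 | Out-Null
Set-GPRegistryValue -Name $gpoName -Key $inet -ValueName 'ProxyServer' `
    -Type String -Value $bogusProxy | Out-Null
Set-GPRegistryValue -Name $gpoName -Type DWord -Value 1 -ValueName 'Proxy' `
    -Key 'HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel' | Out-Null

# 5. Link the GPO to the new OU only; front-office machines stay in SBSComputers.
New-GPLink -Name $gpoName -Target $ouDn -LinkEnabled Yes | Out-Null

# 6. Move the factory workstations into the new OU.
foreach ($pc in $factoryPcs) {
    Get-ADComputer -Identity $pc | Move-ADObject -TargetPath $ouDn
}

# 7. Check the result: domain-level SBS GPOs should still be listed as inherited,
#    with the new lockdown GPO ahead of them in precedence.
(Get-GPInheritance -Target $ouDn).InheritedGpoLinks |
    Select-Object Order, DisplayName, Enabled, Enforced
```

The proxy values in step 4 sit outside the Policies key, so they persist on a machine after it leaves the OU until something resets them; run `gpresult` on a test workstation before moving production machines.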
