Dave Nickason [SBS MVP]
Guest
Posted: Wed Nov 09, 2005 1:50 am
Post subject: Re: Group Policies
Group policies can be applied domain-wide, including with the Default Domain
Policy. Or, they can be applied to specific Organizational Units.
Organizational units can contain computers, users, or both, but typically
you would not want to mix users and computers in one OU.

In the absence of a reason to the contrary, I'd apply security settings
domain-wide. In your original question you say the policy locks all of the
computers in the domain. Does that mean that it applied settings
domain-wide that you only wanted to apply to certain computers, or does it
mean that you got an unexpected result? There's no reason to move the
computers or users between OUs unless you're trying to apply the settings
more granularly than domain-wide. Especially for security stuff, I usually
apply that to computers rather than to users.

As far as going down blazing, I'd make the following recommendations:

Be careful moving objects between OUs while they're in use. In particular,
I've had some unpleasant results moving users while they're logged in.

Don't edit existing policies; create new ones for specific purposes. For
example, MS Office Settings Policy, Webb's Domain Security Policy, etc.
That way, if you really trash something, you can just kill the whole policy
quickly and start from scratch, rather than trying to figure out how to
solve a problem that's trashing a bunch of users.

Document all of your changes in writing for "undo" purposes. There's
nothing quite like a policy that kills something you need to work, and
having no idea what policy did it. On a related note, try rolling out one
or a few policies at a time. If you're planning to make a large number of
changes, doing it slowly will simplify recovery from unintended results.

Set up a test OU and try policies out on your own user account or
workstation before imposing them on the whole organization. Learn how to
use Resultant Set of Policy to see the results of your policies. See this
article (it references WS03 but the procedure is the same on your XP
desktop): http://support.microsoft.com/default.aspx?scid=kb;en-us;312321

"webb" <webuser@theweb.com> wrote in message
news:ONr0cbK5FHA.2524@TK2MSFTNGP10.phx.gbl...
Quote:
Thanks for your reply MoiToo.
Let's see if I understand what you said.
Create another Organization Unit.
Move all users to this OU.
Create another GPO for the users in the OU and I should be fine.
Has anyone done this that could guide me so I don't hose a live server
down?
Is there a guide somewhere I could peruse before I go down blazing??
Thank you
The Dude
"" <newsgroups@dodo.com.au> wrote in message
news:uEqQ0VE5FHA.1140@tk2msftngp13.phx.gbl...
Create another OU and put all computers in that OU. Place a policy on that
OU. This will apply to everyone on these machines (admins included).
The better way is to put all users in an OU, place a GPO with user settings
on this OU. Then, when you log on as admin you still have full control.
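
The recommendations in the reply at the top of this thread (a new purpose-specific policy, a test OU, a written record for undo, Resultant Set of Policy), shown with the PowerShell GroupPolicy module as an added example that is not part of the original thread. The module postdates these 2005 posts; the GPO name, the OU path and the C:\GpoChangeLog folder are assumed placeholders.

```powershell
# Added example; OU path, GPO name and folder are assumed placeholders.
# Requires the GroupPolicy module (RSAT, Windows Server 2008 R2 or later).
Import-Module GroupPolicy

function New-StagedGpo {
    param(
        [Parameter(Mandatory)] [string] $Name,    # purpose-specific GPO name
        [Parameter(Mandatory)] [string] $TestOu,  # distinguished name of the test OU
        [Parameter(Mandatory)] [string] $Reason,  # goes into the written record
        [string] $RecordDir = 'C:\GpoChangeLog'   # assumed location for records
    )
    # Refuse to reuse an existing policy: one GPO per purpose.
    if (Get-GPO -Name $Name -ErrorAction SilentlyContinue) {
        throw "GPO '$Name' already exists; pick a new name."
    }
    New-Item -ItemType Directory -Path $RecordDir -Force | Out-Null

    # Create the GPO and link it to the test OU only, not the domain root.
    $gpo = New-GPO -Name $Name -Comment $Reason
    New-GPLink -Name $Name -Target $TestOu -LinkEnabled Yes | Out-Null

    # Written record for "undo": when, who, which GPO, where linked, why.
    $line = '{0:u}  {1}  {2}  {3}  {4}  {5}' -f (Get-Date), $env:USERNAME,
            $Name, $gpo.Id, $TestOu, $Reason
    Add-Content -Path (Join-Path $RecordDir 'changes.log') -Value $line
    return $gpo
}

function Save-GpoSnapshot {
    # Run after each round of edits: a restorable backup plus a readable report.
    param([string] $Name, [string] $RecordDir = 'C:\GpoChangeLog')
    Backup-GPO -Name $Name -Path $RecordDir -Comment "Snapshot $(Get-Date -Format s)" | Out-Null
    $report = Join-Path $RecordDir ('{0}-{1:yyyyMMdd-HHmmss}.html' -f $Name, (Get-Date))
    Get-GPOReport -Name $Name -ReportType Html -Path $report
}

function Disable-StagedGpo {
    # Quick way to take the whole policy out of play: disable its link, keep the GPO.
    param([string] $Name, [string] $TestOu)
    Set-GPLink -Name $Name -Target $TestOu -LinkEnabled No | Out-Null
}

# Usage (placeholder values):
# New-StagedGpo -Name 'Workstation Lockdown Test' -TestOu 'OU=GPO Test,DC=example,DC=local' -Reason 'Trial of lockdown settings'
# Save-GpoSnapshot -Name 'Workstation Lockdown Test'
# On a test workstation in that OU, after gpupdate, check what actually applied:
# Get-GPResultantSetOfPolicy -ReportType Html -Path "$env:TEMP\rsop.html"
```

Disabling the link leaves the GPO and its backups in place, so the settings can still be reviewed against the change log before the policy is deleted or reworked.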