Announcement

Collapse
No announcement yet.

Multiple Unique Policies

Collapse
X
  • Filter
  • Time
  • Show
Clear All
new posts

  • Multiple Unique Policies

    It is my understanding that the best way to organize group policy is to apply it to an OU. If a user can only be in one OU and you have a users or groups that require several unique policies how can you apply them? Can you create OUs for the sole purpose of creating and applying policies without adding the user to the OU and then just apply the OU policy to the specific user or group regardless of the OU they reside in? If that is the case Would the policies applied be cumlative?

    Any help understanding this would be greatly appreciated.

    Many thanks in advance.

  • #2
    Re: Multiple Unique Policies

    Hi,

    You can apply Group policies to Computer Objects and User objects and also use security filtering to apply to specified Groups only.
    A GPO has two section Computer and User configuration settings. Any configuration on the first section will only apply to computer objects within the OU where the GPO is linked and the same applies for the User configuration part (Unless of course you use loopback processing mode, which I am not going into right now).

    Have a look at this brief article for more info on GPOs: - http://www.nhboston.com/LinkClick.as...=1687&mid=2851

    Cheers
    Caesar's cipher - 3

    ZKHQ BRX HYHQWXDOOB GHFLSKHU WKLV BRX ZLOO UHDOLVH LW ZDV D ZDVWH RI WLPH!

    SFX JNRS FC U6 MNGR

    Comment


    • #3
      Re: Multiple Unique Policies

      A GPO will apply to everything in the OU to which it is linked. If you have a parent OU and two child OUs inside it, then a GPO linked to the parent will apply to both children. If you link a GPO to child1, it will not affect child2 or any other OUs or objects in the parent.

      In addition to linking a GPO to an OU, you can also filter it with security groups and WMI filters.
      Gareth Howells

      BSc (Hons), MBCS, MCP, MCDST, ICCE

      Any advice is given in good faith and without warranty.

      Please give reputation points if somebody has helped you.

      "For by now I could have stretched out my hand and struck you and your people with a plague that would have wiped you off the Earth." (Exodus 9:15) - I could kill you with my thumb.

      "Everything that lives and moves will be food for you." (Genesis 9:3) - For every animal you don't eat, I'm going to eat three.

      Comment


      • #4
        Re: Multiple Unique Policies

        Thanks for the quick replys. Can the OU be empty and add just groups in the user configuration settings or would you just create a group in the policy OU and add users from other OUs to the group?

        Thanks again.

        Comment


        • #5
          Re: Multiple Unique Policies

          If you need to create a lot of such GPO's then maybe it's time to redesign AD.
          It's not a best practice to use a lot of GPO filtering by security groups or by WMI filters.
          Marcel
          Technical Consultant
          Netherlands
          http://www.phetios.com
          http://blog.nessus.nl

          MCITP(EA, SA), MCSA/E 2003:Security, CCNA, SNAF, DCUCI, CCSA/E/E+ (R60), VCP4/5, NCDA, NCIE - SAN, NCIE - BR, EMCPE
          "No matter how secure, there is always the human factor."

          "Enjoy life today, tomorrow may never come."
          "If you're going through hell, keep going. ~Winston Churchill"

          Comment


          • #6
            Re: Multiple Unique Policies

            Originally posted by windows_help View Post
            Can the OU be empty and add just groups in the user configuration settings
            No. As I said, a GPO linked to an OU will only apply to objects which are descendants of that OU, regardless of any other filtering you apply.
            Gareth Howells

            BSc (Hons), MBCS, MCP, MCDST, ICCE

            Any advice is given in good faith and without warranty.

            Please give reputation points if somebody has helped you.

            "For by now I could have stretched out my hand and struck you and your people with a plague that would have wiped you off the Earth." (Exodus 9:15) - I could kill you with my thumb.

            "Everything that lives and moves will be food for you." (Genesis 9:3) - For every animal you don't eat, I'm going to eat three.

            Comment

            Working...
            X