GPO newbie, some questions.

  • GPO newbie, some questions.

    Post - GPOs Newbie

    So I just started with Group Policy. I've enabled a company-wide policy, which I applied to the Default Domain Policy GPO.
    It's pretty basic stuff, a company wallpaper, company screensaver, some IE and Start Menu configurations, Windows Update interval and options, etc.
    The screensaver and wallpaper settings were a bit tricky. I used a batch file at logon to copy the .scr from the server into the System32 directory, otherwise it wouldn't work with the UNC path. For the wallpaper, I didn't want to use Active Desktop, so instead I used a batch file to import a reg key into the Registry key "HKEY_CURRENT_USER\Control Panel\Desktop" and set the wallpaper bitmap.

    Users cannot change the wallpaper or the screensaver.
    However, I've noticed that even if I log in as an administrator, I can't either. I'm also locked from making changes. So my question is, how can I exclude domain admins from the Default Domain Policy? Or am I doing something wrong to begin with?

    Another inquiry is this. I have a few problem users who spent too much time on Windows Live Messenger and some other crap I don't like. Some of them need to be local admin because of some idiotic business applications we have to run, which won't run otherwise. So I was planning on creating a user group in AD called "Problem Users". I would add those users (just 8 or 10) to that group. Then, I'd create a GPO for that user group alone, and apply all the restrictions there. I believe that will keep the domain admins out, right? Even if the user is a local admin, the GPO should override their privileges, am I correct?

    I've been reading a lot about Group Policy lately, but I appreciate all the help I can get.

    Thanks!

  • #2
    Re: GPO newbie, some questions.

    The thing that will solve your issue is GPO filtering.
    http://technet.microsoft.com/en-us/l...91(WS.10).aspx

    But it looks like you'll have to take a look at your AD OU structure. I would not set the wallpaper GPO in the default domain GPO.

    bio..


    • #3
      Re: GPO newbie, some questions.

      Originally posted by ekG
      So my question is, how can I exclude domain admins from the Default Domain Policy? Or am I doing something wrong to begin with?

      Another inquiry is this. I have a few problem users who spent too much time on Windows Live Messenger and some other crap I don’t like. Some of them need to be local admin because of some idiotic business applications we have to run, which won’t run otherwise. So I was planning on creating an user group in AD called “Problem Users”. I would add those users (just 8 or 10) to that group. Then, I’d create a GPO for that user group alone, and apply all the restrictions there. I believe that will keep the domain admins out, right? Even if the user is a local admin, the GPO should override their privileges, am I correct?

      ekG, do not try to add too many of that kind of policy to the Default Domain Policy (to minimize the risk of something bad happening with this important GPO); it is better to create new GPO(s) and link these at the domain level. Or, much better, create OU structures for the company users and OUs for client computers, then create and link new GPOs at OU level.


      Group Policy settings are processed in the following order:
      (http://technet.microsoft.com/en-us/l...90(WS.10).aspx)
      1. Local Group Policy object
        Each computer has exactly one Group Policy object that is stored locally.

      2. Site
        Any Group Policy objects that have been linked to the site are processed next. Processing is synchronous and in an order that is specified by the administrator.

      3. Domain
        Processing of multiple domain-linked Group Policy objects is synchronous and in an order specified by the administrator.

      4. Organizational units
        Group Policy objects that are linked to the organizational unit that is highest in the Active Directory hierarchy are processed first, then Group Policy objects that are linked to its child organizational unit, and so on. Finally, the Group Policy objects that are linked to the organizational unit that contains the user or computer are processed. At the level of each organizational unit in the Active Directory hierarchy, one, many, or no Group Policy objects can be linked.

        If several Group Policy objects are linked to one organizational unit, their processing is synchronous and in an order that can be specified by editing the "Link order" of the GPOs that are linked to this OU.
      This order means that the local Group Policy object is processed first, and Group Policy objects that are linked to the organizational unit of which the computer or user is a direct member are processed last, which overwrites the earlier Group Policy objects.


      \Rems

      This posting is provided "AS IS" with no warranties, and confers no rights.

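The approach the replies describe (a separate GPO linked at OU level and scoped with security filtering), shown as an added example that is not part of the thread. The domain `corp.example`, the OU path and the GPO name are assumptions; "Problem Users" is the group from the original post and is assumed to already exist in AD. Admin accounts that are not members of that group do not receive the GPO.

```powershell
# Added example; run from a machine with the GroupPolicy module (GPMC/RSAT)
# under an account allowed to create and link GPOs.
Import-Module GroupPolicy

# Assumed values: replace with your own domain, OU and GPO name.
$Domain  = 'corp.example'
$UsersOU = 'OU=Staff,DC=corp,DC=example'
$GpoName = 'Staff - Desktop Restrictions'
$Group   = 'Problem Users'   # group name from the original post

# 1. Create a separate GPO and leave the Default Domain Policy untouched.
$gpo = New-GPO -Name $GpoName -Domain $Domain `
    -Comment 'User restrictions, scoped by security filtering'

# 2. Link it to the OU that holds the user accounts. OU-linked GPOs are
#    processed after domain-linked ones, so their settings win on conflict.
New-GPLink -Guid $gpo.Id -Target $UsersOU -LinkEnabled Yes -Domain $Domain |
    Out-Null

# 3. Security filtering: only members of $Group get "Apply group policy".
#    Authenticated Users is reduced to Read rather than removed, because
#    clients still need to read the GPO to process it.
Set-GPPermission -Guid $gpo.Id -TargetName $Group -TargetType Group `
    -PermissionLevel GpoApply -Domain $Domain | Out-Null
Set-GPPermission -Guid $gpo.Id -TargetName 'Authenticated Users' `
    -TargetType Group -PermissionLevel GpoRead -Replace -Domain $Domain |
    Out-Null

# 4. Check the result: which trustees can apply the GPO ...
Get-GPPermission -Guid $gpo.Id -All -Domain $Domain |
    Where-Object { $_.Permission -eq 'GpoApply' } |
    Select-Object @{ n = 'Trustee'; e = { $_.Trustee.Name } }, Permission

#    ... and which GPO links the OU inherits or carries itself.
(Get-GPInheritance -Target $UsersOU -Domain $Domain).InheritedGpoLinks |
    Select-Object Order, DisplayName, Enabled, Enforced
```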