Announcement

Collapse
No announcement yet.

GPO question

Collapse
X
  • Filter
  • Time
  • Show
Clear All
new posts

  • GPO question

    I was thinking which is the best way when planning gpo structure.

    Let's say I have OU named "Company X" and under that OU I have three OU's that are "Marketing Computers", "Sales Computers" and "Production Computers". I want to apply GPO "Disable Windows AutoRun" to all of these computers. Do I link the GPO "Disable Computers Autorun" to OU "Company X" or do I link this GPO to all of these OU's separately?

  • #2
    Re: GPO question

    You can link it to the Company X OU and as long as none of the child OU's have inheritance blocked it will apply to all of the computers in the child OU's.

    Comment


    • #3
      Re: GPO question

      Originally posted by joeqwerty View Post
      You can link it to the Company X OU and as long as none of the child OU's have inheritance blocked it will apply to all of the computers in the child OU's.
      Yes I know what I can do but I was asking what is the good way to do it.

      Linking it to the top level OU or link it separately to sub leve OU's. Does this affect anything to gpo performance? Let's say we have 50 OU's and this particular GPO is linked to 20 OU's under the top level OU. I would say that the best way is to link it to only top level OU..

      Comment


      • #4
        Re: GPO question

        This is worth a review.

        http://technet.microsoft.com/en-us/l...68(WS.10).aspx

        There are numerous ways of applying GPOs. It often depends on the requirements and who will actually be managing the GPOs, OUs and so on.

        I tend to apply the GPO as high as possible, so in your case, to the one OU. I have not known this to cause a performance issue as oppose to applying to each OU.

        Some consultants will apply all GPOs at the domain level and then apply security filtering to ensure they apply to the relevant user and computer objects.

        This is just a brief explanation as is moving away from your original question.

        Comment


        • #5
          Re: GPO question

          AFAIK MS best practice (as taught in all the AD training, anyway) is to apply the GPO as high up as possible, then use block inheritance where required lower down
          Tom Jones
          MCT, MCSE (2000:Security & 2003), MCSA:Security & Messaging, MCDBA, MCDST, MCITP(EA, EMA, SA, EDA, ES, CS), MCTS, MCP, Sec+
          PhD, MSc, FIAP, MIITT
          IT Trainer / Consultant
          Ossian Ltd
          Scotland

          ** Remember to give credit where credit is due and leave reputation points where appropriate **

          Comment

          Working...
          X