Good group policy management within an organisation

Archived from groups: microsoft.public.win2000.group_policy (More info?)

Hi there,

I'm about to start applying Group Policies to our network (1 server and 8
users) as it's currently an open system that's facing a lot of abuse.

However, I'm looking for some ideas on managing this, and in particular, how
I should be arranging the OU's, being just a single small office.

I've thought about having an OU that had global policies, then have three
separate OU's that contained Level 1, 2 and 3 polices of differing degrees
of group policies (low, medium, high). But if I do this, I'm finding that
it's difficult to remember what each Level contains, and it's getting quite
messy.

Are there any websites that show some good practice and organisation for
this?

Thanks for any help, it's appreciated.

Regards,

Stephen
10 answers Last reply
More about good group policy management organisation
  1. Archived from groups: microsoft.public.win2000.group_policy (More info?)

    Keep in mind there are two parts to Group Policy - computer and user and that they
    need to reside in the container where the policy is applied. Also for domain users,
    password/account policy can only be applied at the domain level. OU policy that has
    "defined" settings will override the same settings defined at the domain level. If
    there is a setting defined at the domain level and not at the OU level, the setting
    will still apply to a user/computer in the OU in a default installation.

    You may want to consider setting global polices that you want to apply to everyone at
    the domain level and then use your three OU's and name them something appropriate
    that distinguishes each by a role that applies to your office -
    employees/managers/admins etc. or sales/admin/production etc. --- Steve

    http://www.microsoft.com/windows2000/techinfo/planning/management/groupsteps.asp
    http://www.microsoft.com/resources/documentation/windows/2000/server/reskit/en-us/distsys/part4/dsgch22.mspx

    "ste©" <ContactMeUsingTheContactForm@sm9.co.uk> wrote in message
    news:40f287a1$0$6442$cc9e4d1f@news-text.dial.pipex.com...
    > Hi there,
    >
    > I'm about to start applying Group Policies to our network (1 server and 8
    > users) as it's currently an open system that's facing a lot of abuse.
    >
    > However, I'm looking for some ideas on managing this, and in particular, how
    > I should be arranging the OU's, being just a single small office.
    >
    > I've thought about having an OU that had global policies, then have three
    > separate OU's that contained Level 1, 2 and 3 polices of differing degrees
    > of group policies (low, medium, high). But if I do this, I'm finding that
    > it's difficult to remember what each Level contains, and it's getting quite
    > messy.
    >
    > Are there any websites that show some good practice and organisation for
    > this?
    >
    > Thanks for any help, it's appreciated.
    >
    > Regards,
    >
    > Stephen
    >
    >
  2. Archived from groups: microsoft.public.win2000.group_policy (More info?)

    Hi

    The following are quite good in terms of guidance (for different purposes):

    http://www.microsoft.com/technet/prodtechnol/windows2000serv/deploy/confeat/grppolsc.mspx

    http://www.microsoft.com/downloads/details.aspx?FamilyID=8a2643c1-0685-4d89-b655-521ea6c7b4db&displaylang=en

    Kind regards
    --
    Mark Renoden [MSFT]
    Windows Platform Support Team
    Email: markreno@online.microsoft.com

    Please note you'll need to strip ".online" from my email address to email
    me; I'll post a response back to the group.

    This posting is provided "AS IS" with no warranties, and confers no rights.

    "Steven L Umbach" <n9rou@n0-spam-for-me-comcast.net> wrote in message
    news:h1AIc.62169$a24.33684@attbi_s03...
    > Keep in mind there are two parts to Group Policy - computer and user and
    > that they
    > need to reside in the container where the policy is applied. Also for
    > domain users,
    > password/account policy can only be applied at the domain level. OU policy
    > that has
    > "defined" settings will override the same settings defined at the domain
    > level. If
    > there is a setting defined at the domain level and not at the OU level,
    > the setting
    > will still apply to a user/computer in the OU in a default installation.
    >
    > You may want to consider setting global polices that you want to apply to
    > everyone at
    > the domain level and then use your three OU's and name them something
    > appropriate
    > that distinguishes each by a role that applies to your office -
    > employees/managers/admins etc. or sales/admin/production etc. --- Steve
    >
    > http://www.microsoft.com/windows2000/techinfo/planning/management/groupsteps.asp
    > http://www.microsoft.com/resources/documentation/windows/2000/server/reskit/en-us/distsys/part4/dsgch22.mspx
    >
    > "ste©" <ContactMeUsingTheContactForm@sm9.co.uk> wrote in message
    > news:40f287a1$0$6442$cc9e4d1f@news-text.dial.pipex.com...
    >> Hi there,
    >>
    >> I'm about to start applying Group Policies to our network (1 server and 8
    >> users) as it's currently an open system that's facing a lot of abuse.
    >>
    >> However, I'm looking for some ideas on managing this, and in particular,
    >> how
    >> I should be arranging the OU's, being just a single small office.
    >>
    >> I've thought about having an OU that had global policies, then have three
    >> separate OU's that contained Level 1, 2 and 3 polices of differing
    >> degrees
    >> of group policies (low, medium, high). But if I do this, I'm finding
    >> that
    >> it's difficult to remember what each Level contains, and it's getting
    >> quite
    >> messy.
    >>
    >> Are there any websites that show some good practice and organisation for
    >> this?
    >>
    >> Thanks for any help, it's appreciated.
    >>
    >> Regards,
    >>
    >> Stephen
    >>
    >>
    >
    >
  3. Archived from groups: microsoft.public.win2000.group_policy (More info?)

    Thanks for the reply and advice Steven. At the moment, I've disabled the
    computer parts of the group policies because I'm only specifying user
    policies, and I read in a book that this helps to speed up the application
    of these policies when the user logs on.

    When I set OU's such as Level 1, 2, & 3, they are basically the same as
    Employees, Managers, Admins; it's just that I'm naming them differently.
    What I'd like to do is to set up a level 1 policy (low restriction), then
    copy this policy to a brand new policy in level 2 - I could then have a
    starting point to go on from, rather than enforce everything I'd done in
    level 1 first, then add my next restrictions in level 2.

    At the moment, my active directory of users and computers is like this:

    mycompany (domain, and contains the unedited default domain policy)
    > MyCompanyPolicies (OU containing my global policies)
    > Level 1 (low restrictions)
    > Level 2 (medium restrictions)
    > Level 3 (high restrictions)

    I assume that I'm on the right track with this (?), but will keep reading
    the links and other resources that I find.

    Thanks,

    Ste


    "Steven L Umbach" <n9rou@n0-spam-for-me-comcast.net> wrote in message
    news:h1AIc.62169$a24.33684@attbi_s03...
    | Keep in mind there are two parts to Group Policy - computer and user and
    that they
    | need to reside in the container where the policy is applied. Also for
    domain users,
    | password/account policy can only be applied at the domain level. OU policy
    that has
    | "defined" settings will override the same settings defined at the domain
    level. If
    | there is a setting defined at the domain level and not at the OU level,
    the setting
    | will still apply to a user/computer in the OU in a default installation.
    |
    | You may want to consider setting global polices that you want to apply to
    everyone at
    | the domain level and then use your three OU's and name them something
    appropriate
    | that distinguishes each by a role that applies to your office -
    | employees/managers/admins etc. or sales/admin/production etc. --- Steve
    |
    |
    http://www.microsoft.com/windows2000/techinfo/planning/management/groupsteps.asp
    |
    http://www.microsoft.com/resources/documentation/windows/2000/server/reskit/en-us/distsys/part4/dsgch22.mspx
    |
    | "ste©" <ContactMeUsingTheContactForm@sm9.co.uk> wrote in message
    | news:40f287a1$0$6442$cc9e4d1f@news-text.dial.pipex.com...
    | > Hi there,
    | >
    | > I'm about to start applying Group Policies to our network (1 server and
    8
    | > users) as it's currently an open system that's facing a lot of abuse.
    | >
    | > However, I'm looking for some ideas on managing this, and in particular,
    how
    | > I should be arranging the OU's, being just a single small office.
    | >
    | > I've thought about having an OU that had global policies, then have
    three
    | > separate OU's that contained Level 1, 2 and 3 polices of differing
    degrees
    | > of group policies (low, medium, high). But if I do this, I'm finding
    that
    | > it's difficult to remember what each Level contains, and it's getting
    quite
    | > messy.
    | >
    | > Are there any websites that show some good practice and organisation for
    | > this?
    | >
    | > Thanks for any help, it's appreciated.
    | >
    | > Regards,
    | >
    | > Stephen
    | >
    | >
    |
    |
  4. Archived from groups: microsoft.public.win2000.group_policy (More info?)

    Sounds like you have a grasp of things. When you create a Group Policy [GPO] you can
    "link" it to more than one container/OU. The highest GPO takes precedence with
    defined settings. You could either create two sub OU's within your level 1 OU and
    simply create the GPO you want for each sub OU and put users into the appropriate OU
    and Group Policy would flow down through the sub OU's. Or you could have three OU's
    and then have the low restriction policy level linked to each OU with additional GPO
    for second level OU and all three GPO's linked the third level OU with high
    restrictions with the OU specific to that OU at the top of the list. --- Steve


    "ste©" <ContactMeUsingTheContactForm@sm9.co.uk> wrote in message
    news:2lj0itFcojrcU2@uni-berlin.de...
    > Thanks for the reply and advice Steven. At the moment, I've disabled the
    > computer parts of the group policies because I'm only specifying user
    > policies, and I read in a book that this helps to speed up the application
    > of these policies when the user logs on.
    >
    > When I set OU's such as Level 1, 2, & 3, they are basically the same as
    > Employees, Managers, Admins; it's just that I'm naming them differently.
    > What I'd like to do is to set up a level 1 policy (low restriction), then
    > copy this policy to a brand new policy in level 2 - I could then have a
    > starting point to go on from, rather than enforce everything I'd done in
    > level 1 first, then add my next restrictions in level 2.
    >
    > At the moment, my active directory of users and computers is like this:
    >
    > mycompany (domain, and contains the unedited default domain policy)
    > > MyCompanyPolicies (OU containing my global policies)
    > > Level 1 (low restrictions)
    > > Level 2 (medium restrictions)
    > > Level 3 (high restrictions)
    >
    > I assume that I'm on the right track with this (?), but will keep reading
    > the links and other resources that I find.
    >
    > Thanks,
    >
    > Ste
    >
    >
    > "Steven L Umbach" <n9rou@n0-spam-for-me-comcast.net> wrote in message
    > news:h1AIc.62169$a24.33684@attbi_s03...
    > | Keep in mind there are two parts to Group Policy - computer and user and
    > that they
    > | need to reside in the container where the policy is applied. Also for
    > domain users,
    > | password/account policy can only be applied at the domain level. OU policy
    > that has
    > | "defined" settings will override the same settings defined at the domain
    > level. If
    > | there is a setting defined at the domain level and not at the OU level,
    > the setting
    > | will still apply to a user/computer in the OU in a default installation.
    > |
    > | You may want to consider setting global polices that you want to apply to
    > everyone at
    > | the domain level and then use your three OU's and name them something
    > appropriate
    > | that distinguishes each by a role that applies to your office -
    > | employees/managers/admins etc. or sales/admin/production etc. --- Steve
    > |
    > |
    > http://www.microsoft.com/windows2000/techinfo/planning/management/groupsteps.asp
    > |
    >
    http://www.microsoft.com/resources/documentation/windows/2000/server/reskit/en-us/distsys/part4/dsgch22.mspx
    > |
    > | "ste©" <ContactMeUsingTheContactForm@sm9.co.uk> wrote in message
    > | news:40f287a1$0$6442$cc9e4d1f@news-text.dial.pipex.com...
    > | > Hi there,
    > | >
    > | > I'm about to start applying Group Policies to our network (1 server and
    > 8
    > | > users) as it's currently an open system that's facing a lot of abuse.
    > | >
    > | > However, I'm looking for some ideas on managing this, and in particular,
    > how
    > | > I should be arranging the OU's, being just a single small office.
    > | >
    > | > I've thought about having an OU that had global policies, then have
    > three
    > | > separate OU's that contained Level 1, 2 and 3 polices of differing
    > degrees
    > | > of group policies (low, medium, high). But if I do this, I'm finding
    > that
    > | > it's difficult to remember what each Level contains, and it's getting
    > quite
    > | > messy.
    > | >
    > | > Are there any websites that show some good practice and organisation for
    > | > this?
    > | >
    > | > Thanks for any help, it's appreciated.
    > | >
    > | > Regards,
    > | >
    > | > Stephen
    > | >
    > | >
    > |
    > |
    >
    >
  5. Archived from groups: microsoft.public.win2000.group_policy (More info?)

    Thanks for the furthe links Mark, I will check these out.

    Ste


    "Mark Renoden [MSFT]" <markreno@online.microsoft.com> wrote in message
    news:u9BqeLKaEHA.2488@tk2msftngp13.phx.gbl...
    | Hi
    |
    | The following are quite good in terms of guidance (for different
    purposes):
    |
    |
    http://www.microsoft.com/technet/prodtechnol/windows2000serv/deploy/confeat/grppolsc.mspx
    |
    |
    http://www.microsoft.com/downloads/details.aspx?FamilyID=8a2643c1-0685-4d89-b655-521ea6c7b4db&displaylang=en
    |
    | Kind regards
    | --
    | Mark Renoden [MSFT]
    | Windows Platform Support Team
    | Email: markreno@online.microsoft.com
    |
    | Please note you'll need to strip ".online" from my email address to email
    | me; I'll post a response back to the group.
    |
    | This posting is provided "AS IS" with no warranties, and confers no
    rights.
    |
    | "Steven L Umbach" <n9rou@n0-spam-for-me-comcast.net> wrote in message
    | news:h1AIc.62169$a24.33684@attbi_s03...
    | > Keep in mind there are two parts to Group Policy - computer and user and
    | > that they
    | > need to reside in the container where the policy is applied. Also for
    | > domain users,
    | > password/account policy can only be applied at the domain level. OU
    policy
    | > that has
    | > "defined" settings will override the same settings defined at the domain
    | > level. If
    | > there is a setting defined at the domain level and not at the OU level,
    | > the setting
    | > will still apply to a user/computer in the OU in a default installation.
    | >
    | > You may want to consider setting global polices that you want to apply
    to
    | > everyone at
    | > the domain level and then use your three OU's and name them something
    | > appropriate
    | > that distinguishes each by a role that applies to your office -
    | > employees/managers/admins etc. or sales/admin/production etc. --- Steve
    | >
    | >
    http://www.microsoft.com/windows2000/techinfo/planning/management/groupsteps.asp
    | >
    http://www.microsoft.com/resources/documentation/windows/2000/server/reskit/en-us/distsys/part4/dsgch22.mspx
    | >
    | > "ste©" <ContactMeUsingTheContactForm@sm9.co.uk> wrote in message
    | > news:40f287a1$0$6442$cc9e4d1f@news-text.dial.pipex.com...
    | >> Hi there,
    | >>
    | >> I'm about to start applying Group Policies to our network (1 server and
    8
    | >> users) as it's currently an open system that's facing a lot of abuse.
    | >>
    | >> However, I'm looking for some ideas on managing this, and in
    particular,
    | >> how
    | >> I should be arranging the OU's, being just a single small office.
    | >>
    | >> I've thought about having an OU that had global policies, then have
    three
    | >> separate OU's that contained Level 1, 2 and 3 polices of differing
    | >> degrees
    | >> of group policies (low, medium, high). But if I do this, I'm finding
    | >> that
    | >> it's difficult to remember what each Level contains, and it's getting
    | >> quite
    | >> messy.
    | >>
    | >> Are there any websites that show some good practice and organisation
    for
    | >> this?
    | >>
    | >> Thanks for any help, it's appreciated.
    | >>
    | >> Regards,
    | >>
    | >> Stephen
    | >>
    | >>
    | >
    | >
    |
    |
  6. Archived from groups: microsoft.public.win2000.group_policy (More info?)

    Thanks for that again Steve, and I'll take note of your two approaches.
    I've only added some basic global policies at the moment, but will start to
    add more on a development PC using a test user account. The overall aim is
    to only let people do and use what they need for the job. Hopefully, the
    days of getting paid to chat on Yahoo Messenger all day are over... ;-)

    Thanks,

    Ste


    "Steven L Umbach" <n9rou@n0-spam-for-me-comcast.net> wrote in message
    news:ViYIc.46653$WX.6481@attbi_s51...
    | Sounds like you have a grasp of things. When you create a Group Policy
    [GPO] you can
    | "link" it to more than one container/OU. The highest GPO takes precedence
    with
    | defined settings. You could either create two sub OU's within your level 1
    OU and
    | simply create the GPO you want for each sub OU and put users into the
    appropriate OU
    | and Group Policy would flow down through the sub OU's. Or you could have
    three OU's
    | and then have the low restriction policy level linked to each OU with
    additional GPO
    | for second level OU and all three GPO's linked the third level OU with
    high
    | restrictions with the OU specific to that OU at the top of the list. ---
    Steve
    |
    |
    | "ste©" <ContactMeUsingTheContactForm@sm9.co.uk> wrote in message
    | news:2lj0itFcojrcU2@uni-berlin.de...
    | > Thanks for the reply and advice Steven. At the moment, I've disabled
    the
    | > computer parts of the group policies because I'm only specifying user
    | > policies, and I read in a book that this helps to speed up the
    application
    | > of these policies when the user logs on.
    | >
    | > When I set OU's such as Level 1, 2, & 3, they are basically the same as
    | > Employees, Managers, Admins; it's just that I'm naming them differently.
    | > What I'd like to do is to set up a level 1 policy (low restriction),
    then
    | > copy this policy to a brand new policy in level 2 - I could then have a
    | > starting point to go on from, rather than enforce everything I'd done in
    | > level 1 first, then add my next restrictions in level 2.
    | >
    | > At the moment, my active directory of users and computers is like this:
    | >
    | > mycompany (domain, and contains the unedited default domain policy)
    | > > MyCompanyPolicies (OU containing my global policies)
    | > > Level 1 (low restrictions)
    | > > Level 2 (medium restrictions)
    | > > Level 3 (high restrictions)
    | >
    | > I assume that I'm on the right track with this (?), but will keep
    reading
    | > the links and other resources that I find.
    | >
    | > Thanks,
    | >
    | > Ste
    | >
    | >
    | > "Steven L Umbach" <n9rou@n0-spam-for-me-comcast.net> wrote in message
    | > news:h1AIc.62169$a24.33684@attbi_s03...
    | > | Keep in mind there are two parts to Group Policy - computer and user
    and
    | > that they
    | > | need to reside in the container where the policy is applied. Also for
    | > domain users,
    | > | password/account policy can only be applied at the domain level. OU
    policy
    | > that has
    | > | "defined" settings will override the same settings defined at the
    domain
    | > level. If
    | > | there is a setting defined at the domain level and not at the OU
    level,
    | > the setting
    | > | will still apply to a user/computer in the OU in a default
    installation.
    | > |
    | > | You may want to consider setting global polices that you want to apply
    to
    | > everyone at
    | > | the domain level and then use your three OU's and name them something
    | > appropriate
    | > | that distinguishes each by a role that applies to your office -
    | > | employees/managers/admins etc. or sales/admin/production etc. ---
    Steve
    | > |
    | > |
    | >
    http://www.microsoft.com/windows2000/techinfo/planning/management/groupsteps.asp
    | > |
    | >
    |
    http://www.microsoft.com/resources/documentation/windows/2000/server/reskit/en-us/distsys/part4/dsgch22.mspx
    | > |
    | > | "ste©" <ContactMeUsingTheContactForm@sm9.co.uk> wrote in message
    | > | news:40f287a1$0$6442$cc9e4d1f@news-text.dial.pipex.com...
    | > | > Hi there,
    | > | >
    | > | > I'm about to start applying Group Policies to our network (1 server
    and
    | > 8
    | > | > users) as it's currently an open system that's facing a lot of
    abuse.
    | > | >
    | > | > However, I'm looking for some ideas on managing this, and in
    particular,
    | > how
    | > | > I should be arranging the OU's, being just a single small office.
    | > | >
    | > | > I've thought about having an OU that had global policies, then have
    | > three
    | > | > separate OU's that contained Level 1, 2 and 3 polices of differing
    | > degrees
    | > | > of group policies (low, medium, high). But if I do this, I'm
    finding
    | > that
    | > | > it's difficult to remember what each Level contains, and it's
    getting
    | > quite
    | > | > messy.
    | > | >
    | > | > Are there any websites that show some good practice and organisation
    for
    | > | > this?
    | > | >
    | > | > Thanks for any help, it's appreciated.
    | > | >
    | > | > Regards,
    | > | >
    | > | > Stephen
    | > | >
    | > | >
    | > |
    | > |
    | >
    | >
    |
    |
  7. Archived from groups: microsoft.public.win2000.group_policy (More info?)

    Sounds good. Keep in mind that your firewall configuration can also be a major
    contributor to users not using unauthorized internet applications. Either try to use
    a default block all outbound access rule and then create the exceptions for
    authorized traffic. If your firewall can not do that, consider getting another one as
    they have really dropped in price and $350 can get you a good SOHO unit. Otherwise
    see if your existing one can at least block some outbound traffic - even the $80
    routers from Neatger, Linksys, etc can do a pretty good job of that these days. Good
    luck. --- Steve


    "ste©" <ContactMeUsingTheContactForm@sm9.co.uk> wrote in message
    news:2llmf7Feh8ncU1@uni-berlin.de...
    > Thanks for that again Steve, and I'll take note of your two approaches.
    > I've only added some basic global policies at the moment, but will start to
    > add more on a development PC using a test user account. The overall aim is
    > to only let people do and use what they need for the job. Hopefully, the
    > days of getting paid to chat on Yahoo Messenger all day are over... ;-)
    >
    > Thanks,
    >
    > Ste
    >
    >
    > "Steven L Umbach" <n9rou@n0-spam-for-me-comcast.net> wrote in message
    > news:ViYIc.46653$WX.6481@attbi_s51...
    > | Sounds like you have a grasp of things. When you create a Group Policy
    > [GPO] you can
    > | "link" it to more than one container/OU. The highest GPO takes precedence
    > with
    > | defined settings. You could either create two sub OU's within your level 1
    > OU and
    > | simply create the GPO you want for each sub OU and put users into the
    > appropriate OU
    > | and Group Policy would flow down through the sub OU's. Or you could have
    > three OU's
    > | and then have the low restriction policy level linked to each OU with
    > additional GPO
    > | for second level OU and all three GPO's linked the third level OU with
    > high
    > | restrictions with the OU specific to that OU at the top of the list. ---
    > Steve
    > |
    > |
    > | "ste©" <ContactMeUsingTheContactForm@sm9.co.uk> wrote in message
    > | news:2lj0itFcojrcU2@uni-berlin.de...
    > | > Thanks for the reply and advice Steven. At the moment, I've disabled
    > the
    > | > computer parts of the group policies because I'm only specifying user
    > | > policies, and I read in a book that this helps to speed up the
    > application
    > | > of these policies when the user logs on.
    > | >
    > | > When I set OU's such as Level 1, 2, & 3, they are basically the same as
    > | > Employees, Managers, Admins; it's just that I'm naming them differently.
    > | > What I'd like to do is to set up a level 1 policy (low restriction),
    > then
    > | > copy this policy to a brand new policy in level 2 - I could then have a
    > | > starting point to go on from, rather than enforce everything I'd done in
    > | > level 1 first, then add my next restrictions in level 2.
    > | >
    > | > At the moment, my active directory of users and computers is like this:
    > | >
    > | > mycompany (domain, and contains the unedited default domain policy)
    > | > > MyCompanyPolicies (OU containing my global policies)
    > | > > Level 1 (low restrictions)
    > | > > Level 2 (medium restrictions)
    > | > > Level 3 (high restrictions)
    > | >
    > | > I assume that I'm on the right track with this (?), but will keep
    > reading
    > | > the links and other resources that I find.
    > | >
    > | > Thanks,
    > | >
    > | > Ste
    > | >
    > | >
    > | > "Steven L Umbach" <n9rou@n0-spam-for-me-comcast.net> wrote in message
    > | > news:h1AIc.62169$a24.33684@attbi_s03...
    > | > | Keep in mind there are two parts to Group Policy - computer and user
    > and
    > | > that they
    > | > | need to reside in the container where the policy is applied. Also for
    > | > domain users,
    > | > | password/account policy can only be applied at the domain level. OU
    > policy
    > | > that has
    > | > | "defined" settings will override the same settings defined at the
    > domain
    > | > level. If
    > | > | there is a setting defined at the domain level and not at the OU
    > level,
    > | > the setting
    > | > | will still apply to a user/computer in the OU in a default
    > installation.
    > | > |
    > | > | You may want to consider setting global polices that you want to apply
    > to
    > | > everyone at
    > | > | the domain level and then use your three OU's and name them something
    > | > appropriate
    > | > | that distinguishes each by a role that applies to your office -
    > | > | employees/managers/admins etc. or sales/admin/production etc. ---
    > Steve
    > | > |
    > | > |
    > | >
    > http://www.microsoft.com/windows2000/techinfo/planning/management/groupsteps.asp
    > | > |
    > | >
    > |
    >
    http://www.microsoft.com/resources/documentation/windows/2000/server/reskit/en-us/distsys/part4/dsgch22.mspx
    > | > |
    > | > | "ste©" <ContactMeUsingTheContactForm@sm9.co.uk> wrote in message
    > | > | news:40f287a1$0$6442$cc9e4d1f@news-text.dial.pipex.com...
    > | > | > Hi there,
    > | > | >
    > | > | > I'm about to start applying Group Policies to our network (1 server
    > and
    > | > 8
    > | > | > users) as it's currently an open system that's facing a lot of
    > abuse.
    > | > | >
    > | > | > However, I'm looking for some ideas on managing this, and in
    > particular,
    > | > how
    > | > | > I should be arranging the OU's, being just a single small office.
    > | > | >
    > | > | > I've thought about having an OU that had global policies, then have
    > | > three
    > | > | > separate OU's that contained Level 1, 2 and 3 polices of differing
    > | > degrees
    > | > | > of group policies (low, medium, high). But if I do this, I'm
    > finding
    > | > that
    > | > | > it's difficult to remember what each Level contains, and it's
    > getting
    > | > quite
    > | > | > messy.
    > | > | >
    > | > | > Are there any websites that show some good practice and organisation
    > for
    > | > | > this?
    > | > | >
    > | > | > Thanks for any help, it's appreciated.
    > | > | >
    > | > | > Regards,
    > | > | >
    > | > | > Stephen
    > | > | >
    > | > | >
    > | > |
    > | > |
    > | >
    > | >
    > |
    > |
    >
    >
  8. Archived from groups: microsoft.public.win2000.group_policy (More info?)

    Thanks Steven. We're using Microsoft ISA Server with Small Business Server
    2000, so there's definitely plenty of rules that we can implement Though
    this might be a bit beyond me so we might have to call out IT consultants.
    The problem is that as we're a small charity, we've got a very limited
    budget, so that's why I try and do most things myself - but anything to
    tricky, and I'll make that phone call. :-)

    I did create some reports in ISA, but they don't seem to show user internet
    activity - I believe the reason for this is because the default gateway for
    each user is the ADSL router's IP address, rather than the server itself.
    Not sure how to change this though, but it's probably a post for the ISA
    group! ;-)

    Thanks again,

    Ste


    "Steven L Umbach" <n9rou@n0-spam-for-me-comcast.net> wrote in message
    news:pfiJc.74944$JR4.26287@attbi_s54...
    | Sounds good. Keep in mind that your firewall configuration can also be a
    major
    | contributor to users not using unauthorized internet applications. Either
    try to use
    | a default block all outbound access rule and then create the exceptions
    for
    | authorized traffic. If your firewall can not do that, consider getting
    another one as
    | they have really dropped in price and $350 can get you a good SOHO unit.
    Otherwise
    | see if your existing one can at least block some outbound traffic - even
    the $80
    | routers from Neatger, Linksys, etc can do a pretty good job of that these
    days. Good
    | luck. --- Steve
    |
    |
    | "ste©" <ContactMeUsingTheContactForm@sm9.co.uk> wrote in message
    | news:2llmf7Feh8ncU1@uni-berlin.de...
    | > Thanks for that again Steve, and I'll take note of your two approaches.
    | > I've only added some basic global policies at the moment, but will start
    to
    | > add more on a development PC using a test user account. The overall aim
    is
    | > to only let people do and use what they need for the job. Hopefully,
    the
    | > days of getting paid to chat on Yahoo Messenger all day are over... ;-)
    | >
    | > Thanks,
    | >
    | > Ste
    | >
    | >
    | > "Steven L Umbach" <n9rou@n0-spam-for-me-comcast.net> wrote in message
    | > news:ViYIc.46653$WX.6481@attbi_s51...
    | > | Sounds like you have a grasp of things. When you create a Group Policy
    | > [GPO] you can
    | > | "link" it to more than one container/OU. The highest GPO takes
    precedence
    | > with
    | > | defined settings. You could either create two sub OU's within your
    level 1
    | > OU and
    | > | simply create the GPO you want for each sub OU and put users into the
    | > appropriate OU
    | > | and Group Policy would flow down through the sub OU's. Or you could
    have
    | > three OU's
    | > | and then have the low restriction policy level linked to each OU with
    | > additional GPO
    | > | for second level OU and all three GPO's linked the third level OU with
    | > high
    | > | restrictions with the OU specific to that OU at the top of the
    st. ---
    | > Steve
    | > |
    | > |
    | > | "ste©" <ContactMeUsingTheContactForm@sm9.co.uk> wrote in message
    | > | news:2lj0itFcojrcU2@uni-berlin.de...
    | > | > Thanks for the reply and advice Steven. At the moment, I've
    disabled
    | > the
    | > | > computer parts of the group policies because I'm only specifying
    user
    | > | > policies, and I read in a book that this helps to speed up the
    | > application
    | > | > of these policies when the user logs on.
    | > | >
    | > | > When I set OU's such as Level 1, 2, & 3, they are basically the same
    as
    | > | > Employees, Managers, Admins; it's just that I'm naming them
    differently.
    | > | > What I'd like to do is to set up a level 1 policy (low restriction),
    | > then
    | > | > copy this policy to a brand new policy in level 2 - I could then
    have a
    | > | > starting point to go on from, rather than enforce everything I'd
    done in
    | > | > level 1 first, then add my next restrictions in level 2.
    | > | >
    | > | > At the moment, my active directory of users and computers is like
    this:
    | > | >
    | > | > mycompany (domain, and contains the unedited default domain policy)
    | > | > > MyCompanyPolicies (OU containing my global policies)
    | > | > > Level 1 (low restrictions)
    | > | > > Level 2 (medium restrictions)
    | > | > > Level 3 (high restrictions)
    | > | >
    | > | > I assume that I'm on the right track with this (?), but will keep
    | > reading
    | > | > the links and other resources that I find.
    | > | >
    | > | > Thanks,
    | > | >
    | > | > Ste
    | > | >
    | > | >
    | > | > "Steven L Umbach" <n9rou@n0-spam-for-me-comcast.net> wrote in
    message
    | > | > news:h1AIc.62169$a24.33684@attbi_s03...
    | > | > | Keep in mind there are two parts to Group Policy - computer and
    user
    | > and
    | > | > that they
    | > | > | need to reside in the container where the policy is applied. Also
    for
    | > | > domain users,
    | > | > | password/account policy can only be applied at the domain level.
    OU
    | > policy
    | > | > that has
    | > | > | "defined" settings will override the same settings defined at the
    | > domain
    | > | > level. If
    | > | > | there is a setting defined at the domain level and not at the OU
    | > level,
    | > | > the setting
    | > | > | will still apply to a user/computer in the OU in a default
    | > installation.
    | > | > |
    | > | > | You may want to consider setting global polices that you want to
    apply
    | > to
    | > | > everyone at
    | > | > | the domain level and then use your three OU's and name them
    something
    | > | > appropriate
    | > | > | that distinguishes each by a role that applies to your office -
    | > | > | employees/managers/admins etc. or sales/admin/production etc. ---
    | > Steve
    | > | > |
    | > | > |
    | > | >
    | >
    http://www.microsoft.com/windows2000/techinfo/planning/management/groupsteps.asp
    | > | > |
    | > | >
    | > |
    | >
    |
    http://www.microsoft.com/resources/documentation/windows/2000/server/reskit/en-us/distsys/part4/dsgch22.mspx
    | > | > |
    | > | > | "ste©" <ContactMeUsingTheContactForm@sm9.co.uk> wrote in message
    | > | > | news:40f287a1$0$6442$cc9e4d1f@news-text.dial.pipex.com...
    | > | > | > Hi there,
    | > | > | >
    | > | > | > I'm about to start applying Group Policies to our network (1
    server
    | > and
    | > | > 8
    | > | > | > users) as it's currently an open system that's facing a lot of
    | > abuse.
    | > | > | >
    | > | > | > However, I'm looking for some ideas on managing this, and in
    | > particular,
    | > | > how
    | > | > | > I should be arranging the OU's, being just a single small
    office.
    | > | > | >
    | > | > | > I've thought about having an OU that had global policies, then
    have
    | > | > three
    | > | > | > separate OU's that contained Level 1, 2 and 3 polices of
    differing
    | > | > degrees
    | > | > | > of group policies (low, medium, high). But if I do this, I'm
    | > finding
    | > | > that
    | > | > | > it's difficult to remember what each Level contains, and it's
    | > getting
    | > | > quite
    | > | > | > messy.
    | > | > | >
    | > | > | > Are there any websites that show some good practice and
    organisation
    | > for
    | > | > | > this?
    | > | > | >
    | > | > | > Thanks for any help, it's appreciated.
    | > | > | >
    | > | > | > Regards,
    | > | > | >
    | > | > | > Stephen
    | > | > | >
    | > | > | >
    | > | > |
    | > | > |
    | > | >
    | > | >
    | > |
    | > |
    | >
    | >
    |
    |
  9. Archived from groups: microsoft.public.win2000.group_policy (More info?)

    There are some ISA newsgroups that would be very helpful but basically the clients on
    the network need to point to the ISA server internal network address as their default
    gateway and then the clients will be subject to rules on the ISA server. The link
    below is a great resource on ISA. Good luck. --- Steve

    http://isaserver.org/articles_tutorials/configuration_general/

    "ste©" <ContactMeUsingTheContactForm@sm9.co.uk> wrote in message
    news:2lv5ghFh68mcU1@uni-berlin.de...
    > Thanks Steven. We're using Microsoft ISA Server with Small Business Server
    > 2000, so there's definitely plenty of rules that we can implement Though
    > this might be a bit beyond me so we might have to call out IT consultants.
    > The problem is that as we're a small charity, we've got a very limited
    > budget, so that's why I try and do most things myself - but anything to
    > tricky, and I'll make that phone call. :-)
    >
    > I did create some reports in ISA, but they don't seem to show user internet
    > activity - I believe the reason for this is because the default gateway for
    > each user is the ADSL router's IP address, rather than the server itself.
    > Not sure how to change this though, but it's probably a post for the ISA
    > group! ;-)
    >
    > Thanks again,
    >
    > Ste
    >
    >
    > "Steven L Umbach" <n9rou@n0-spam-for-me-comcast.net> wrote in message
    > news:pfiJc.74944$JR4.26287@attbi_s54...
    > | Sounds good. Keep in mind that your firewall configuration can also be a
    > major
    > | contributor to users not using unauthorized internet applications. Either
    > try to use
    > | a default block all outbound access rule and then create the exceptions
    > for
    > | authorized traffic. If your firewall can not do that, consider getting
    > another one as
    > | they have really dropped in price and $350 can get you a good SOHO unit.
    > Otherwise
    > | see if your existing one can at least block some outbound traffic - even
    > the $80
    > | routers from Neatger, Linksys, etc can do a pretty good job of that these
    > days. Good
    > | luck. --- Steve
    > |
    > |
    > | "ste©" <ContactMeUsingTheContactForm@sm9.co.uk> wrote in message
    > | news:2llmf7Feh8ncU1@uni-berlin.de...
    > | > Thanks for that again Steve, and I'll take note of your two approaches.
    > | > I've only added some basic global policies at the moment, but will start
    > to
    > | > add more on a development PC using a test user account. The overall aim
    > is
    > | > to only let people do and use what they need for the job. Hopefully,
    > the
    > | > days of getting paid to chat on Yahoo Messenger all day are over... ;-)
    > | >
    > | > Thanks,
    > | >
    > | > Ste
    > | >
    > | >
    > | > "Steven L Umbach" <n9rou@n0-spam-for-me-comcast.net> wrote in message
    > | > news:ViYIc.46653$WX.6481@attbi_s51...
    > | > | Sounds like you have a grasp of things. When you create a Group Policy
    > | > [GPO] you can
    > | > | "link" it to more than one container/OU. The highest GPO takes
    > precedence
    > | > with
    > | > | defined settings. You could either create two sub OU's within your
    > level 1
    > | > OU and
    > | > | simply create the GPO you want for each sub OU and put users into the
    > | > appropriate OU
    > | > | and Group Policy would flow down through the sub OU's. Or you could
    > have
    > | > three OU's
    > | > | and then have the low restriction policy level linked to each OU with
    > | > additional GPO
    > | > | for second level OU and all three GPO's linked the third level OU with
    > | > high
    > | > | restrictions with the OU specific to that OU at the top of the
    > st. ---
    > | > Steve
    > | > |
    > | > |
    > | > | "ste©" <ContactMeUsingTheContactForm@sm9.co.uk> wrote in message
    > | > | news:2lj0itFcojrcU2@uni-berlin.de...
    > | > | > Thanks for the reply and advice Steven. At the moment, I've
    > disabled
    > | > the
    > | > | > computer parts of the group policies because I'm only specifying
    > user
    > | > | > policies, and I read in a book that this helps to speed up the
    > | > application
    > | > | > of these policies when the user logs on.
    > | > | >
    > | > | > When I set OU's such as Level 1, 2, & 3, they are basically the same
    > as
    > | > | > Employees, Managers, Admins; it's just that I'm naming them
    > differently.
    > | > | > What I'd like to do is to set up a level 1 policy (low restriction),
    > | > then
    > | > | > copy this policy to a brand new policy in level 2 - I could then
    > have a
    > | > | > starting point to go on from, rather than enforce everything I'd
    > done in
    > | > | > level 1 first, then add my next restrictions in level 2.
    > | > | >
    > | > | > At the moment, my active directory of users and computers is like
    > this:
    > | > | >
    > | > | > mycompany (domain, and contains the unedited default domain policy)
    > | > | > > MyCompanyPolicies (OU containing my global policies)
    > | > | > > Level 1 (low restrictions)
    > | > | > > Level 2 (medium restrictions)
    > | > | > > Level 3 (high restrictions)
    > | > | >
    > | > | > I assume that I'm on the right track with this (?), but will keep
    > | > reading
    > | > | > the links and other resources that I find.
    > | > | >
    > | > | > Thanks,
    > | > | >
    > | > | > Ste
    > | > | >
    > | > | >
    > | > | > "Steven L Umbach" <n9rou@n0-spam-for-me-comcast.net> wrote in
    > message
    > | > | > news:h1AIc.62169$a24.33684@attbi_s03...
    > | > | > | Keep in mind there are two parts to Group Policy - computer and
    > user
    > | > and
    > | > | > that they
    > | > | > | need to reside in the container where the policy is applied. Also
    > for
    > | > | > domain users,
    > | > | > | password/account policy can only be applied at the domain level.
    > OU
    > | > policy
    > | > | > that has
    > | > | > | "defined" settings will override the same settings defined at the
    > | > domain
    > | > | > level. If
    > | > | > | there is a setting defined at the domain level and not at the OU
    > | > level,
    > | > | > the setting
    > | > | > | will still apply to a user/computer in the OU in a default
    > | > installation.
    > | > | > |
    > | > | > | You may want to consider setting global polices that you want to
    > apply
    > | > to
    > | > | > everyone at
    > | > | > | the domain level and then use your three OU's and name them
    > something
    > | > | > appropriate
    > | > | > | that distinguishes each by a role that applies to your office -
    > | > | > | employees/managers/admins etc. or sales/admin/production etc. ---
    > | > Steve
    > | > | > |
    > | > | > |
    > | > | >
    > | >
    > http://www.microsoft.com/windows2000/techinfo/planning/management/groupsteps.asp
    > | > | > |
    > | > | >
    > | > |
    > | >
    > |
    >
    http://www.microsoft.com/resources/documentation/windows/2000/server/reskit/en-us/distsys/part4/dsgch22.mspx
    > | > | > |
    > | > | > | "ste©" <ContactMeUsingTheContactForm@sm9.co.uk> wrote in message
    > | > | > | news:40f287a1$0$6442$cc9e4d1f@news-text.dial.pipex.com...
    > | > | > | > Hi there,
    > | > | > | >
    > | > | > | > I'm about to start applying Group Policies to our network (1
    > server
    > | > and
    > | > | > 8
    > | > | > | > users) as it's currently an open system that's facing a lot of
    > | > abuse.
    > | > | > | >
    > | > | > | > However, I'm looking for some ideas on managing this, and in
    > | > particular,
    > | > | > how
    > | > | > | > I should be arranging the OU's, being just a single small
    > office.
    > | > | > | >
    > | > | > | > I've thought about having an OU that had global policies, then
    > have
    > | > | > three
    > | > | > | > separate OU's that contained Level 1, 2 and 3 polices of
    > differing
    > | > | > degrees
    > | > | > | > of group policies (low, medium, high). But if I do this, I'm
    > | > finding
    > | > | > that
    > | > | > | > it's difficult to remember what each Level contains, and it's
    > | > getting
    > | > | > quite
    > | > | > | > messy.
    > | > | > | >
    > | > | > | > Are there any websites that show some good practice and
    > organisation
    > | > for
    > | > | > | > this?
    > | > | > | >
    > | > | > | > Thanks for any help, it's appreciated.
    > | > | > | >
    > | > | > | > Regards,
    > | > | > | >
    > | > | > | > Stephen
    > | > | > | >
    > | > | > | >
    > | > | > |
    > | > | > |
    > | > | >
    > | > | >
    > | > |
    > | > |
    > | >
    > | >
    > |
    > |
    >
    >
  10. Archived from groups: microsoft.public.win2000.group_policy (More info?)

    Thanks again for your help Steven, I'll take a look at those articles. I've
    already subscribed to one of the ISA newsgroups, so reading through the
    history of that group for questions and answers.

    I'm sure I'll be posting back agian some time for more help on the group
    policies - it's still in a test environment at the moment.

    Thanks again, it's appreciated.

    Ste


    "Steven L Umbach" <n9rou@n0-spam-for-me-comcast.net> wrote in message
    news:2DxKc.123828$XM6.29900@attbi_s53...
    | There are some ISA newsgroups that would be very helpful but basically the
    clients on
    | the network need to point to the ISA server internal network address as
    their default
    | gateway and then the clients will be subject to rules on the ISA server.
    The link
    | below is a great resource on ISA. Good luck. --- Steve
    |
    | http://isaserver.org/articles_tutorials/configuration_general/
    |
    | "ste©" <ContactMeUsingTheContactForm@sm9.co.uk> wrote in message
    | news:2lv5ghFh68mcU1@uni-berlin.de...
    | > Thanks Steven. We're using Microsoft ISA Server with Small Business
    Server
    | > 2000, so there's definitely plenty of rules that we can implement
    Though
    | > this might be a bit beyond me so we might have to call out IT
    consultants.
    | > The problem is that as we're a small charity, we've got a very limited
    | > budget, so that's why I try and do most things myself - but anything to
    | > tricky, and I'll make that phone call. :-)
    | >
    | > I did create some reports in ISA, but they don't seem to show user
    internet
    | > activity - I believe the reason for this is because the default gateway
    for
    | > each user is the ADSL router's IP address, rather than the server
    itself.
    | > Not sure how to change this though, but it's probably a post for the ISA
    | > group! ;-)
    | >
    | > Thanks again,
    | >
    | > Ste
    | >
    | >
    | > "Steven L Umbach" <n9rou@n0-spam-for-me-comcast.net> wrote in message
    | > news:pfiJc.74944$JR4.26287@attbi_s54...
    | > | Sounds good. Keep in mind that your firewall configuration can also be
    a
    | > major
    | > | contributor to users not using unauthorized internet applications.
    Either
    | > try to use
    | > | a default block all outbound access rule and then create the
    exceptions
    | > for
    | > | authorized traffic. If your firewall can not do that, consider getting
    | > another one as
    | > | they have really dropped in price and $350 can get you a good SOHO
    unit.
    | > Otherwise
    | > | see if your existing one can at least block some outbound traffic -
    even
    | > the $80
    | > | routers from Neatger, Linksys, etc can do a pretty good job of that
    these
    | > days. Good
    | > | luck. --- Steve
    | > |
    | > |
    | > | "ste©" <ContactMeUsingTheContactForm@sm9.co.uk> wrote in message
    | > | news:2llmf7Feh8ncU1@uni-berlin.de...
    | > | > Thanks for that again Steve, and I'll take note of your two
    approaches.
    | > | > I've only added some basic global policies at the moment, but will
    start
    | > to
    | > | > add more on a development PC using a test user account. The overall
    aim
    | > is
    | > | > to only let people do and use what they need for the job.
    Hopefully,
    | > the
    | > | > days of getting paid to chat on Yahoo Messenger all day are over...
    ;-)
    | > | >
    | > | > Thanks,
    | > | >
    | > | > Ste
    | > | >
    | > | >
    | > | > "Steven L Umbach" <n9rou@n0-spam-for-me-comcast.net> wrote in
    message
    | > | > news:ViYIc.46653$WX.6481@attbi_s51...
    | > | > | Sounds like you have a grasp of things. When you create a Group
    Policy
    | > | > [GPO] you can
    | > | > | "link" it to more than one container/OU. The highest GPO takes
    | > precedence
    | > | > with
    | > | > | defined settings. You could either create two sub OU's within your
    | > level 1
    | > | > OU and
    | > | > | simply create the GPO you want for each sub OU and put users into
    the
    | > | > appropriate OU
    | > | > | and Group Policy would flow down through the sub OU's. Or you
    could
    | > have
    | > | > three OU's
    | > | > | and then have the low restriction policy level linked to each OU
    with
    | > | > additional GPO
    | > | > | for second level OU and all three GPO's linked the third level OU
    with
    | > | > high
    | > | > | restrictions with the OU specific to that OU at the top of the
    | > st. ---
    | > | > Steve
    | > | > |
    | > | > |
    | > | > | "ste©" <ContactMeUsingTheContactForm@sm9.co.uk> wrote in message
    | > | > | news:2lj0itFcojrcU2@uni-berlin.de...
    | > | > | > Thanks for the reply and advice Steven. At the moment, I've
    | > disabled
    | > | > the
    | > | > | > computer parts of the group policies because I'm only specifying
    | > user
    | > | > | > policies, and I read in a book that this helps to speed up the
    | > | > application
    | > | > | > of these policies when the user logs on.
    | > | > | >
    | > | > | > When I set OU's such as Level 1, 2, & 3, they are basically the
    same
    | > as
    | > | > | > Employees, Managers, Admins; it's just that I'm naming them
    | > differently.
    | > | > | > What I'd like to do is to set up a level 1 policy (low
    restriction),
    | > | > then
    | > | > | > copy this policy to a brand new policy in level 2 - I could then
    | > have a
    | > | > | > starting point to go on from, rather than enforce everything I'd
    | > done in
    | > | > | > level 1 first, then add my next restrictions in level 2.
    | > | > | >
    | > | > | > At the moment, my active directory of users and computers is
    like
    | > this:
    | > | > | >
    | > | > | > mycompany (domain, and contains the unedited default domain
    policy)
    | > | > | > > MyCompanyPolicies (OU containing my global policies)
    | > | > | > > Level 1 (low restrictions)
    | > | > | > > Level 2 (medium restrictions)
    | > | > | > > Level 3 (high restrictions)
    | > | > | >
    | > | > | > I assume that I'm on the right track with this (?), but will
    keep
    | > | > reading
    | > | > | > the links and other resources that I find.
    | > | > | >
    | > | > | > Thanks,
    | > | > | >
    | > | > | > Ste
    | > | > | >
    | > | > | >
    | > | > | > "Steven L Umbach" <n9rou@n0-spam-for-me-comcast.net> wrote in
    | > message
    | > | > | > news:h1AIc.62169$a24.33684@attbi_s03...
    | > | > | > | Keep in mind there are two parts to Group Policy - computer
    and
    | > user
    | > | > and
    | > | > | > that they
    | > | > | > | need to reside in the container where the policy is applied.
    Also
    | > for
    | > | > | > domain users,
    | > | > | > | password/account policy can only be applied at the domain
    level.
    | > OU
    | > | > policy
    | > | > | > that has
    | > | > | > | "defined" settings will override the same settings defined at
    the
    | > | > domain
    | > | > | > level. If
    | > | > | > | there is a setting defined at the domain level and not at the
    OU
    | > | > level,
    | > | > | > the setting
    | > | > | > | will still apply to a user/computer in the OU in a default
    | > | > installation.
    | > | > | > |
    | > | > | > | You may want to consider setting global polices that you want
    to
    | > apply
    | > | > to
    | > | > | > everyone at
    | > | > | > | the domain level and then use your three OU's and name them
    | > something
    | > | > | > appropriate
    | > | > | > | that distinguishes each by a role that applies to your
    office -
    | > | > | > | employees/managers/admins etc. or sales/admin/production
    etc. ---
    | > | > Steve
    | > | > | > |
    | > | > | > |
    | > | > | >
    | > | >
    | >
    http://www.microsoft.com/windows2000/techinfo/planning/management/groupsteps.asp
    | > | > | > |
    | > | > | >
    | > | > |
    | > | >
    | > |
    | >
    |
    http://www.microsoft.com/resources/documentation/windows/2000/server/reskit/en-us/distsys/part4/dsgch22.mspx
    | > | > | > |
    | > | > | > | "ste©" <ContactMeUsingTheContactForm@sm9.co.uk> wrote in
    message
    | > | > | > | news:40f287a1$0$6442$cc9e4d1f@news-text.dial.pipex.com...
    | > | > | > | > Hi there,
    | > | > | > | >
    | > | > | > | > I'm about to start applying Group Policies to our network (1
    | > server
    | > | > and
    | > | > | > 8
    | > | > | > | > users) as it's currently an open system that's facing a lot
    of
    | > | > abuse.
    | > | > | > | >
    | > | > | > | > However, I'm looking for some ideas on managing this, and in
    | > | > particular,
    | > | > | > how
    | > | > | > | > I should be arranging the OU's, being just a single small
    | > office.
    | > | > | > | >
    | > | > | > | > I've thought about having an OU that had global policies,
    then
    | > have
    | > | > | > three
    | > | > | > | > separate OU's that contained Level 1, 2 and 3 polices of
    | > differing
    | > | > | > degrees
    | > | > | > | > of group policies (low, medium, high). But if I do this,
    I'm
    | > | > finding
    | > | > | > that
    | > | > | > | > it's difficult to remember what each Level contains, and
    it's
    | > | > getting
    | > | > | > quite
    | > | > | > | > messy.
    | > | > | > | >
    | > | > | > | > Are there any websites that show some good practice and
    | > organisation
    | > | > for
    | > | > | > | > this?
    | > | > | > | >
    | > | > | > | > Thanks for any help, it's appreciated.
    | > | > | > | >
    | > | > | > | > Regards,
    | > | > | > | >
    | > | > | > | > Stephen
    | > | > | > | >
    | > | > | > | >
    | > | > | > |
    | > | > | > |
    | > | > | >
    | > | > | >
    | > | > |
    | > | > |
    | > | >
    | > | >
    | > |
    | > |
    | >
    | >
    |
    |
Ask a new question

Read More

Policy Management Microsoft Windows Product