|
Home > Archive > 70-217 > November 2002 > apply/link?
You are viewing an archived Text-only version of the thread.
To view this thread in it's original format and/or if you want to reply to
this thread please [click here]
|
|
| me? I dunno... 2002-11-10, 3:44 am |
| group policies can only be linked to sites domains or OU's, yet they can be applied to users and groups? I don't understand. | |
| Slinky 2002-11-10, 10:27 am |
| Gotta love GPOs for their trickiness. Thats probably why M$ loves to test you on them.  By definition a group policy is a collection of user and computer configuration settings that can be linked to computers, sites, domains, and OUs to specify the behavior of users' desktops. With that said, you cannot apply group policies to a security group, BUT you can apply polices to a group of users, if that makes any sense. For example, say you have 100 users in the Finance Department that need access to a certain application and you want to deploy the software to them via GPOs. The best way of doing it would be to group them all together under one OU and link a GPO there, that way only those 100 people are affected. While GPOs don't apply to security groups, you can use groups to filter policies to certain users. By putting those users in groups, you can deny "read" and that policy will not apply to them.
Hope that helps. | |
| me? I dunno... 2002-11-10, 2:10 pm |
| They can be linked/applied to users and/or groups, but only by putting those users and/or groups in an OU first,then apply gp's to the OU, or link/apply gp to the site or domain those users or groups are in and then they have gp applied/linked to them by membership in the site/domain? | |
| dwatts 2002-11-10, 3:41 pm |
| Hey Slinky dont want to be an a**hole (again!) but you even confused me there
You are absolutely correct but you said it in a rather strange way. So JUST FOR CLARITY let me comment on this bit:
--By definition a group policy is a collection of user and computer configuration settings that can be linked to computers, sites, domains, and OUs to specify the behavior of users' desktops.
No they cannot be applied to computers. They AFFECT computers but they cannot be APPLIED to computers par se at least not within the defined terminology of GPOs. I know you understand this (you say it again, accurately, before the end of your post) but I just wanted to clarify for those who might be confused. | |
|
|
| dwatts 2002-11-10, 6:45 pm |
| Damn authors - bunch of know-alls with bad attitudes. --LOL--
My statement meant - the GPO can affect a computer/user - but it cannot be targeted at a computer/user, other than by the consequence of being a member of a Site Domain or OU. In which case, it is the site, domain or OU that is really having it applied, and by inference, all mebers of that Site, Domain or OU are affected. | |
| Slinky 2002-11-10, 6:52 pm |
| Gothca. | |
| me? I dunno... 2002-11-10, 7:35 pm |
| I think I get it now, A policy cannot be assigned to a computer or user on the merit of their own identity, only on the merit of their identity as part of an assignable group (site, domain, OU)? | |
| Slinky 2002-11-10, 8:15 pm |
| You got it. | |
|
| quote:
Originally posted by me? I dunno...
I think I get it now, A policy cannot be assigned to a computer or user on the merit of their own identity, only on the merit of their identity as part of an assignable group (site, domain, OU)?
exactly. GPOs is a good feature. You can apply GPOs to sites, domains or OUs. when you apply a GPO to a OUs for example, all users on the GPOs (and computers inclide in the GPO) are affected by this GPO.
If you have 3 OUs, i.e: OU1, OU2, OU3 and the OU1 have 3 others OUs inside i.e: OU11, OU12, OU13 and you apply a GPO to OU1, all the OU1, OU11, OU12, OU13 are affected by the GPO. | |
| dwatts 2002-11-11, 3:15 am |
| As others have stated, you have indeed "got it". So hop off to the doctor and get treated, fast!  | |
| Riverwind6 2002-11-13, 4:35 pm |
| (Correct me if I'm wrong here)
Lets say you have 3 OUs called OUAccountants, OUSales and OUManagers and you realize that one user in OUAccountants, two users in OUSales and 4 users in OUManagers need a special setting in a GPO, you can create a new GPO that you can link to the domain and remove all permissions for it and add read and apply group policy to only those 7 users and then those 7 guys will have that GPO applied to them even if they re in different OUs.
Is that right? | |
| Slinky 2002-11-13, 5:31 pm |
| Yes. That way those 7 users can be moved about anywhere in the domain and the policy will still appy to them, however doing that is bad practice. If you are applying GPOs to certain users its best to apply it to a container closest to them. For example, you don't want to create a GPO for 1 user and link it to domain level and then filter it. Ideally you would move that user into an OU and link a policy to that. Talk about a management headache the other way. |
|
|
|
|
