Best way to apply policy to all computers except servers

 
 
Deb H
      29th Jul 2008
Trying to decide what the best way is to apply certain features such as event
log settings and other computer-related GPO settings. Currently I have all
computers in their OUs designed by location. Should I also create a group and
add all computers to the group, then add the group to a certain policy affecting
the event logs? Or should I adjust all the OUs?
 
Florian Frommherz [MVP]
      29th Jul 2008
Deb,

Deb H wrote:
> Trying to decide what the best way to apply certain features such as event
> log settings and other computer related GPO settings. Currently I have all
> computers in their OUs designed by location. Should I also create a group and
> add all computers to the group, then add group to a certain policy affecting
> the event logs. Or should I adjust all the OUs?


Avoid security filtering (that is tweaking permissions on the Group
Policy) as far as you can. That slows down Group Policy application. If
possible, re-organize the OU structure so that you can create and add
your GPOs more easily or link the policy in question to multiple
locations in the hierarchy.

cheers,

Florian
--
Microsoft MVP - Group Policy
eMail: prename [at] frickelsoft [dot] net.
blog: http://www.frickelsoft.net/blog.
Maillist (German): http://frickelsoft.net/cms/index.php?page=mailingliste
 
Barkley Bees
      30th Jul 2008
We have our OU structure set up as follows (simplified):

MAIN OU (Contains our client PCs and users)
--- SERVERS OU (Servers only under the Main OU)

The main OU has server Policies applied to it (Default domain policy,
Firewall, WSUS for clients, etc).
The Server OU has only two set for it (Remote Desktop setting and WSUS).

Yet, I can see from GPMC that the parent OU's Group Policies are being
inherited to the Server OU. Can I simply select 'block inheritance' to
prevent these unwanted ones from being applied (i.e. Client Firewall, WSUS
for Clients)?
 
Mark Heitbrink [MVP]
      30th Jul 2008
Barkley Bees wrote:
> We have our OU structure setup as follows (simplified):
>
> MAIN OU (Contains our client PC's and users)
> --- SERVERS OU (Servers only under the Main OU)


IMHO, the easiest way to handle it:
MAIN OU
- Link all GPOs that are for both kinds of computers
--- SERVERS OU
- link only GPOs with server settings
--- WORKSTATIONS OU
- link only GPOs with special client settings

Mark
--
Mark Heitbrink - MVP Windows Server - Group Policy

Homepage: www.gruppenrichtlinien.de - German
Discuss : www.freelists.org/list/gpupdate
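
The OU layout suggested in the reply above, scripted and then verified, as an added example that is not part of any post in this thread. It assumes the GroupPolicy PowerShell module, a constructed domain (example.com), and GPOs that already exist; every OU and GPO name in it is hypothetical.

```powershell
# Added example: assumes the GroupPolicy module (RSAT / GPMC) and a constructed
# domain example.com. Every OU and GPO name here is hypothetical.
Import-Module GroupPolicy

$mainOu   = 'OU=Main,DC=example,DC=com'
$serverOu = "OU=Servers,$mainOu"
$clientOu = "OU=Workstations,$mainOu"

# Desired links, by the kind of computer each GPO is meant for.
$layout = @{
    $mainOu   = @('Event Log Settings')                    # both kinds of computers
    $serverOu = @('Server Remote Desktop', 'WSUS Servers')
    $clientOu = @('Client Firewall', 'WSUS Clients')
}

function Get-LinkedGpoName([string]$Target) {
    # Names of GPOs linked directly at $Target (inherited ones are not included).
    @((Get-GPInheritance -Target $Target).GpoLinks |
        Select-Object -ExpandProperty DisplayName)
}

# 1. Create any missing link at the OU where it belongs.
foreach ($target in $layout.Keys) {
    $linked = Get-LinkedGpoName $target
    foreach ($gpo in $layout[$target]) {
        if ($linked -notcontains $gpo) {
            New-GPLink -Name $gpo -Target $target -LinkEnabled Yes | Out-Null
        }
    }
}

# 2. Remove client-only links left on the parent, where servers would inherit them.
$onParent = Get-LinkedGpoName $mainOu
foreach ($gpo in $layout[$clientOu]) {
    if ($onParent -contains $gpo) { Remove-GPLink -Name $gpo -Target $mainOu | Out-Null }
}

# 3. Verify: list everything that now reaches the Servers OU and flag leftovers.
$som = Get-GPInheritance -Target $serverOu
$som.InheritedGpoLinks | Sort-Object Order |
    Format-Table Order, DisplayName, Enforced, Enabled
$leaked = @($som.InheritedGpoLinks |
    Where-Object { $layout[$clientOu] -contains $_.DisplayName })
if ($leaked.Count -gt 0) {
    Write-Warning "Client-only GPOs still reach servers: $($leaked.DisplayName -join ', ')"
}
"Block inheritance on Servers OU: $($som.GpoInheritanceBlocked)"
```

Move the workstation computer objects into the Workstations OU before step 2 runs, otherwise they stop receiving the client-only settings.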