Group Policy fundamentals

Guest

We have the following setup:
5 account domains. 4 are in W2K mixed mode. One is W2K native.
1 domain, native 2000, empty, serves the role of schema master.
New computer accounts are created in the OUs in one of these domains (based
on geographical location).
Account and password policy defined via default domain policy in all domains.
Several hundred resource domains, NT4 based.
Many of these have a one-way trust with the account domains.
Many don't have. I'll call these untrusted RDs.
Majority of clients in the resource domains are W2K Pro or XP.

Now my Qs:
#1 If the account policy is defined in the default domain group policy,
does it reach the clients in trusted and/or untrusted RDs?

#2 How are the account policies effective? Are these implemented when the
machine starts up, or when a user logs in?

#3 If I want to add a global administrative group to the local
Administrators group in each workstation, how can I accomplish this?
I have already seen the scenarios where I can define it via startup script
in the machine config part of a group policy OR via logon script in the user
config part of group policy.
But my Q to this is: the logon script is not effective because it runs in user
context.
Startup script will not be effective for workstations in the resource domain.

Can someone please clear my doubts regarding group policy fundamentals?

Thanks
 
Simon Geary

> Now my Qs:
> #1 If the account policy is defined in the default domain group policy,
> does it reach the clients in trusted and/or untrusted RDs?

No. Account policies are defined at the domain level and will not dribble
down to other domains.

> #2 How are the account policies effective? Are these implemented when the
> machine starts up, or when a user logs in?

Account Policies are defined in the Computer configuration of a GPO so they
will apply when the computer starts up.

> #3 If I want to add a global administrative group to the local
> Administrators group in each workstation, how can I accomplish this?
> I have already seen the scenarios where I can define it via startup script
> in the machine config part of a group policy OR via logon script in the
> user config part of group policy.
> But my Q to this is: the logon script is not effective because it runs in user
> context.
> Startup script will not be effective for workstations in the resource
> domain.

The domain admins group should already be an automatic member of your local
administrator group so if your Enterprise Admins group is a member of all
domain admins groups you already have a solution of sorts. Alternatively,
you can use the Restricted Groups GPO setting to control membership of this
group. http://support.microsoft.com/?id=228496
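As an added illustration of the Restricted Groups approach (not code from the thread or from Microsoft), the snippet below parses the [Group Membership] section of a GPO security template (GptTmpl.inf, assumed on-disk layout: keys of the form *<SID>__Members / *<SID>__Memberof) and works out what enforcing it would do to a workstation's local Administrators group. The point it makes explicit is that "Members" is authoritative: anything not listed is removed, except the built-in Administrator account (RID 500), which Windows keeps in the group. All SIDs in the sample are constructed.

```python
import re

# Well-known SID of the built-in local Administrators group.
ADMINISTRATORS_SID = "S-1-5-32-544"

# Constructed sample template: make Administrators = the account domain's
# Domain Admins (RID 512) plus a global "WorkstationAdmins" group (RID 1105).
SAMPLE_INF = """[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Group Membership]
*S-1-5-32-544__Memberof =
*S-1-5-32-544__Members = *S-1-5-21-1000-2000-3000-512,*S-1-5-21-1000-2000-3000-1105
"""

def parse_group_membership(inf_text):
    """Return {group_sid: {"Members": [...], "Memberof": [...]}} from the
    [Group Membership] section. A leading '*' marks a SID rather than a name."""
    policy = {}
    in_section = False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("["):
            in_section = line.lower() == "[group membership]"
            continue
        if not in_section or "=" not in line:
            continue
        key, _, value = line.partition("=")
        m = re.fullmatch(r"\*?(.+?)__(Members|Memberof)", key.strip())
        if not m:
            continue
        group, kind = m.group(1), m.group(2)
        members = [v.strip().lstrip("*") for v in value.split(",") if v.strip()]
        policy.setdefault(group, {"Members": [], "Memberof": []})[kind] = members
    return policy

def plan_changes(policy, actual_members, group=ADMINISTRATORS_SID):
    """Compute (to_add, to_remove) for `group` on a machine whose current
    membership is `actual_members`. 'Members' is authoritative, so unlisted
    principals are removed; the built-in Administrator (RID 500) is exempt."""
    if group not in policy:
        return [], []
    wanted = set(policy[group]["Members"])
    have = set(actual_members)
    protected = {m for m in have if m.endswith("-500")}
    return sorted(wanted - have), sorted(have - wanted - protected)
```

Run plan_changes against the membership exported from a workstation before rolling the setting out, so you can see which existing local admins the policy would strip.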
 
