how to create sub-GPOs

Rino.Mardo

hello, from the domain OU i created two GPOs at the same level. i just
found out that this is wrong. now i'm trying to figure out if it's
possible to create from the domain OU a GPO A and then create a
sub-GPO, let's call it GPO B, under GPO A?

the idea is there would be some settings in GPO A (like a proxy
setting) and then GPO B would then have finer settings (like a
different proxy setting than GPO A) that GPO A doesn't have.
 
Florian Frommherz

Howdy!

> hello, from the domain OU i created two GPOs at the same level. i just
> found out that this is wrong. now i'm trying to figure out if it's
> possible to create from the domain OU a GPO A and then create a
> sub-GPO, let's call it GPO B, under GPO A?
>
> the idea is there would be some settings in GPO A (like a proxy
> setting) and then GPO B would then have finer settings (like a
> different proxy setting than GPO A) that GPO A doesn't have.

Well, applying your policies to the domain level is not always a good
idea. In your case, I'd recommend that you link your group policies to
OUs instead of the domain and work with Sub-OUs. Organize your users in
OUs and sub-OUs; for example
in OU "corp users" with sub-OUs like "Sales", "Marketing" and whatever.
The "Sales"-Sub-OU users will inherit the settings defined in "corp
users"-OU and have additional settings you give them. This would enable
you to give users "finer" settings - even depending on which department
or group of people they belong to...

cheers,

Florian
 
maverick

Florian said:
> Howdy!
> ....
>
> Well, applying your policies to the domain level is not always a good
> idea. In your case, I'd recommend that you link your group policies to
> OUs instead of the domain and work with Sub-OUs. Organize your users in
> OUs and sub-OUs; for example
> in OU "corp users" with sub-OUs like "Sales", "Marketing" and whatever.
> The "Sales"-Sub-OU users will inherit the settings defined in "corp
> users"-OU and have additional settings you give them. This would enable
> you to give users "finer" settings - even depending on which department
> or group of people they belong to...

hello, i created the following example:

acme ou
|--acme policy
|--deptA ou
   |--deptA policy


i hope the spacing appears right. anyway, from what i understand about
group policies inheritance is enabled by default so i didn't bother
checking. i created some browser settings in "acme policy" and refined
it to include proxy settings in "deptA policy". i did a "gpupdate
/force" followed by "gpresult" from the same workstation. no change.

i know gpupdates work every 90 or so minutes but what about additions
or changes done in the domain's group policy? how soon do they take
effect?

thanks for the info on using sub-OUs it is much clearer and easily
understood now.
 
maverick

Florian said:
> Howdy!
> ....
>
> Well, applying your policies to the domain level is not always a good
> idea. In your case, I'd recommend that you link your group policies to
> OUs instead of the domain and work with Sub-OUs. Organize your users in
> OUs and sub-OUs; for example
> in OU "corp users" with sub-OUs like "Sales", "Marketing" and whatever.
> The "Sales"-Sub-OU users will inherit the settings defined in "corp
> users"-OU and have additional settings you give them. This would enable
> you to give users "finer" settings - even depending on which department
> or group of people they belong to...

one thing i noticed, any GPOs linked to an OU are not applied. only
those GPOs that are linked directly at the domain level are applied.

i've been forcing gpupdate for hours now and checking with gpresult.
nothing. only gpo at domain level is applied.
 
Florian Frommherz

Howdy!

> checking. i created some browser settings in "acme policy" and refined
> it to include proxy settings in "deptA policy". i did a "gpupdate
> /force" followed by "gpresult" from the same workstation. no change.

If you create another OU with the user's computer in it and apply the
following GP to it, will the proxy settings apply then?

"Always wait for the network at computer startup and logon" at
"CompConf\Adm Temp\System\Logon".

> one thing i noticed, any GPOs linked to an OU are not applied. only
> those GPOs that are linked directly at the domain level are applied.
> i've been forcing gpupdate for hours now and checking with gpresult.
> nothing. only gpo at domain level is applied.

Do the users and computer you want to assign the policies to reside in
your OU (or any sub-OU?). After having forced the refresh, the policies
should take effect (except some exotic ones, like Software Restriction
etc.). Maybe a logoff and logon of the users help.

cheers,

Florian
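
The check suggested in the reply above (do the user and computer objects actually sit in the OU the GPO is linked to?), as an added PowerShell example that is not part of the original thread. It assumes the RSAT ActiveDirectory and GroupPolicy modules are installed; `jdoe` and `WS01` are placeholder names, and `Get-ParentContainer` and `Get-GpoScopeReport` are hypothetical helpers defined here.

```powershell
# Added example, not from the thread. Assumes the RSAT ActiveDirectory and
# GroupPolicy modules; 'jdoe' and 'WS01' are placeholder account names.
Import-Module ActiveDirectory, GroupPolicy

function Get-ParentContainer {
    param([Parameter(Mandatory)][string]$DistinguishedName)
    # Drop the leading RDN; the pattern skips commas escaped with a backslash.
    $DistinguishedName -replace '^(?:[^,\\]|\\.)+,', ''
}

function Get-GpoScopeReport {
    param([Parameter(Mandatory)][string]$DistinguishedName)

    $parent = Get-ParentContainer -DistinguishedName $DistinguishedName
    $target = $parent
    $note   = ''
    # GPOs link only to sites, domains and OUs. An object left in a plain
    # container (CN=Users, CN=Computers) receives no OU-linked GPO at all.
    while ($target -match '^CN=') {
        $note   = "'$parent' is a container, not an OU: only GPOs linked higher up apply"
        $target = Get-ParentContainer -DistinguishedName $target
    }

    $inheritance = Get-GPInheritance -Target $target
    [pscustomobject]@{
        Object             = $DistinguishedName
        EvaluatedAt        = $target
        InheritanceBlocked = $inheritance.GpoInheritanceBlocked
        Note               = $note
        # Effective list, in precedence order, with the OU or domain each link sits on.
        Links              = $inheritance.InheritedGpoLinks |
                             Select-Object Order, DisplayName, Enabled, Enforced, Target
    }
}

$user     = Get-ADUser     -Identity 'jdoe'
$computer = Get-ADComputer -Identity 'WS01'

foreach ($dn in $user.DistinguishedName, $computer.DistinguishedName) {
    $report = Get-GpoScopeReport -DistinguishedName $dn
    $report | Format-List Object, EvaluatedAt, InheritanceBlocked, Note | Out-Host
    $report.Links | Format-Table -AutoSize | Out-Host
}
```

If the OU-linked GPO is missing from `Links` for an object, that object is outside the OU subtree the GPO is linked to, which is a different question from the GPO's security filtering on its Scope tab.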
 
Florian Frommherz

Howdy!

Florian said:
> If you create another OU with the user's computer in it and apply the
> following GP to it, will the proxy settings apply then?
>
> "Always wait for the network at computer startup and logon" at
> "CompConf\Adm Temp\System\Logon".

If your clients run on Windows XP, this is also a good policy to have
enabled - but I posted the above policy by mistake. What I originally
wanted you to try is the following policy:

Comp Conf\Adm Templ\System\Group Policy - "Internet Explorer
Maintenance policy processing" and there: "Process settings even if they
have not been changed".

cheers,

Florian
 
maverick

Florian said:
> Howdy!
> .....
>
> Do the users and computer you want to assign the policies to reside in
> your OU (or any sub-OU?). After having forced the refresh, the policies
> should take effect (except some exotic ones, like Software Restriction
> etc.). Maybe a logoff and logon of the users help.

doh! i have overlooked this part. i kept looking at the scope of the
gpo instead.

it is working now with my OUs and sub-OUs.

many thanks for the inputs!
 
