Moving

Ken B

Here's one for y'all.

When creating a GPO, I create it in a test OU, make sure it works as I
expected. i.e., I made a new OU for Office 2003 deployment. I made my GPO
there, tested it out, and then moved computer accounts in as I wanted Office
deployed. I linked that OU to GPO's in another OU (Windows Update, this and
that). (And I'm not using nested OU's either).

Now if I want to get rid of the old OU as Office is finished being deployed,
I can't take out the old OU--the existing policies will be deleted, as they
won't have anyplace to reside.

Can I move or copy the GPO's to a different OU so I can get rid of 'dead'
OU's without losing what we've configured? I don't want to have to go back
and re-create the policies (especially the Office software policy--I don't
want to have to have that one re-apply to the workstations and possibly
screw up the installation on 200 computers).

On a side note, what practice does everyone follow? I'm getting the feeling
that I should keep an OU just for policies, and link out of that so the
policies are 'kept' in a central location, then just create OU's for testing
and link to the "GPO Home" ou. Or am I just missing something that's really
easy, and I'm making it a ton harder?

TIA

Ken
 
Cary Shultz [A.D. MVP]

Ken,

Did not read all of your post so might have missed something. Sorry.

When you create a GPO you are not creating it at the level where you are at
that moment ( for example, at an OU ). You are creating a couple of things
once you give that GPO a 'friendly name': You have created the GPT ( in the
SYSVOL folder ), you have created the GPC ( a container in the Active
Directory Database ) and a link for that GPO to the level ( to use my
previous example, to that OU - level ).

So, you can create an OU, move user account objects and/or computer account
objects into that OU and then create a GPO that is linked to that OU. Let's
say that you want to deploy Office 2003 to the user configuration side. So,
you use Advanced Assign ( because you want to use a .mst file ) when
creating the GPO. Then, you have your users log off and then log on and
Office 2003 is deployed as per your GPO. If, for whatever reason, you
wanted to remove the application ( Office 2003 ) then you would simply go to
the GPO and click on Delete... You would then have a choice to make: remove
the link to that OU but leave the GPO itself still intact or to delete both
the link and the GPO itself. Let's look at what both mean:

If you simply remove the link to that OU then the next time that the users
that directly reside in that OU log off and then back on Office 2003 will be
removed ( assuming, of course, that you have checked the 'Remove this
application once it falls out of the scope of this GPO' check box - or
whatever the actual text reads ). However, you still have this GPO
available to you. You could go to another OU ( remember that there are four
levels to which a GPO can be linked - local, Site, Domain and OU ) and
instead of clicking New... you would simply click on Add... and then
probably click on the All tab and select the 'Office 2003' GPO. Now it is
linked to that new OU and any user account objects that directly reside in
that OU ( they have to directly reside in that OU.....if there is a security
group inside that OU that contains user account objects as members then
these user account objects are not affected by the GPO due to this
membership of that group - they have to reside directly in that OU ) will
receive the package the next time they log off and then back on.

However, if you simply remove both the link and the GPO itself then things
do not work so well. The next time that the users log off and then back on
Office 2003 will not be uninstalled! It will stay there. Why? Because you
did not give them a chance to log off and then back on so that they will
see that the link was removed to that OU and the GPO will do its thing (
namely, remove the application that was originally deployed via this GPO ).
It can not as the GPO itself no longer exists.

HTH,

Cary
 
Ken B

Right... I get the idea of how the GPO is 'applied'.... but if I delete the
OU that I created the GPO in, then the GPO is deleted as well. (at least it
appears that way)

Right now, I have a few 'extra' OU's that I had previously tested GP's with,
and subsequently linked to those GP's (using Add, then find the GP by going
up the hierarchy, then to the 'creation OU' and picking out the GP). Now
that my testing is done, I want to take out those OU's, but they are home to
GP's currently being used (an OU with a GP for Office installation in one,
an OU for Windows Update in another, an OU for a registry key entry in
another, an OU for Adobe Acrobat in yet another, etc.)... I want to combine
all these into one OU, and move the existing policies to a new empty OU (to
be aptly named "GPO OU") then link to it.... some computers will need to
have Windows Update, but will not be able to 'handle' Office 2003 due to
their function, or will not need Adobe Acrobat reader (like data collection
terminals). I'd want to have an OU for those, and call it "Data
Collection", but link to the registry key GP and Windows Updates. But I
want to clean up the domain, and not have a ton of OU's hangin out as home
to one GPO that's linked to the OU holding "Engineering" or "Sales"

....or am I just being very confusing?

TIA

Ken
 
Cary Shultz [A.D. MVP]

Ken,

in-line....


Ken B said:
> Right... I get the idea of how the GPO is 'applied'.... but if I delete the
> OU that I created the GPO in, then the GPO is deleted as well. (at least it
> appears that way)

Absolutely not true!

> Right now, I have a few 'extra' OU's that I had previously tested GP's with,
> and subsequently linked to those GP's (using Add, then find the GP by going
> up the hierarchy, then to the 'creation OU' and picking out the GP). Now
> that my testing is done, I want to take out those OU's, but they are home to
> GP's currently being used

Again, absolutely not true. These GPOs are not housed in the OU. I
explained that, or so I thought! There are two completely separate places
where the GPOs actually live - in the GPT and in the GPC. The third part of
the equation is the link ( gPOLink, IIRC ). Deleting an OU to which a GPO
is linked has no detrimental effect on the GPO......

> (an OU with a GP for Office installation in one,
> an OU for Windows Update in another, an OU for a registry key entry in
> another, an OU for Adobe Acrobat in yet another, etc.) I want to combine
> all these into one OU, and move the existing policies to a new empty OU (to
> be aptly named "GPO OU") then link to it.... some computers will need to
> have Windows Update, but will not be able to 'handle' Office 2003 due to
> their function, or will not need Adobe Acrobat reader (like data collection
> terminals). I'd want to have an OU for those, and call it "Data
> Collection", but link to the registry key GP and Windows Updates. But I
> want to clean up the domain, and not have a ton of OU's hangin out as home
> to one GPO that's linked to the OU holding "Engineering" or "Sales"
>
> ...or am I just being very confusing?


Not sure that you are being confusing. I am just not sure why you are
drawing the conclusion that you are. Have you installed the Support Tools
and looked at GPOTool and GPRESULT and then also looked at repadmin and
replmon? If you have WIN2003 Active Directory or if you have an available
WINXP SP1 machine you might want to check out the GPMC.

Not to worry, we will get to the bottom of this!

Cary
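
The distinction drawn in the reply above, as an added example that is not part of any post in this thread: an OU carries only links to GPOs in its gPLink attribute, while each GPO exists separately as a GPC object under CN=Policies,CN=System (plus its GPT in SYSVOL). The Python sketch below parses gPLink values from a constructed directory snapshot and shows what deleting a test OU does and does not remove; the domain, OU names and GUIDs are hypothetical.

```python
import re

# One gPLink entry looks like [LDAP://<GPC distinguished name>;<options>]
GPLINK_ENTRY = re.compile(r"\[LDAP://([^;\]]+);(\d+)\]", re.IGNORECASE)
GUID = re.compile(r"\{[0-9A-Fa-f-]{36}\}")

def parse_gplink(value):
    """Return (gpo_guid, disabled, enforced) per link; bit 0 = disabled, bit 1 = enforced."""
    links = []
    for dn, opts in GPLINK_ENTRY.findall(value or ""):
        guid = GUID.search(dn)
        if guid:
            flags = int(opts)
            links.append((guid.group(0).upper(), bool(flags & 1), bool(flags & 2)))
    return links

def links_by_gpo(containers):
    """Map GPO GUID -> list of container DNs whose gPLink references it."""
    index = {}
    for dn, gplink in containers.items():
        for guid, _disabled, _enforced in parse_gplink(gplink):
            index.setdefault(guid, []).append(dn)
    return index

def delete_ou(containers, ou_dn):
    """Deleting an OU removes that object and its gPLink value, not the GPCs."""
    return {dn: v for dn, v in containers.items() if dn != ou_dn}

def unlinked_gpos(gpcs, containers):
    """Names of GPOs that still exist as GPCs but are linked nowhere."""
    linked = links_by_gpo(containers)
    return sorted(name for guid, name in gpcs.items() if guid.upper() not in linked)

# Constructed sample data (hypothetical domain, GUIDs and OU names).
BASE = "CN=Policies,CN=System,DC=example,DC=local"
OFFICE = "{11111111-1111-1111-1111-111111111111}"
WSUS = "{22222222-2222-2222-2222-222222222222}"
GPCS = {OFFICE: "Office 2003", WSUS: "Windows Update"}
CONTAINERS = {
    "OU=OfficeTest,DC=example,DC=local": f"[LDAP://CN={OFFICE},{BASE};0]",
    "OU=WUTest,DC=example,DC=local": f"[LDAP://CN={WSUS},{BASE};0]",
    "OU=Engineering,DC=example,DC=local":
        f"[LDAP://CN={OFFICE},{BASE};0][LDAP://CN={WSUS},{BASE};2]",
    "OU=Data Collection,DC=example,DC=local": f"[LDAP://CN={WSUS},{BASE};0]",
}

if __name__ == "__main__":
    after = delete_ou(CONTAINERS, "OU=OfficeTest,DC=example,DC=local")
    print(links_by_gpo(after), unlinked_gpos(GPCS, after))
```

A GPO reported by `unlinked_gpos` is the case discussed in this thread: it applies to nothing, but it still exists and can be linked again from any site, domain or OU.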
 
Read this please

GPOs are NOT stored in the Organizational Units OU

You can create an OU named Office2003Computers and then
configure a GPO to install Office 2003 for all computers
in that OU. Let us say that your GPO is named Office2k3.

You start moving computers to populate the OU. You will
find that computers that were moved in this OU have
installed the assigned application.

When you move your computers elsewhere out of your OU,
no further installation of Office 2003 occurs. If you
delete the OU, i.e., delete the Office2003Computers make
sure that the GPO won't get deleted!

BEFORE DELETING THE OU, JUST UNLINK THE GPO, THEN DELETE
THE OU. THIS WOULD MAKE IT EASIER FOR WINDOWS AS IT MIGHT
GIVE YOU SOME ERROR MESSAGES IN YOUR LOG FILES, JUST AS
WHEN YOU GET AN ERROR MESSAGE FOR A SHARED FOLDER THAT HAS
BEEN DELETED WITHOUT UNSHARING IT! WINDOWS KEEPS UP THE
SHARE EVEN WHEN YOU DELETE THE FOLDER!!!

You might be asking yourself. Where is my GPO then?
It is still there somewhere defined on your domain
controller but not linked to any OU. If you want to see it,
right click on any OU, then properties, select GPO, click
ADD, and select the last tab and select to view ALL GPOs
in your domain. I'm sure you'll find your GPO there!
 
Cary Shultz [A.D. MVP]

I thought that I gave pretty much the same response.

I would take issue with only two of your statements:

Before deleting the group, unlink it and then delete it. Well, this is not
completely accurate. There is a missing step in the middle. If set up at
the user configuration side then the user would have to log on and then log
off - as I stated in my reply - so that the software would be uninstalled.
If set up at the computer configuration side then the computer would have to
be rebooted....

The GPOs are not "still there somewhere defined on your domain controller
but not linked to any OU"....The GPOs are actually comprised of two parts: the
SYSVOL ( GPT ) and the Active Directory ( GPC ). That is why they are
available by clicking on the Add... button...

Cary
 
Ken B

AHA!!! I totally looked past the "All" tab... that just shed a spot light
on my confusion!

It really appeared as though GP's were gone if I deleted the OU of creation.

I thought I tried it, and it didn't appear in the GP's of an OU I had it
linked to.... will have to experiment just so I can say "I did this"

Thanks, Cary, "Read this please"---much appreciated!

Ken
 
Ken B

> Not sure that you are being confusing. I am just not sure why you are
> drawing the conclusion that you are. Have you installed the Support Tools
> and looked at GPOTool and GPRESULT and then also looked at repadmin and
> replmon? If you have WIN2003 Active Directory or if you have an available
> WINXP SP1 machine you might want to check out the GPMC.
>
> Not to worry, we will get to the bottom of this!
>
> Cary

Unfortunately, I don't have a real test environment to work with... My
testing's limited to a few workstations on a production 2000 domain. It's
taken a lot of work to convince my boss to let me deploy Office 2k3 via GPO,
instead of walking around to 200 computers. I think they just got the last
NT4 domain nixed last year, so getting into the fundamentals of GP's is a
slow battle 'round here!

Many thanks again-- :)

Ken
 
