Group policy best way

Ok looking for some advice.

When I was trained I was told that in Group Policy Management you create a GP, link it to the domain, then use security filtering to assign it to users / groups / computers.
So in my Group Policy Management console I have Domain xxxxxxx.local, then a list of my GPs, and in there I have folders (OUs) for the domain controllers / users, but there is no OU for computers or for the computer groups that I set up in Active Directory as security groups.
I am looking to roll out a GP to one group of computers in one room, so I would normally go in and create the GP at domain level, then just assign it to the room using security filtering.
Am I OK doing it that way or is there a better way?
cheers
 
Can't you just make an OU with the computers you want the policy to affect in it then assign the policy to the OU?

That's how I did it (2003 domain though).
 
There are a few different ways that GPO can be configured.

My preference from experience is to stay away from security filtering completely unless there is a requirement to do loopback, and then you have to add the computers (servers) into the security filtering section.

I always use the OU for assigning group policy and the only policy that should be domain level is default domain policy, which should only include password policy and a few other policies that need to be applied across the domain.

Like halfmad said, create an OU for the computers and users that need the policy and then link the policy to the OU of the computers and the users' OU that require the policy. You may need to block inheritance on the OU and relink the default domain policy through if the GPO has been configured previously with domain-level policies that do not need to be applied across all OUs.

For example, at one site that I work at, previous admins applied the workstation policies into the default domain policy, and as such it was being applied to servers as well. This was a mess and I had to clean it up by creating a new default domain policy and workstation policy and then blocking inheritance on the user and computer OUs and linking the relevant policies through.
 
Leave the default domain policy alone (reset it if necessary). If you need to change things such as password policy then make a GPO with just that in and Enforce it.

WMI filters have a comparatively huge impact on login times - always use OUs where you can. If you need certain user policies to only apply to certain groups then set the permissions on the GPO accordingly.
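
The OU-based approach suggested in the replies, sketched in PowerShell as an added example that is not part of any post in this thread. The group, OU and GPO names are hypothetical placeholders, and it assumes the ActiveDirectory and GroupPolicy (RSAT) modules are available:

```powershell
# Added example: move a room's computers out of a filtering group into their own OU
# and link the GPO there instead of at the domain. All names are hypothetical.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domainDn  = (Get-ADDomain).DistinguishedName
$roomGroup = 'Room12-PCs'           # existing security group holding the room's computers (assumed)
$ouName    = 'Room12'               # OU to create for those computers (assumed)
$gpoName   = 'Room12 Workstations'  # GPO to link to the OU (assumed)
$ouDn      = "OU=$ouName,$domainDn"
$preview   = $true                  # $true only reports the computer moves; set $false to apply

# Create the OU directly under the domain root if it is not there yet.
$existingOu = Get-ADOrganizationalUnit -Filter "Name -eq '$ouName'" `
                  -SearchBase $domainDn -SearchScope OneLevel
if (-not $existingOu) {
    New-ADOrganizationalUnit -Name $ouName -Path $domainDn
}

# Move every computer account that is a member of the room group into the OU.
Get-ADGroupMember -Identity $roomGroup |
    Where-Object { $_.objectClass -eq 'computer' } |
    ForEach-Object {
        Move-ADObject -Identity $_.DistinguishedName -TargetPath $ouDn -WhatIf:$preview
    }

# Reuse the GPO if it exists, otherwise create an empty one to configure later.
$gpo = Get-GPO -Name $gpoName -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $gpoName
}

# Link the GPO to the OU unless it is already linked there.
$som = Get-GPInheritance -Target $ouDn
if ($som.GpoLinks.DisplayName -notcontains $gpoName) {
    New-GPLink -Name $gpoName -Target $ouDn -LinkEnabled Yes | Out-Null
}

# Check: list what the OU receives, including links inherited from the domain,
# and whether inheritance is blocked on it.
$som = Get-GPInheritance -Target $ouDn
"Inheritance blocked on ${ouName}: $($som.GpoInheritanceBlocked)"
$som.InheritedGpoLinks | Select-Object Order, DisplayName, Enabled, Enforced
```

The final listing shows any domain-level links that still reach the OU, which is where workstation settings left in the default domain policy would show up.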
 