Group Policies


Allen

I have a group policy that applies to all users on the domain. I want to
create another group policy with less restrictions for a specific set of
users. How do I go about doing this?
--
ats@jbex

No mercy for what we are doing
No thought to even what we have done
We don't need to feel the sorrow
No remorse for the helpless one

Metallica - No Remorse
 

Meinolf Weber [MVP-DS]

Hello Allen,

You have to use an additional OU in AD UC and move the users there, now you
can create and link a new GPO here. Also do not apply GPOs on domain level,
always build your own OU structure, so you can separate all needs.

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm


> I have a group policy that applies to all users on the domain. I want
> to create another group policy with less restrictions for a specific
> set of users. How do I go about doing this?
>
> No mercy for what we are doing
> No thought to even what we have done
> We don't need to feel the sorrow
> No remorse for the helpless one
> Metallica - No Remorse
>
 

Allen

On Wed, 21 Oct 2009 13:38:38 +0000 (UTC), Meinolf Weber [MVP-DS] wrote:

> Hello Allen,
>
> You have to use an additional OU in AD UC and move the users there, now you
> can create and link a new GPO here. Also do not apply GPOs on domain level,
> always build your own OU structure, so you can separate all needs.
>
> Best regards
>
> Meinolf Weber
> Disclaimer: This posting is provided "AS IS" with no warranties, and confers
> no rights.
> ** Please do NOT email, only reply to Newsgroups
> ** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
>
>
>> I have a group policy that applies to all users on the domain. I want
>> to create another group policy with less restrictions for a specific
>> set of users. How do I go about doing this?
>>
>> No mercy for what we are doing
>> No thought to even what we have done
>> We don't need to feel the sorrow
>> No remorse for the helpless one
>> Metallica - No Remorse
>>


Thanks for this. So if I create a new OU in ADC, move specific users to
here, do I just create a brand new policy for them? Or can I use the
current policy and create a 2nd one as well? Is there a hierarchy of
policies within an OU?

--
ats@jbex

It's easy to lay down and hide
Where's the warrior without his pride?

Adam and The Ants - Dog Eat Dog
 

Ace Fekay [MCT]

"Allen" wrote in message
news:6v6tu43je955.7h319l23kk6h.dlg@40tude.net...
> On Wed, 21 Oct 2009 13:38:38 +0000 (UTC), Meinolf Weber [MVP-DS] wrote:
>
>> Hello Allen,
>>
>> You have to use an additional OU in AD UC and move the users there, now
>> you
>> can create and link a new GPO here. Also do not apply GPOs on domain
>> level,
>> always build your own OU structure, so you can separate all needs.
>>
>> Best regards
>>
>> Meinolf Weber
>> Disclaimer: This posting is provided "AS IS" with no warranties, and
>> confers
>> no rights.
>> ** Please do NOT email, only reply to Newsgroups
>> ** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
>>
>>
>>> I have a group policy that applies to all users on the domain. I want
>>> to create another group policy with less restrictions for a specific
>>> set of users. How do I go about doing this?
>>>

>
>
> Thanks for this. So if I create a new OU in ADC, move specific users to
> here, do I just create a brand new policy for them? Or can I use the
> current policy and create a 2nd one as well? Is there a hierarchy of
> policies within an OU?
>

Did you create a separate GPO at the domain level, or did you alter the
Default Domain Policy GPO? Assuming you did not alter the Default Domain
Policy (which is recommended not to touch it), as Meinolf stated, you simply
create an OU, move your users into and unlink the additional policy you
created at the domain level, but now link it to the new OU you created. If
you have different settings for different users, create additional OUs with
their own new GPOs with the different settings.

If you had altered the default Domain Policy, I would suggest to remove the
changes made in that policy (since it should be left alone), and create the
GPOs you need for the OUs you would create for the users that need different
settings.

There is no 'hierarchy' of GPOs, rather just a list of GPOs. The hierarchy
is the OU structure, which you design and create for both organizing your
objects (computers, users, groups and other objects), as well as for GPO
applying and flow.

Take a look at the following, which may help:

Intro to GPOs
http://www.fekay.com/supportblogs/IntroToGPOs.HTML

GPO Inheritance
http://www.fekay.com/supportblogs/gpoflow.jpg

--
Ace

This posting is provided "AS-IS" with no warranties or guarantees and
confers no rights.

Please reply back to the newsgroup or forum for collaboration benefit among
responding engineers, and to help others benefit from your resolution.

Ace Fekay, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007, MCSE & MCSA
2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer

For urgent issues, please contact Microsoft PSS directly. Please check
http://support.microsoft.com for regional support phone numbers.
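
The steps described in this reply, scripted with the ActiveDirectory and GroupPolicy modules. This is an added example, not code from any poster in the thread; the OU names, GPO names and account names are hypothetical placeholders.

```powershell
# Added example. Every name below is a hypothetical placeholder.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domainDn       = (Get-ADDomain).DistinguishedName
$standardOu     = 'Standard Users'              # OU for users who keep the restrictions
$relaxedOu      = 'Relaxed Users'               # OU for the specific set of users
$restrictiveGpo = 'User Restrictions'           # existing custom GPO linked at the domain
$relaxedGpo     = 'User Restrictions - Relaxed' # new GPO with fewer restrictions
$relaxedUsers   = 'jdoe', 'asmith'              # constructed sample account names

# 1. Build the OU structure instead of applying settings at the domain level.
foreach ($name in $standardOu, $relaxedOu) {
    New-ADOrganizationalUnit -Name $name -Path $domainDn `
        -ProtectedFromAccidentalDeletion $true
}
$standardDn = "OU=$standardOu,$domainDn"
$relaxedDn  = "OU=$relaxedOu,$domainDn"

# 2. Move the exception accounts. User-side settings follow the OU that
#    holds the user object, so the move decides which GPOs they receive.
foreach ($sam in $relaxedUsers) {
    Get-ADUser -Identity $sam | Move-ADObject -TargetPath $relaxedDn
}

# 3. Link the restrictive GPO to the standard OU first, then remove the
#    domain-level link, so no user in that OU has a window without it.
#    Accounts left outside both OUs lose the restrictions at this point;
#    move them into $standardDn before running the Remove-GPLink line.
New-GPLink    -Name $restrictiveGpo -Target $standardDn -LinkEnabled Yes
Remove-GPLink -Name $restrictiveGpo -Target $domainDn

# 4. Create the less restrictive GPO and link it only to the exception OU.
#    The GPO is empty until its settings are edited in the GPMC.
New-GPO -Name $relaxedGpo -Comment 'Reduced restrictions for a named set of users' |
    New-GPLink -Target $relaxedDn -LinkEnabled Yes
```

The Default Domain Policy is not referenced anywhere in the script, matching the advice to leave it alone.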
 

Allen

On Wed, 21 Oct 2009 11:07:27 -0400, Ace Fekay [MCT] wrote:

> "Allen" wrote in message
> news:6v6tu43je955.7h319l23kk6h.dlg@40tude.net...
>> On Wed, 21 Oct 2009 13:38:38 +0000 (UTC), Meinolf Weber [MVP-DS] wrote:
>>
>>> Hello Allen,
>>>
>>> You have to use an additional OU in AD UC and move the users there, now
>>> you
>>> can create and link a new GPO here. Also do not apply GPOs on domain
>>> level,
>>> always build your own OU structure, so you can separate all needs.
>>>
>>> Best regards
>>>
>>> Meinolf Weber
>>> Disclaimer: This posting is provided "AS IS" with no warranties, and
>>> confers
>>> no rights.
>>> ** Please do NOT email, only reply to Newsgroups
>>> ** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
>>>
>>>
>>>> I have a group policy that applies to all users on the domain. I want
>>>> to create another group policy with less restrictions for a specific
>>>> set of users. How do I go about doing this?
>>>>

>>
>>
>> Thanks for this. So if I create a new OU in ADC, move specific users to
>> here, do I just create a brand new policy for them? Or can I use the
>> current policy and create a 2nd one as well? Is there a hierarchy of
>> policies within an OU?
>>
>
> Did you create a separate GPO at the domain level, or did you alter the
> Default Domain Policy GPO? Assuming you did not alter the Default Domain
> Policy (which is recommended not to touch it), as Meinolf stated, you simply
> create an OU, move your users into and unlink the additional policy you
> created at the domain level, but now link it to the new OU you created. If
> you have different settings for different users, create additional OUs with
> their own new GPOs with the different settings.
>
> If you had altered the default Domain Policy, I would suggest to remove the
> changes made in that policy (since it should be left alone), and create the
> GPOs you need for the OUs you would create for the users that need different
> settings.
>
> There is no 'hierarchy' of GPOs, rather just a list of GPOs. The hierarchy
> is the OU structure, which you design and create for both organizing your
> objects (computers, users, groups and other objects), as well as for GPO
> applying and flow.
>
> Take a look at the following, which may help:
>
> Intro to GPOs
> http://www.fekay.com/supportblogs/IntroToGPOs.HTML
>
> GPO Inheritance
> http://www.fekay.com/supportblogs/gpoflow.jpg

Thanks again. I did change the default GPO but will reset this back to
default and follow your post.

Thanks all
--
ats@jbex

Those who died are justified, for wearing the badge, they're the chosen
whites
You justify those that died by wearing the badge, they're the chosen whites

Rage Against The Machine - Killing In The Name
 

Meinolf Weber [MVP-DS]

Hello Allen,

You can also link existing GPOs to the new OU. Additionally you can create
multiple policies without any problem.

There is a link order how they are applied:
"Changing the link order
Within each domain, site, and organizational unit, the link order controls
when links are applied. To change the precedence of a link, you can change
the link order, moving each link up or down in the list to the appropriate
location. The link with the higher order (with 1 being the highest order)
has the higher precedence for a given site, domain, or organizational unit.
For example, if you add six GPO links and later decide that you want the
last one that you added to have highest precedence, you can move the GPO
link to the top of the list. "

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm


> On Wed, 21 Oct 2009 13:38:38 +0000 (UTC), Meinolf Weber [MVP-DS]
> wrote:
>
>> Hello Allen,
>>
>> You have to use an additional OU in AD UC and move the users there,
>> now you can create and link a new GPO here. Also do not apply GPOs on
>> domain level, always build your own OU structure, so you can separate
>> all needs.
>>
>> Best regards
>>
>> Meinolf Weber
>> Disclaimer: This posting is provided "AS IS" with no warranties, and
>> confers
>> no rights.
>> ** Please do NOT email, only reply to Newsgroups
>> ** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
>>> I have a group policy that applies to all users on the domain. I
>>> want to create another group policy with less restrictions for a
>>> specific set of users. How do I go about doing this?
>>>
>>> No mercy for what we are doing
>>> No thought to even what we have done
>>> We don't need to feel the sorrow
>>> No remorse for the helpless one
>>> Metallica - No Remorse

> Thanks for this. So if I create a new OU in ADC, move specific users
> to here, do I just create a brand new policy for them? Or can I use
> the current policy and create a 2nd one as well? Is there a hierarchy
> of policies within an OU?
>
> It's easy to lay down and hide
> Where's the warrior without his pride?
> Adam and The Ants - Dog Eat Dog
>
 

Ace Fekay [MCT]

"Allen" wrote in message
news:1fve0b9yjwtiu.lltnw3mie40y.dlg@40tude.net...
> On Wed, 21 Oct 2009 11:07:27 -0400, Ace Fekay [MCT] wrote:
>
>> "Allen" wrote in message
>> news:6v6tu43je955.7h319l23kk6h.dlg@40tude.net...
>>> On Wed, 21 Oct 2009 13:38:38 +0000 (UTC), Meinolf Weber [MVP-DS] wrote:
>>>
>>>> Hello Allen,
>>>>
>>>> You have to use an additional OU in AD UC and move the users there, now
>>>> you
>>>> can create and link a new GPO here. Also do not apply GPOs on domain
>>>> level,
>>>> always build your own OU structure, so you can separate all needs.
>>>>
>>>> Best regards
>>>>
>>>> Meinolf Weber
>>>> Disclaimer: This posting is provided "AS IS" with no warranties, and
>>>> confers
>>>> no rights.
>>>> ** Please do NOT email, only reply to Newsgroups
>>>> ** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
>>>>
>>>>
>>>>> I have a group policy that applies to all users on the domain. I want
>>>>> to create another group policy with less restrictions for a specific
>>>>> set of users. How do I go about doing this?
>>>>>
>>>
>>>
>>> Thanks for this. So if I create a new OU in ADC, move specific users to
>>> here, do I just create a brand new policy for them? Or can I use the
>>> current policy and create a 2nd one as well? Is there a hierarchy of
>>> policies within an OU?
>>>

>>
>> Did you create a separate GPO at the domain level, or did you alter the
>> Default Domain Policy GPO? Assuming you did not alter the Default Domain
>> Policy (which is recommended not to touch it), as Meinolf stated, you
>> simply
>> create an OU, move your users into and unlink the additional policy you
>> created at the domain level, but now link it to the new OU you created.
>> If
>> you have different settings for different users, create additional OUs
>> with
>> their own new GPOs with the different settings.
>>
>> If you had altered the default Domain Policy, I would suggest to remove
>> the
>> changes made in that policy (since it should be left alone), and create
>> the
>> GPOs you need for the OUs you would create for the users that need
>> different
>> settings.
>>
>> There is no 'hierarchy' of GPOs, rather just a list of GPOs. The
>> hierarchy
>> is the OU structure, which you design and create for both organizing your
>> objects (computers, users, groups and other objects), as well as for GPO
>> applying and flow.
>>
>> Take a look at the following, which may help:
>>
>> Intro to GPOs
>> http://www.fekay.com/supportblogs/IntroToGPOs.HTML
>>
>> GPO Inheritance
>> http://www.fekay.com/supportblogs/gpoflow.jpg
>
> Thanks again. I did change the default GPO but will reset this back to
> default and follow your post.
>
> Thanks all

You are welcome!

Ace
 

DaveMills

On Thu, 22 Oct 2009 07:57:04 +0000 (UTC), Meinolf Weber [MVP-DS]
wrote:

>Hello Allen,
>
>You can also link existing GPOs to the new OU. Additionally you can create
>multiple policies without any problem.
>
>There is a link order how they are applied:
>"Changing the link order
>Within each domain, site, and organizational unit, the link order controls
>when links are applied. To change the precedence of a link, you can change
>the link order, moving each link up or down in the list to the appropriate
>location. The link with the higher order (with 1 being the highest order)
>has the higher precedence for a given site, domain, or organizational unit.
>For example, if you add six GPO links and later decide that you want the
>last one that you added to have highest precedence, you can move the GPO
>link to the top of the list. "


It is worth adding here that the "precedence" is implemented by setting the
order that the GPOs are applied. That is, the lowest "precedence" will be
applied first and then the second lowest. Each GPO will therefore be able to
"overwrite" the setting of the lower "precedence" GPO applied before it.

However it is also possible to "Block Inheritance" for an OU which prevents
policies from higher OU or the domain from inheriting down to the lower OU or to
"Enforce" an OU link which forces its setting to be maintained and prevents the
setting of a later (higher precedence) link from changing its settings.

>
>Best regards
>
>Meinolf Weber
>Disclaimer: This posting is provided "AS IS" with no warranties, and confers
>no rights.
>** Please do NOT email, only reply to Newsgroups
>** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
>
>
>> On Wed, 21 Oct 2009 13:38:38 +0000 (UTC), Meinolf Weber [MVP-DS]
>> wrote:
>>
>>> Hello Allen,
>>>
>>> You have to use an additional OU in AD UC and move the users there,
>>> now you can create and link a new GPO here. Also do not apply GPOs on
>>> domain level, always build your own OU structure, so you can separate
>>> all needs.
>>>
>>> Best regards
>>>
>>> Meinolf Weber
>>> Disclaimer: This posting is provided "AS IS" with no warranties, and
>>> confers
>>> no rights.
>>> ** Please do NOT email, only reply to Newsgroups
>>> ** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
>>>> I have a group policy that applies to all users on the domain. I
>>>> want to create another group policy with less restrictions for a
>>>> specific set of users. How do I go about doing this?
>>>>
>>>> No mercy for what we are doing
>>>> No thought to even what we have done
>>>> We don't need to feel the sorrow
>>>> No remorse for the helpless one
>>>> Metallica - No Remorse

>> Thanks for this. So if I create a new OU in ADC, move specific users
>> to here, do I just create a brand new policy for them? Or can I use
>> the current policy and create a 2nd one as well? Is there a hierarchy
>> of policies within an OU?
>>
>> It's easy to lay down and hide
>> Where's the warrior without his pride?
>> Adam and The Ants - Dog Eat Dog
>>
>
--
Dave Mills
There are 10 types of people, those that understand binary and those that don't.
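
An audit of the link order, "Block Inheritance" and "Enforce" behaviour discussed in this post, using `Get-GPInheritance` to list what each container actually receives. This is an added example, not code from the thread; the function name `Get-GpoLinkAudit` is hypothetical.

```powershell
# Added example. Get-GpoLinkAudit is a hypothetical helper name.
Import-Module ActiveDirectory
Import-Module GroupPolicy

function Get-GpoLinkAudit {
    param(
        # Container to start from; defaults to the domain root.
        [string]$SearchBase = (Get-ADDomain).DistinguishedName
    )

    # The starting container plus every OU beneath it, without duplicates.
    $targets = @($SearchBase) + @(
        Get-ADOrganizationalUnit -Filter * -SearchBase $SearchBase |
            Select-Object -ExpandProperty DistinguishedName
    ) | Select-Object -Unique

    foreach ($dn in $targets) {
        $som = Get-GPInheritance -Target $dn

        # InheritedGpoLinks is the resulting list for this container after
        # link order, Block Inheritance and Enforced have been taken into
        # account. Order 1 has the highest precedence and is applied last.
        foreach ($link in $som.InheritedGpoLinks | Sort-Object Order) {
            [pscustomobject]@{
                Container          = $dn
                InheritanceBlocked = $som.GpoInheritanceBlocked
                Precedence         = $link.Order
                Gpo                = $link.DisplayName
                LinkedAt           = $link.Target
                Enabled            = $link.Enabled
                Enforced           = $link.Enforced
            }
        }
    }
}

$report = Get-GpoLinkAudit

# Full picture: one row per GPO per container, highest precedence first.
$report | Sort-Object Container, Precedence |
    Format-Table Container, Precedence, Gpo, Enforced, Enabled -AutoSize

# Containers that block inheritance escape policies linked above them
# unless those links are enforced, so each one should be a known exception.
$report | Where-Object InheritanceBlocked |
    Select-Object -ExpandProperty Container -Unique

# Enforced links override Block Inheritance and lower-level settings.
$report | Where-Object Enforced |
    Select-Object Gpo, LinkedAt -Unique
```

Link order, enforcement and inheritance blocking themselves are changed with `Set-GPLink -Order`, `Set-GPLink -Enforced` and `Set-GPInheritance -IsBlocked`.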
 

Ace Fekay [MCT]

"DaveMills" wrote in message
news:8uc2e5huna9lm1hvoum87l6mqdirmb9bo1@4ax.com...
> On Thu, 22 Oct 2009 07:57:04 +0000 (UTC), Meinolf Weber [MVP-DS]
> wrote:
>
>>Hello Allen,
>>
>>You can also link existing GPOs to the new OU. Additionally you can create
>>multiple policies without any problem.
>>
>>There is a link order how they are applied:
>>"Changing the link order
>>Within each domain, site, and organizational unit, the link order controls
>>when links are applied. To change the precedence of a link, you can change
>>the link order, moving each link up or down in the list to the appropriate
>>location. The link with the higher order (with 1 being the highest order)
>>has the higher precedence for a given site, domain, or organizational
>>unit.
>>For example, if you add six GPO links and later decide that you want the
>>last one that you added to have highest precedence, you can move the GPO
>>link to the top of the list. "

>
> It is worth adding here that the "precedence" is implemented by setting
> the
> order that the GPOs are applied. That is, the lowest "precedence" will be
> applied first and then the second lowest. Each GPO will therefore be able
> to
> "overwrite" the setting of the lower "precedence" GPO applied before it.
>
> However it is also possible to "Block Inheritance" for an OU which
> prevents
> policies from higher OU or the domain from inheriting down to the lower OU
> or to
> "Enforce" an OU link which forces its setting to be maintained and
> prevents the
> setting of a later (higher precedence) link from changing its settings.
>

Dave, just to add, as a visual aid, without the GPMC installed, when looking
at an OU's properties, Group Policy tab, if there are more than one GPO in
the list, they fire from the bottom up. In the GPMC, it's stated by their
numerical order.

Ace
 

DaveMills

On Fri, 23 Oct 2009 01:27:16 -0400, "Ace Fekay [MCT]"
wrote:

>"DaveMills" wrote in message
>news:8uc2e5huna9lm1hvoum87l6mqdirmb9bo1@4ax.com...
>> On Thu, 22 Oct 2009 07:57:04 +0000 (UTC), Meinolf Weber [MVP-DS]
>> wrote:
>>
>>>Hello Allen,
>>>
>>>You can also link existing GPOs to the new OU. Additionally you can create
>>>multiple policies without any problem.
>>>
>>>There is a link order how they are applied:
>>>"Changing the link order
>>>Within each domain, site, and organizational unit, the link order controls
>>>when links are applied. To change the precedence of a link, you can change
>>>the link order, moving each link up or down in the list to the appropriate
>>>location. The link with the higher order (with 1 being the highest order)
>>>has the higher precedence for a given site, domain, or organizational
>>>unit.
>>>For example, if you add six GPO links and later decide that you want the
>>>last one that you added to have highest precedence, you can move the GPO
>>>link to the top of the list. "

>>
>> It is worth adding here that the "precedence" is implemented by setting
>> the
>> order that the GPOs are applied. That is, the lowest "precedence" will be
>> applied first and then the second lowest. Each GPO will therefore be able
>> to
>> "overwrite" the setting of the lower "precedence" GPO applied before it.
>>
>> However it is also possible to "Block Inheritance" for an OU which
>> prevents
>> policies from higher OU or the domain from inheriting down to the lower OU
>> or to
>> "Enforce" an OU link which forces its setting to be maintained and
>> prevents the
>> setting of a later (higher precedence) link from changing its settings.
>>
>
>Dave, just to add, as a visual aid, without the GPMC installed, when looking
>at an OU's properties, Group Policy tab, if there are more than one GPO in
>the list, they fire from the bottom up. In the GPMC, it's stated by their
>numerical order.
Does anyone try doing GP without the GPMC? They have to be masochists!
I forgot that the GPMC can sort ascending and descending so yes precedence
numeric order and firing order by reverse numeric order.

>
>Ace
>

--
Dave Mills
There are 10 types of people, those that understand binary and those that don't.
 