[itdiscuss] Group policy statement

Thu Nov 19 13:35:18 EST 2009

You generally only want to apply any filtering (or item level targeting fo GP Preferences) to a very small OU.

ie: have a nested OU structure like this:

Desktops >> Central Offices >> Building 1 >> Accounting

There would be a GPO with no filtering attached to each level for applying things specific to all machines down to the specific group of machines. Any filtering/targetting would only happen at the last level - Accounting in my example - since filtering is more resource intensive and sometimes needs LDAP or WMI queries.

The design and hierarchy is very important from a performance perspective, especially in a larger network. There are often 5 ways to do the same thing in group policy, but each varies vastly in performance.

-Derek Schwab

On Nov 19, 2009, at 1:06 PM, "Bobby Stewart" <bStewart at brentwoodbaptist.com<mailto:bStewart at brentwoodbaptist.com>> wrote:

Yes, you can but my experience with this is that it’s tedious and sometimes unpredictable (or at least not as easy to manage the results). We use the OU method with servers in their own OU separate from all other systems. We’ve done the same for systems that are portable (notebooks, tablets, etc.) vs. desktops, Windows XP vs. Vista vs. Win7 (at one time an issue for our antivirus automated deployment) as well as separating users in OUs for different policy applications. It’s a great tool!

Bobby Stewart
Network Analyst
Brentwood Baptist Church
Brentwood, TN
WWW.BrentwoodBaptist.com<http://WWW.BrentwoodBaptist.com>
(615) 324-6149 office
(615) 830-0012 cell

From: discuss-bounces at itdiscuss.org<mailto:discuss-bounces at itdiscuss.org> [mailto:discuss-bounces at itdiscuss.org] On Behalf Of Michael Sainz
Sent: Thursday, November 19, 2009 11:50 AM
To: IT Discussion Forum
Subject: Re: [itdiscuss] Group policy statement

You can scope your GPO’s appropriately using Security Filtering.

michael|sainz
information technology coordinator | sunset presbyterian church<http://www.sunsetpres.org/>
<mailto:michaelsainz at sunsetpres.org>michaelsainz at sunsetpres.org<mailto:michaelsainz at sunsetpres.org> | twitter.com/michaelsainz<http://twitter.com/michaelsainz> | Blog<http://www.iamdigerati.com/>

"We listen to worship music, while the rest of the world listens to hip hop and pop. We talk about history, while the rest of the world talks about reality. We use bulletins, while the rest of the world is on Facebook." -Tony Morgan

From: discuss-bounces at itdiscuss.org<mailto:discuss-bounces at itdiscuss.org> [mailto:discuss-bounces at itdiscuss.org] On Behalf Of blloyd at buskercom.com<mailto:blloyd at buskercom.com>
Sent: Thursday, November 19, 2009 8:14 AM
To: discuss at itdiscuss.org
Subject: Re: [itdiscuss] Group policy statement

Yep.  Just setup the policy for the OU(s) that your workstations are in and make sure there aren’t any servers in the same OU(s).  Keep in mind that you can link GPOs to more than one OU.

Bill Lloyd
IT Manager
<image001.jpg>

2567 Athens Hwy.
Gainesville, GA 30507
Phone: 770-417-1604 Ext.: 250
Fax:     770-417-1747
Cell:     404-379-6963

blloyd at buskercom.com<mailto:blloyd at buskercom.com>
This email and any accompanying attachments may contain confidential and proprietary information. If you are not the intended recipient, you are requested to delete this entire communication immediately. Emails cannot be guaranteed to be secure or free of errors or viruses. The sender does not accept any liability or responsibility for any problems that may result from emails you receive.
From: discuss-bounces at itdiscuss.org<mailto:discuss-bounces at itdiscuss.org> [mailto:discuss-bounces at itdiscuss.org] On Behalf Of Steve Huffman
Sent: Thursday, November 19, 2009 10:43 AM
To: IT Discussion Forum
Subject: [itdiscuss] Group policy statement

Is there a way to force autoupdates on your workstations but exempt your servers in group policy? I don’t want my servers to reboot on their own ☺

Steve

Steve Huffman
Network Administrator
Blackhawk Church
shuffman at blackhawkchurch.org<mailto:shuffman at blackhawkchurch.org>
www.BlackhawkChurch.org<http://www.BlackhawkChurch.org>
608.828.4200

<ATT00001..txt>