Re: Group Policies

Hello Allen,

You can also link existing GPOs to the new OU. Additional you can create
multiple policies without any problem.

There is a link order how they are applied:
"Changing the link order
Within each domain, site, and organizational unit, the link order controls
when links are applied. To change the precedence of a link, you can change
the link order, moving each link up or down in the list to the appropriate
location. The link with the higher order (with 1 being the highest order)
has the higher precedence for a given site, domain, or organizational unit.
For example, if you add six GPO links and later decide that you want the
last one that you added to have highest precedence, you can move the GPO
link to the top of the list. "

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm


> On Wed, 21 Oct 2009 13:38:38 +0000 (UTC), Meinolf Weber [MVP-DS]
> wrote:
>
>> Hello Allen,
>>
>> You have to use an additional OU in AD UC and move the users there,
>> now you can create and link a new GPO here. Also do not apply GPOs on
>> domain level, always built your own OU structure, so you can separate
>> all needs.
>>
>> Best regards
>>
>> Meinolf Weber
>> Disclaimer: This posting is provided "AS IS" with no warranties, and
>> confers
>> no rights.
>> ** Please do NOT email, only reply to Newsgroups
>> ** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
>>> I have a group policy that applies to all users on the domain. I
>>> want to create another group policy with less restrictions for a
>>> specific set of users. How do I go about doing this?
>>>
>>> No mercy for what we are doing
>>> No thought to even what we have done
>>> We don't need to feel the sorrow
>>> No remorse for the helpless one
>>> Metallica - No Remorse
> Thanks for this. So if I create a new OU in ADC, move specific users
> to here, do I just create a brand new policy for them? Or can I use
> teh current policy and create a 2nd one as well? Is there a heirarchy
> of policies within an OU?
>
> It's easy to lay down and hide
> Where's the warrior without his pride?
> Adam and The Ants - Dog Eat Dog
>

On Thu, 22 Oct 2009 07:57:04 +0000 (UTC), Meinolf Weber [MVP-DS]
<meiweb@(nospam)gmx.de> wrote:

>Hello Allen,
>
>You can also link existing GPOs to the new OU. Additional you can create
>multiple policies without any problem.
>
>There is a link order how they are applied:
>"Changing the link order
>Within each domain, site, and organizational unit, the link order controls
>when links are applied. To change the precedence of a link, you can change
>the link order, moving each link up or down in the list to the appropriate
>location. The link with the higher order (with 1 being the highest order)
>has the higher precedence for a given site, domain, or organizational unit.
>For example, if you add six GPO links and later decide that you want the
>last one that you added to have highest precedence, you can move the GPO
>link to the top of the list. "

It is worth adding here that the "precedence" is implemented by setting the
order that the GPOs are applied. That is, the lowest "precedence" will be
applied first and then the second lowest. Each GPO will therefore be able to
"overwrite" the setting of the lower "precedence" GPO applied before it.

However it is also possible to "Block Inheritance" for an OU which prevents
policies from higher OU or the domain from inheriting down to the lower OU or to
"Enforce" an OU link which forces its setting to be maintained and prevents the
setting of a later (higher precedence) link from changing its settings.

>
>Best regards
>
>Meinolf Weber
>Disclaimer: This posting is provided "AS IS" with no warranties, and confers
>no rights.
>** Please do NOT email, only reply to Newsgroups
>** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
>
>
>> On Wed, 21 Oct 2009 13:38:38 +0000 (UTC), Meinolf Weber [MVP-DS]
>> wrote:
>>
>>> Hello Allen,
>>>
>>> You have to use an additional OU in AD UC and move the users there,
>>> now you can create and link a new GPO here. Also do not apply GPOs on
>>> domain level, always built your own OU structure, so you can separate
>>> all needs.
>>>
>>> Best regards
>>>
>>> Meinolf Weber
>>> Disclaimer: This posting is provided "AS IS" with no warranties, and
>>> confers
>>> no rights.
>>> ** Please do NOT email, only reply to Newsgroups
>>> ** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
>>>> I have a group policy that applies to all users on the domain. I
>>>> want to create another group policy with less restrictions for a
>>>> specific set of users. How do I go about doing this?
>>>>
>>>> No mercy for what we are doing
>>>> No thought to even what we have done
>>>> We don't need to feel the sorrow
>>>> No remorse for the helpless one
>>>> Metallica - No Remorse
>> Thanks for this. So if I create a new OU in ADC, move specific users
>> to here, do I just create a brand new policy for them? Or can I use
>> teh current policy and create a 2nd one as well? Is there a heirarchy
>> of policies within an OU?
>>
>> It's easy to lay down and hide
>> Where's the warrior without his pride?
>> Adam and The Ants - Dog Eat Dog
>>
>
--
Dave Mills
There are 10 types of people, those that understand binary and those that don't.

"DaveMills" <> wrote in message
news:...
> On Thu, 22 Oct 2009 07:57:04 +0000 (UTC), Meinolf Weber [MVP-DS]
> <meiweb@(nospam)gmx.de> wrote:
>
>>Hello Allen,
>>
>>You can also link existing GPOs to the new OU. Additional you can create
>>multiple policies without any problem.
>>
>>There is a link order how they are applied:
>>"Changing the link order
>>Within each domain, site, and organizational unit, the link order controls
>>when links are applied. To change the precedence of a link, you can change
>>the link order, moving each link up or down in the list to the appropriate
>>location. The link with the higher order (with 1 being the highest order)
>>has the higher precedence for a given site, domain, or organizational
>>unit.
>>For example, if you add six GPO links and later decide that you want the
>>last one that you added to have highest precedence, you can move the GPO
>>link to the top of the list. "
>
> It is worth adding here that the "precedence" is implemented by setting
> the
> order that the GPOs are applied. That is, the lowest "precedence" will be
> applied first and then the second lowest. Each GPO will therefore be able
> to
> "overwrite" the setting of the lower "precedence" GPO applied before it.
>
> However it is also possible to "Block Inheritance" for an OU which
> prevents
> policies from higher OU or the domain from inheriting down to the lower OU
> or to
> "Enforce" an OU link which forces its setting to be maintained and
> prevents the
> setting of a later (higher precedence) link from changing its settings.
>

Dave, just to add, as a visual aid, without the GPMC installed, when looking
at an OU's properties, Group Policy tab, if there are more than one GPO in
the list, they fire from the bottom up. In the GPMC, it's stated by their
numerical order.

Ace

On Fri, 23 Oct 2009 01:27:16 -0400, "Ace Fekay [MCT]"
<> wrote:

>"DaveMills" <> wrote in message
>news:.. .
>> On Thu, 22 Oct 2009 07:57:04 +0000 (UTC), Meinolf Weber [MVP-DS]
>> <meiweb@(nospam)gmx.de> wrote:
>>
>>>Hello Allen,
>>>
>>>You can also link existing GPOs to the new OU. Additional you can create
>>>multiple policies without any problem.
>>>
>>>There is a link order how they are applied:
>>>"Changing the link order
>>>Within each domain, site, and organizational unit, the link order controls
>>>when links are applied. To change the precedence of a link, you can change
>>>the link order, moving each link up or down in the list to the appropriate
>>>location. The link with the higher order (with 1 being the highest order)
>>>has the higher precedence for a given site, domain, or organizational
>>>unit.
>>>For example, if you add six GPO links and later decide that you want the
>>>last one that you added to have highest precedence, you can move the GPO
>>>link to the top of the list. "
>>
>> It is worth adding here that the "precedence" is implemented by setting
>> the
>> order that the GPOs are applied. That is, the lowest "precedence" will be
>> applied first and then the second lowest. Each GPO will therefore be able
>> to
>> "overwrite" the setting of the lower "precedence" GPO applied before it.
>>
>> However it is also possible to "Block Inheritance" for an OU which
>> prevents
>> policies from higher OU or the domain from inheriting down to the lower OU
>> or to
>> "Enforce" an OU link which forces its setting to be maintained and
>> prevents the
>> setting of a later (higher precedence) link from changing its settings.
>>
>
>Dave, just to add, as a visual aid, without the GPMC installed, when looking
>at an OU's properties, Group Policy tab, if there are more than one GPO in
>the list, they fire from the bottom up. In the GPMC, it's stated by their
>numerical order.
Does anyone try doing GP without the GPMC, they have to be masochists!
I forgot that the GPMC can sort ascending and descending so yes precedence
numeric order and firing order by reverse numeric order.

>
>Ace
>
--
Dave Mills
There are 10 types of people, those that understand binary and those that don't.

Yes you should use GPMC

"DaveMills" <> wrote in message
news:...
> On Fri, 23 Oct 2009 01:27:16 -0400, "Ace Fekay [MCT]"
> <> wrote:
>
>>"DaveMills" <> wrote in message
>>news:. ..
>>> On Thu, 22 Oct 2009 07:57:04 +0000 (UTC), Meinolf Weber [MVP-DS]
>>> <meiweb@(nospam)gmx.de> wrote:
>>>
>>>>Hello Allen,
>>>>
>>>>You can also link existing GPOs to the new OU. Additional you can create
>>>>multiple policies without any problem.
>>>>
>>>>There is a link order how they are applied:
>>>>"Changing the link order
>>>>Within each domain, site, and organizational unit, the link order
>>>>controls
>>>>when links are applied. To change the precedence of a link, you can
>>>>change
>>>>the link order, moving each link up or down in the list to the
>>>>appropriate
>>>>location. The link with the higher order (with 1 being the highest
>>>>order)
>>>>has the higher precedence for a given site, domain, or organizational
>>>>unit.
>>>>For example, if you add six GPO links and later decide that you want the
>>>>last one that you added to have highest precedence, you can move the GPO
>>>>link to the top of the list. "
>>>
>>> It is worth adding here that the "precedence" is implemented by setting
>>> the
>>> order that the GPOs are applied. That is, the lowest "precedence" will
>>> be
>>> applied first and then the second lowest. Each GPO will therefore be
>>> able
>>> to
>>> "overwrite" the setting of the lower "precedence" GPO applied before it.
>>>
>>> However it is also possible to "Block Inheritance" for an OU which
>>> prevents
>>> policies from higher OU or the domain from inheriting down to the lower
>>> OU
>>> or to
>>> "Enforce" an OU link which forces its setting to be maintained and
>>> prevents the
>>> setting of a later (higher precedence) link from changing its settings.
>>>
>>
>>Dave, just to add, as a visual aid, without the GPMC installed, when
>>looking
>>at an OU's properties, Group Policy tab, if there are more than one GPO in
>>the list, they fire from the bottom up. In the GPMC, it's stated by their
>>numerical order.
> Does anyone try doing GP without the GPMC, they have to be masochists!
> I forgot that the GPMC can sort ascending and descending so yes precedence
> numeric order and firing order by reverse numeric order.
>
>>
>>Ace
>>
> --
> Dave Mills
> There are 10 types of people, those that understand binary and those that
> don't.

"Paul Russell" <> wrote in message
news:310877A5-0AF5-4899-BB4C-...

I learned the old-fashioned method back in 1999, way before the GPMC came
out. It is kind of like admiring an old Ford Model T. :-)

So if I had to, it's no problem for me. Kind of like learning to use all the
shortcuts on a keyboard in the 'old DOS days. But I do realize that many who
never did it manually may not be comfortable with it. After all, you have to
keep track of the overall design in your mind or flow chart it out on paper
(or Visio) first to keep track of it.

:-)

Ace


> Yes you should use GPMC
>
> "DaveMills" <> wrote in message
> news:...
>> On Fri, 23 Oct 2009 01:27:16 -0400, "Ace Fekay [MCT]"
>> <> wrote:
>>
>>>"DaveMills" <> wrote in message
>>>news: ...
>>>> On Thu, 22 Oct 2009 07:57:04 +0000 (UTC), Meinolf Weber [MVP-DS]
>>>> <meiweb@(nospam)gmx.de> wrote:
>>>>
>>>>>Hello Allen,
>>>>>
>>>>>You can also link existing GPOs to the new OU. Additional you can
>>>>>create
>>>>>multiple policies without any problem.
>>>>>
>>>>>There is a link order how they are applied:
>>>>>"Changing the link order
>>>>>Within each domain, site, and organizational unit, the link order
>>>>>controls
>>>>>when links are applied. To change the precedence of a link, you can
>>>>>change
>>>>>the link order, moving each link up or down in the list to the
>>>>>appropriate
>>>>>location. The link with the higher order (with 1 being the highest
>>>>>order)
>>>>>has the higher precedence for a given site, domain, or organizational
>>>>>unit.
>>>>>For example, if you add six GPO links and later decide that you want
>>>>>the
>>>>>last one that you added to have highest precedence, you can move the
>>>>>GPO
>>>>>link to the top of the list. "
>>>>
>>>> It is worth adding here that the "precedence" is implemented by setting
>>>> the
>>>> order that the GPOs are applied. That is, the lowest "precedence" will
>>>> be
>>>> applied first and then the second lowest. Each GPO will therefore be
>>>> able
>>>> to
>>>> "overwrite" the setting of the lower "precedence" GPO applied before
>>>> it.
>>>>
>>>> However it is also possible to "Block Inheritance" for an OU which
>>>> prevents
>>>> policies from higher OU or the domain from inheriting down to the lower
>>>> OU
>>>> or to
>>>> "Enforce" an OU link which forces its setting to be maintained and
>>>> prevents the
>>>> setting of a later (higher precedence) link from changing its settings.
>>>>
>>>
>>>Dave, just to add, as a visual aid, without the GPMC installed, when
>>>looking
>>>at an OU's properties, Group Policy tab, if there are more than one GPO
>>>in
>>>the list, they fire from the bottom up. In the GPMC, it's stated by their
>>>numerical order.
>> Does anyone try doing GP without the GPMC, they have to be masochists!
>> I forgot that the GPMC can sort ascending and descending so yes
>> precedence
>> numeric order and firing order by reverse numeric order.
>>
>>>
>>>Ace
>>>
>> --
>> Dave Mills
>> There are 10 types of people, those that understand binary and those that
>> don't.
>