mkansagra
(MKansagra)
1
I am also new to the GPOs a little bit. Only times I’ve ever worked on them was when everything was already set up properly and compartmentalized. I want to create an OU for PCs separately. For example, Engineering, Quality Engineering, Manufacturing etc.
Would the default domain policy still apply even if I move the PCs to a different OU like PC settings, user configurations? And then I will create new policies under those new OUs pertaining to the departments.
I just started working at this place and I saw that GPOs are a bit messy. Previous person didn’t even bother removing old/unused GPOs or even creating OU for PCs. You can see in the picture how it’s a bit everywhere.
Thank you already for the help. I am loving the community and learned a lot over the years. Definitely my go-to place.
3 Spice ups
Your Default Domain Policy is linked at the top/root of your domain so it will apply to everything below it, regardless of which OU it is in.
You can then link a GPO to a specific OU to override settings as needed. This way a domain linked policy can act like your default policy until a more specific policy applies instead. This is how that default domain controller policy works. It overrides settings from the default domain one to make them better suited for DCs.
Similarly your RemoveLocalAdmins policy only applies to computers in the JAKTOOL_OU OU (the name of the OU containing “ou” is a bit redundant. I’d rename it).
1 Spice up
mkansagra
(MKansagra)
3
Yes. That is a useless OU anyways that I plan on deleting. They were testing I believe and created tons of OUs and users so cleaning up now.
Thank you very much for the reply. I appreciate it.
jitensh
(JitenSh)
4
That looks good.
GPO applies from top to bottom.
For example, any policy under default domain policy-> default domain policy will apply.
Unless Block Inheritance - Stops containers inheriting policies from parent containers
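The inheritance behaviour discussed in the replies above can be checked directly, as an added example that is not part of anyone's post in this thread: the script creates per-department computer OUs and then reports, for each one, whether inheritance is blocked and which GPOs apply in precedence order. It assumes the RSAT ActiveDirectory and GroupPolicy modules are installed; the parent OU name `Workstations` is a hypothetical choice, and the department names are the ones from the question.

```powershell
# Added example. Run as an account allowed to create OUs and read GPOs.
Import-Module ActiveDirectory, GroupPolicy

$domainDn    = (Get-ADDomain).DistinguishedName
$parentName  = 'Workstations'   # hypothetical parent OU for all PCs
$parentDn    = "OU=$parentName,$domainDn"
$departments = 'Engineering', 'Quality Engineering', 'Manufacturing'

# Create the parent OU and one child OU per department, skipping any that exist.
if (-not (Get-ADOrganizationalUnit -Filter "Name -eq '$parentName'" `
          -SearchBase $domainDn -SearchScope OneLevel)) {
    New-ADOrganizationalUnit -Name $parentName -Path $domainDn
}
foreach ($dept in $departments) {
    if (-not (Get-ADOrganizationalUnit -Filter "Name -eq '$dept'" `
              -SearchBase $parentDn -SearchScope OneLevel)) {
        New-ADOrganizationalUnit -Name $dept -Path $parentDn
    }
}

# For each OU: is inheritance blocked, what is linked directly, and what
# applies overall. InheritedGpoLinks lists every GPO that applies to the OU
# (direct and inherited); Order 1 has the highest precedence.
Get-ADOrganizationalUnit -Filter * -SearchBase $parentDn | ForEach-Object {
    $som = Get-GPInheritance -Target $_.DistinguishedName
    [pscustomobject]@{
        OU                 = $_.DistinguishedName
        InheritanceBlocked = $som.GpoInheritanceBlocked
        DirectLinks        = $som.GpoLinks.DisplayName -join '; '
        AppliedInOrder     = ($som.InheritedGpoLinks | Sort-Object Order |
            ForEach-Object {
                '{0}. {1} (enforced: {2})' -f $_.Order, $_.DisplayName, $_.Enforced
            }) -join '; '
    }
} | Format-List

# Cleanup candidates: GPOs whose XML report shows no links at all.
# Review each one (and back it up with Backup-GPO) before deleting anything.
Get-GPO -All | Where-Object {
    [xml]$report = Get-GPOReport -Guid $_.Id -ReportType Xml
    -not $report.GPO.LinksTo
} | Select-Object DisplayName, Id, ModificationTime
```

On a new OU with no links of its own, `AppliedInOrder` should list the Default Domain Policy and any other domain-linked GPOs, since moving computer accounts into the OU does not remove them from the scope of domain-level links.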
scheff1
(scheff1)
5
Nobody assessed it as useless nor for being limited to testing, except you. You need some concept (hopefully documented). And that concept may determine which kind of bindings or policies might be useless, which might be only limited to migration or only limited to some testing. I’m (currently) no expert in GPO and Microsoft offers various tutorials on concepts and learning material how to map concepts to GPOs.
What I couldn’t see in your sample is why forest was chosen as a structuring component. (It usually doesn’t hurt.)
The subject of GPO structuring isn’t about beauty but about concepts. I don’t know but it seems to me that you didn’t yet understand the options of structuring available. I agree that as long as an organisation can be satisfied by simple structuring, this is preferred. So I can’t tell if you’ll need entries for every OU your organisation has. And why do you use an organisational entry at the same level as a device category entry?