I’m pretty confident in my own answer on this, but since people in my department have differing opinions I would like some SpiceHeads to weigh in. I have researched this online and everything I have come across also agrees with my assumptions, but I just want some confirmation.

If you have a GPO above an OU with only users in it, the only settings in the GPO that are applied or looked at are the ones in the User Configuration?

If you have a GPO above an OU with only computers in it, the only settings in the GPO that are applied or looked at are the ones in the Computer Configuration? Unless Loopback is turned on, in which case any user that logs into a computer under the GPO will get any User Configuration settings that are in any GPO that computer sees.

(dhubbard, 2012-12-20 14:53 UTC; 6 upvotes, 12 answers)

Accepted answer:

You are very correct, sir.

Because of those things I am actually in the process of remodelling our OU structure, because our computer accounts are divided into OUs by floors and our user accounts by staff positions, which makes it impossible to apply GPOs which contain both user and computer policies to anyone.

(milosz, 2012-12-20 15:12 UTC; 1 upvote)

Exactly correct. Loopback just forces user settings to be applied along with computer settings.

(mattpatzwald2818, 2012-12-20 15:12 UTC; 0 upvotes)

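The scope rule confirmed in the replies above, as an added example that is not part of the original thread: a simplified Python model (not Microsoft's processing engine) of which GPOs contribute Computer and User Configuration at logon, with and without loopback. The OU names, GPO names and the `LINKS` table are constructed, and the merge/replace loopback modes are standard Group Policy behaviour that the thread does not spell out. Site links, enforcement, block inheritance, security filtering and WMI filtering are left out.

```python
"""Simplified model of Group Policy scope (added illustration, not Microsoft's engine).
All OU and GPO names below are constructed for this example."""

# Container path (root first) -> GPOs linked there, each with the sections it carries.
LINKS = {
    ("corp",): {"Domain-Baseline": {"user", "computer"}},
    ("corp", "Staff"): {"Staff-Desktop": {"user"}},
    ("corp", "Kiosks"): {"Kiosk-Lockdown": {"user", "computer"}},
}


def linked(ou_path, section):
    """GPOs linked at or above ou_path that carry `section`, parent first (child wins)."""
    names = []
    for depth in range(1, len(ou_path) + 1):
        for name, sections in LINKS.get(tuple(ou_path[:depth]), {}).items():
            if section in sections:
                names.append(name)
    return names


def resultant(user_ou, computer_ou, loopback=None):
    """GPO names whose Computer / User Configuration is processed at logon.

    loopback is the mode set on the computer: None, "merge" or "replace".
    """
    user_side = linked(user_ou, "user")          # follows the user object's OU path
    from_computer = linked(computer_ou, "user")  # user sections the computer "sees"
    if loopback == "replace":
        user_side = from_computer
    elif loopback == "merge":
        # Computer-path GPOs are processed last, so they win on conflicts.
        user_side = [g for g in user_side if g not in from_computer] + from_computer
    elif loopback is not None:
        raise ValueError(f"unknown loopback mode: {loopback!r}")
    # The computer side never looks at the user's OU path.
    return {"computer": linked(computer_ou, "computer"), "user": user_side}


if __name__ == "__main__":
    staff, kiosk = ("corp", "Staff"), ("corp", "Kiosks")
    for mode in (None, "merge", "replace"):
        print(mode, resultant(staff, kiosk, mode))
```

Without loopback, the User Configuration in `Kiosk-Lockdown` never reaches a Staff user who logs on at a kiosk, which is the gap to look for when a lockdown GPO is linked only over a computers-only OU.
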
Interesting. Can you give an example of how you are structuring your OU to accommodate this?

(davidyork, 2012-12-20 15:57 UTC; 0 upvotes)

Me? OUs within OUs for now, as a quick fix. For example, I have an OU AdministrativeTeam with about 40 people in it, split over 9 floors, so I’m going to create 9 OUs inside AdministrativeTeam, one for each floor.

It’s not a perfect fix though, as it will require a lot of relinking, so what I want to go for in the end is switching user OUs completely over to floor divisions and setting staff-position-based GPOs via security groups (it’ll just take a while until I create them all and add everyone to the correct group, so I’m applying the quick fix first).

Not sure if there’s a better solution for that kind of thing.

(milosz, 2012-12-20 16:20 UTC; 0 upvotes)

Don’t forget that there are plenty of other filtering methods to make sure only certain people or devices get a GPO applied. I also separate the management of my Computers and Users, but if I need to set a policy on a group like my Student Laptop Users, I can filter by security group to apply to Students and filter by WMI to “Has a Battery”. Making a single policy located at the top applying only to the Students using laptops, but not applying when they are using desktops.

(michaelpalmer9489, 2012-12-20 16:36 UTC; 0 upvotes)

Errtus, are you putting computers and users in each of those floor division OUs?

I’ve been spending a lot of time evaluating our AD and GPO structure and how I can better (re)organize it to fit our needs, which is why I have spent a significant amount of time in this forum lately. Ours is split by User OU and Computer OU. Under each of those is an OU indicating physical location (by state). It was this way when I got here.

After reading discussions like this, I’m thinking a more simplified structure would be to set up an OU for each location (4) and put all computers and their users in their respective location. Then, as needed, I can further segregate from there by department, etc. Right now, I think I prefer to minimize the OU structure and use security groups to micro-organize as needed.

(davidyork, 2012-12-20 16:40 UTC; 0 upvotes)

I have attached some tools I have used since Windows Server 2000. The original site is no longer up, but I have kept these for quite a while. I learned about them from Classlink. They used them when setting up a terminal server farm years ago.

The tool you would want is igrant. I use it to grant myself access to user home directories that are owned by the user.

You can change the owner, add or remove permissions, etc.

There is a doc in the zip with the syntax of all the tools:

igrant, irevoke, setowner, sharegrant, sharelistacl, sharerevoke, and swapacl