The world's stupidest Geek Pop Quiz.
Mar. 15th, 2011 05:12 pm
Server 2008.
Group Policies.
I want to apply a policy to all machines that are NOT domain controllers.
I do not want to manually create a group of "all non-domain controllers", because then I have to update that group when I create a new machine.
How do I link a GPO such that either there is a list of machines that it DOES NOT apply to, or block inheritance of a specific GPO to a specific group ("Domain Controllers"), or create a self-updating group of "all machines that are not members of the Domain Controller group"?
This HAS to be easy.
EDIT: Wow, that took about ten seconds, proving that ASKING a dumb question is the easiest way to find an answer.
Select DC group, "block inheritance", manually link any GPOs that should be applied to the DCs specifically inside the DC group, which is probably a better idea ANYWAY. Yes, I will now have to manually link any new truly domain-wide GPOs to both workstations AND the DCs separately, but I do not consider that a large problem.
Is there a way to automatically link a GPO to all-non-DC computers? That would be a better solution *still*, allowing me to have DC-specific policies, workstation-specific policies, and domain-wide policies all sorted independently with no policy linked from two different places.
(no subject)
Date: 2011-03-15 11:46 pm (UTC)
I figured out a while back this is because far too many people can't see the totally obvious.
and of course once you get it, you feel totally dumb for not seeing it immediately
[then things go wrong when people refuse to see the obvious precisely because they don't want to feel dumb]
(no subject)
Date: 2011-03-16 07:34 am (UTC)
Domain Controllers have their own OU (a builtin one). Computers should have their own OU. In fact - go OU crazy.
e.g. a basic, but fairly standard OU distribution would be;
All Company Accounts
All Company Accounts\All Company Computer Accounts
All Company Accounts\All Company Computer Accounts\Vancouver
All Company Accounts\All Company Computer Accounts\Vancouver\Servers
All Company Accounts\All Company Computer Accounts\Vancouver\Terminal Servers
All Company Accounts\All Company Computer Accounts\Vancouver\Desktops
All Company Accounts\All Company Computer Accounts\Vancouver\Laptops
All Company Accounts\All Company Computer Accounts\Ontario
All Company Accounts\All Company Computer Accounts\Ontario\Servers
All Company Accounts\All Company Computer Accounts\Ontario\Terminal Servers
All Company Accounts\All Company Computer Accounts\Ontario\Desktops
All Company Accounts\All Company Computer Accounts\Ontario\Laptops
etc.
Create and apply a group policy on the OU container that contains the objects you want them to apply to. If you have policies that should apply to all machines, apply it further up the tree. If you have policies that only need to apply to laptop users in Ontario (or better still, sub-OUs like Sales People in Ontario on Laptops), then only apply it at that OU container level.
This is fairly basic stuff when it comes to AD and Group Policy - I *highly* suggest reading the course work for Active Directory Design, Implementation and Maintenance (I did the 2003 material AGES ago) - it goes through a lot of basic stuff like this, and gets your head around best practice.
another topic that seems pretty relevant;
http://technet.microsoft.com/en-us/library/bb727085.aspx#EFAA - Best Practice Active Directory Design for Managing Windows Networks (Creating an Organizational Unit Design)
In terms of "what can I break if I just go playing around and sorting everything into logical OUs right now", you have;
* Existing Group Policy.
* LDAP aware applications that log in and search for specific OUs.
And that's pretty much it.
(no subject)
Date: 2011-03-16 03:26 pm (UTC)
They do, and they do - but I can't see the "Computers" builtin OU in the Group Policy Management console, for some reason. That was my very first thought.
Thing is, this is a network with eight machines, total. Well, ten if you count the IDS and HIDS systems, which aren't Windows and aren't on the domain per se.
There will *never* be a laptop (or other portable machine) on this network. There will *never* be a machine with a non-standard policy set on this network. There *must* never be a machine that does not have all the correct desktop policies applied to it. It's a requirement for PCI compliance.
I am *not* necessarily the person who will be creating the machines, and adding "add this machine to the desktop machines OU" to the machine setup checklist is not something I can GUARANTEE will be done every time.[1]
The machine will definitely be on the domain (or it won't have any network access at all), and everything else *except* OU membership is done automatically - the AV controller will detect the machine and forcibly push the AV client to it. The local administrator accounts are renamed and passwords reset by group policy. Printers are deployed by policy. The required application paths are pushed by group policy. The network folders are set on user login. The HIDS detects new machines, deploys the agent, and starts monitoring automagically.
So I either need a way to
A) apply policies directly to the Computers OU from the Management Console, which I don't see, although I could just be blind.
B) create a rule such that all new Computers are added to a specific OU without intervention
C) Use domain-wide GPs to hit the desktops, and don't apply them to the DCs. Which is what I've done, by blocking policy inheritance to the DC OU. Which, yes, is sub-ideal, but which WORKS.
[1]: Do NOT get me started on exactly how bad this statement is. Believe me, I know.
(no subject)
Date: 2011-03-16 10:08 pm (UTC)
The feature you want for redirecting new machines to a specific OU is here - http://support.microsoft.com/kb/324949/en-us
C:\windows\system32>redircmp OU=mycomputers,DC=contoso,DC=com
The only reason I'm against blocking inheritance is basically for future use. Generally stuff like this when you start troubleshooting is long forgotten and will only see to drive you (or some other poor bastard) to absolute madness trying to work it out.
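A worked version of the OU-plus-redircmp approach from the two comments above (the OU layout in the earlier comment and the redircmp redirection in this one), as an added example that is not part of the original post or comments. It assumes an elevated PowerShell session with the RSAT ActiveDirectory and GroupPolicy modules, Domain Admin rights, and three placeholder names: an OU called "Desktops", a GPO called "Desktop Baseline" and a workstation called "ws01". The domain name is read from Get-ADDomain rather than hard-coded. It also includes the audit the commenter above is asking for, so a blocked-inheritance flag does not get forgotten.

```powershell
# Added example, not from the original post. Placeholders: OU "Desktops",
# GPO "Desktop Baseline", workstation "ws01". Requires RSAT and Domain Admin.
#Requires -Modules ActiveDirectory, GroupPolicy
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domain    = Get-ADDomain
$domainDn  = $domain.DistinguishedName
$desktopOu = "OU=Desktops,$domainDn"
$dcOu      = $domain.DomainControllersContainer   # the built-in Domain Controllers OU
$gpoName   = "Desktop Baseline"

# 1. Create the OU that will hold every non-DC machine (idempotent; -Filter is
#    used rather than -Identity so a missing OU returns nothing instead of erroring).
$existingOu = Get-ADOrganizationalUnit -Filter "Name -eq 'Desktops'" -SearchBase $domainDn -SearchScope OneLevel
if (-not $existingOu) {
    New-ADOrganizationalUnit -Name "Desktops" -Path $domainDn -ProtectedFromAccidentalDeletion $true
}

# 2. Redirect new computer accounts from CN=Computers into that OU, so a machine
#    joined by anyone lands under the desktop policies with no checklist step.
#    redircmp.exe ships with AD DS and needs domain functional level >= 2003.
& redircmp.exe $desktopOu

# 3. Verify the redirection by reading the domain's wellKnownObjects attribute.
#    AA312825768811D1ADED00C04FD8D5CD is the well-known GUID of the Computers container.
$wko = (Get-ADObject -Identity $domainDn -Properties wellKnownObjects).wellKnownObjects
$computersTarget = ($wko | Where-Object { $_ -like "B:32:AA312825768811D1ADED00C04FD8D5CD:*" }) -replace '^B:32:[0-9A-Fa-f]{32}:', ''
"New computer accounts will be created in: $computersTarget"

# 4. Create the GPO and link it at the desktop OU only. Linking here instead of at
#    the domain root means the DC OU never sees it, so no inheritance block is needed.
#    Enforced = Yes means no child OU can block it: the "applied NO MATTER WHAT" guarantee.
$gpo = Get-GPO -All | Where-Object { $_.DisplayName -eq $gpoName }
if (-not $gpo) {
    $gpo = New-GPO -Name $gpoName -Comment "Applies to every non-DC machine"
}
$alreadyLinked = (Get-GPInheritance -Target $desktopOu).GpoLinks | Where-Object { $_.DisplayName -eq $gpoName }
if (-not $alreadyLinked) {
    New-GPLink -Name $gpoName -Target $desktopOu -LinkEnabled Yes -Enforced Yes | Out-Null
}

# 5. Show what the Domain Controllers OU actually receives. InheritedGpoLinks is the
#    precedence-ordered list GPMC shows on the "Group Policy Inheritance" tab.
$dcInh = Get-GPInheritance -Target $dcOu
"DC OU inheritance blocked: $($dcInh.GpoInheritanceBlocked)"
"GPOs in effect on the DC OU:"
$dcInh.InheritedGpoLinks | Select-Object DisplayName, Order, Enforced, Enabled | Format-Table -AutoSize

# 6. The audit the commenter above wants: every OU that blocks inheritance, with
#    the GPOs linked directly to it, so the setting is never "long forgotten".
"OUs with Block Inheritance set:"
Get-ADOrganizationalUnit -Filter * |
    ForEach-Object { Get-GPInheritance -Target $_.DistinguishedName } |
    Where-Object { $_.GpoInheritanceBlocked } |
    Select-Object Path, @{ n = 'DirectLinks'; e = { ($_.GpoLinks | ForEach-Object { $_.DisplayName }) -join ', ' } } |
    Format-Table -AutoSize

# 7. Resultant Set of Policy for one workstation (placeholder name), the same check
#    the GPMC "Group Policy Results" wizard performs; the target must be reachable.
Get-GPResultantSetOfPolicy -Computer "ws01" -ReportType Html -Path "$env:TEMP\ws01-rsop.html"
```

Step 4 is the point of the OU approach: the desktop GPO is linked below the domain root, so the DC OU is excluded by placement rather than by a block, and Enforced protects the link from any future child OU. Step 6 is worth scheduling or adding to a build checklist on any domain where someone has used Block Inheritance, because GPMC's flashing icon is only visible to whoever happens to be looking at that OU.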
(no subject)
Date: 2011-03-17 02:34 am (UTC)
While I totally understand not wanting to block inheritance, we're talking about a small domain that is always going to be a small domain, where the GP console changes the icon in a MASSIVE FLASHING WAY when inheritance is blocked, and where the "check results of policy as applied to X machine" tells you which policies are applied and how.
So I'm not TOO worried about that in the future.
But I really wanted to guarantee that all desktop policies would be applied in full to all desktop machines NO MATTER WHAT, while letting me exempt the DC from "U CAN NOT HAZ USB" without creating a pro-USB DC-only policy and relying on it to win the conflict.