I am interested in the comment that OU's are a better way to manage Policies than using group based filtering. Is this for performance reasons, management reasons or safety reasons?
I could see a very small improvement in performance, using OU's is a little easier to see what is going on and it is a little safer since if you make a mistake it only messes up the servers in that OU. In this case the main argument for using a separate OU would seem safety but I wonder if I have missed something? I personally would probably use group filtering, especially since it is only for testing. We tend to use OU's to delegate management of the workstations. We have a single domain managed centrally, but delegate day to day management to staff in the region. If you are in Eastern region, you go in the Eastern OU's and the Eastern staff manage you. I find managing policies by OU much more of a headache than using Group Filtering. If you have one policy, you only need two OU's. However, if you have 5 policies, you need (potentially) 32 groups to cover every permutation. 5 groups can be used to manage 5 policies and if you use a name to make clear it is only for Policy management, it is all pretty easy to follow. Alan Cuthbertson Policy Management Software:- http://www.sysprosoft.com/pol_summary.shtml ADM Template Editor:- http://www.sysprosoft.com/adm_summary.shtml ----- Original Message ----- From: "joe" <[EMAIL PROTECTED]> To: <[EMAIL PROTECTED]> Sent: Sunday, April 04, 2004 3:50 AM Subject: RE: [ActiveDir] Testing other GPO's to DC's Yes, this would be my preference as well. Avoid group based filtering. ------------- http://www.joeware.net (download joeware) http://www.cafeshops.com/joewarenet (wear joeware) -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, Guido Sent: Wednesday, March 31, 2004 10:12 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Testing other GPO's to DC's or create a sub-ou underneath the domain controllers OU which you link the GPO to. then put those DCs into the sub-OU. not only good for testing purposes... /Guido -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia Sent: Mittwoch, 31. M�rz 2004 19:36 To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Testing other GPO's to DC's Yes, that's exactly it. Grant those specific DCs the Read and Apply Group Policy rights on the GPO. -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Devan Pala Sent: Wednesday, March 31, 2004 12:08 PM To: [EMAIL PROTECTED] Subject: [ActiveDir] Testing other GPO's to DC's Hi, I'm sure this has been covered in previous posts but how can I create a GPO object and link it to the Domain Controllers OU but only apply it to a couple of domain controllers for testing purposes? Is it removing the authenticated users group and adding the specific domain controllers to the ACL's? Thanks, _________________________________________________________________ Check out MSN PC Safety & Security to help ensure your PC is protected and safe. http://specials.msn.com/msn/security.asp List info : http://www.activedir.org/mail_list.htm List FAQ : http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ : http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ : http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ : http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ : http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
