You can block the Policy/Policies at that OU.
 
I usually pre-create my computer accounts in the proper OU before joining
them to the domain. That way, I don't have to clean up any "default"
OU/container after the fact.
 
 
Sincerely,

Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about
Yesterday?  -anon

________________________________

From: [EMAIL PROTECTED] on behalf of Frank Abagnale
Sent: Wed 10/5/2005 2:37 AM
To: [email protected]
Subject: Re: [ActiveDir] AD Question for your peers-GPO


But my default is an OU, I used the redircmp utility to redirect the default
location to an OU, not a container.

Mark Parris <[EMAIL PROTECTED]> wrote: 

        This my default is a container not an OU, so the GPO does not apply.
        
        Mark
        -----Original Message-----
        From: Frank Abagnale 
        Date: Wed, 5 Oct 2005 00:46:53 
        To:[email protected]
        Subject: RE: [ActiveDir] AD Question for your peers-GPO
        
        I have exactly that, a Servers OU and a Clients OU which I put my
        Workstations/Servers into.
        
        But the default OU I am talking about is where all the computers go
        to when they are first added to the domain. They are then manually
        moved to the respective OU once a week.
        
        thanks anyway 
        
        [EMAIL PROTECTED] wrote:
        
        Easiest way: put the servers in one OU and the non-servers in
        another OU. Then create one policy for each OU.
        
        There are other ways, like adding the servers to a security group and
        filtering your policy by group membership. The separate OU formula is
        easier - IMO.
        
        
        Sincerely,
        
        Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
        Microsoft MVP - Directory Services
        www.readymaids.com - we know IT
        www.akomolafe.com
        Do you now realize that Today is the Tomorrow you were worried about
        Yesterday? -anon
        
        ________________________________
        
        From: [EMAIL PROTECTED] on behalf of Frank Abagnale
        Sent: Tue 10/4/2005 6:54 AM
        To: [email protected]
        Subject: RE: [ActiveDir] AD Question for your peers-GPO
        
        
        What would I do in this situation
        
        One OU which all Computers join when they are added to the domain
        
        I have two Global Groups 1=WSAdmins and 2=SVRAdmins. These two groups
        do not contain the same users.
        
        Now, I want to ensure that when I set a Restricted Policy, only the
        WSAdmins are listed in the Local Admins group on the Workstations and
        SVRAdmins is only a member of the local Administrators group on the
        Servers in the default OU
        
        Is this possible? From how I see it, if a restricted group is set on
        an OU, then any computer which is a member of this OU receives this
        setting.
        
        Sorry, this has always confused me, which is why I went for the
        scripted option on startup.
        
        thanks
        
        Frank
        
        [EMAIL PROTECTED] wrote:
        
        Correct.
        
        
        Sincerely,
        
        Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
        Microsoft MVP - Directory Services
        www.readymaids.com - we know IT
        www.akomolafe.com
        Do you now realize that Today is the Tomorrow you were worried about
        Yesterday? -anon
        
        ________________________________
        
        From: [EMAIL PROTECTED] on behalf of Frank Abagnale
        Sent: Tue 10/4/2005 12:29 AM
        To: [email protected]
        Subject: RE: [ActiveDir] AD Question for your peers-GPO
        
        
        Deji,
        
        I may sound real stupid asking this, but if I add Administrators to
        the Member Of attribute, how can I make sure this is only "local
        Administrators", e.g. Local Workstations or Local member servers, and
        not the builtin Administrators group (the one with Domain Admin
        permissions)
        
        Is this because the restricted groups GPO is only applied to the
        ClientsOU and not at DDP level?
        
        thanks
        
        frank
        
        
        
        
        
        [EMAIL PROTECTED] wrote:
        
        Brian,
        
        the "wipe and load" behavior is a thing of the past with the
        introduction of the new "MemberOf" attribute. Here's a short reply I
        posted on another list a while back.
        
        Another option is to use the "MemberOf" option in a "Restricted
        Groups" GPO. Say the group is called GrpA and you want it to be a
        member of the administrators group in every client in ClientsOU. You
        will create and apply a group policy to ClientsOU. In that policy,
        you will create a restricted group object, by adding GrpA. Then in
        the properties, you will choose the "this group is a member of:" and
        type in "administrators".
        
        By doing the above, the existing members of the "administrators"
        group are not removed. The process will simply append GrpA to the
        membership list on "administrators".
        
        HTH
        
        
        Sincerely,
        
        Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
        Microsoft MVP - Directory Services
        www.readymaids.com - we know IT
        www.akomolafe.com
        Do you now realize that Today is the Tomorrow you were worried about
        Yesterday? -anon
        
        ________________________________
        
        From: [EMAIL PROTECTED] on behalf of Brian Desmond
        Sent: Mon 10/3/2005 4:14 PM
        To: [email protected]
        Cc: '# Jose Medeiros-IBM (E-mail)'
        Subject: RE: [ActiveDir] AD Question for your peers-GPO
        
        
        
        Yes. You want to use the Restricted Groups function in the computer
        config area. Be aware it is a replacement not a merge, so, things
        already in there will get blasted
        
        
        Thanks,
        Brian Desmond
        [EMAIL PROTECTED]
        
        c - 312.731.3132
        
        
        
        -----Original Message-----
        From: [EMAIL PROTECTED]
        [mailto:[EMAIL PROTECTED] On Behalf Of Medeiros,
        Jose
        Sent: Monday, October 03, 2005 4:12 PM
        To: [email protected]
        Cc: # Jose Medeiros-IBM (E-mail)
        Subject: [ActiveDir] AD Question for your peers-GPO
        
        
        We have three child domains off our root domain and basically we want
        to add a global or universal group ( We are in Native mode on AD 2003)
        to the local admin group on member servers & workstations in a child
        domain, every time a new computer account is added to AD. Is this
        possible using a GPO?
        ( Please read the message below )
        
        Jose :-)
        
        > -----Original Message-----
        > From: Ebias, Danilo 
        > Sent: Monday, October 03, 2005 11:57 AM
        > To: Medeiros, Jose
        > Subject: AD Question for your peers
        >
        > Jose,
        > Could you check with your peers about how we could define a group
        > policy that would add a universal group or global group
        > automatically into the local admin group of computers into a
        > specific OU? I remember reading that this is possible, but I can't
        > find any documentation about it.
        >
        >
        > Thanks,
        > dan
        >
        > Danilo Ebias, Jr.
        > ADP | National Account Services
        > ProBusiness Division | Information Services
        > 925.737.7035
        >
        
        List info : http://www.activedir.org/List.aspx
        List FAQ : http://www.activedir.org/ListFAQ.aspx
        List archive:
        http://www.mail-archive.com/activedir%40mail.activedir.org/
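
The thread contrasts two Restricted Groups modes: the "Members" list, which replaces local group membership, and "This group is a member of", which appends. The following is an added example, not code from any poster: it parses the `[Group Membership]` section of a GPO's `GptTmpl.inf` and models the resulting local Administrators membership. The `EXAMPLE` domain, the sample fragments and the starting membership are constructed, and the model is simplified (it reads a string, whereas the real file is stored as UTF-16).

```python
# Added example (not from the thread): model "Members" vs "Memberof" entries.
ADMINS = "*S-1-5-32-544"  # well-known SID of BUILTIN\Administrators

# Constructed GptTmpl.inf fragments; EXAMPLE is a placeholder domain.
REPLACE_GPO = r"""
[Group Membership]
*S-1-5-32-544__Memberof =
*S-1-5-32-544__Members = Administrator,EXAMPLE\SVRAdmins
"""
APPEND_GPO = r"""
[Group Membership]
EXAMPLE\WSAdmins__Memberof = *S-1-5-32-544
"""

def parse_group_membership(inf_text):
    """Return [(group, kind, [values])] from the [Group Membership] section."""
    entries, in_section = [], False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[group membership]"
            continue
        if not in_section or "=" not in line:
            continue
        key, _, value = line.partition("=")
        group, sep, kind = key.strip().rpartition("__")
        if not sep or kind.lower() not in ("members", "memberof"):
            continue
        values = [v.strip() for v in value.split(",") if v.strip()]
        entries.append((group, kind.lower(), values))
    return entries

def resulting_members(current, entries, local_group=ADMINS):
    """Simplified model of local_group's membership after policy applies."""
    result = list(current)
    for group, kind, values in entries:      # "Members": authoritative list
        if kind == "members" and group == local_group:
            result = list(values)            # anything not listed is removed
    for group, kind, values in entries:      # "Memberof": additive
        if kind == "memberof" and local_group in values and group not in result:
            result.append(group)             # existing members are kept
    return result

if __name__ == "__main__":
    before = ["Administrator", r"EXAMPLE\Domain Admins", r"EXAMPLE\HelpDesk"]
    for name, gpo in (("replace", REPLACE_GPO), ("append", APPEND_GPO)):
        print(name, resulting_members(before, parse_group_membership(gpo)))
```

Running an audit like this over each GPO linked to an OU shows, before the policy is applied, which ones would strip existing local administrators and which only add a group.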
        