Obviously it won’t work if it’s the DDP, but I question the choice. Make it a
standalone policy so it’s easily identified and removed if required. Even if
machines are in dozens of OUs, an update to each one takes a few minutes total.
That’s one thing I’ve always hated about the way AD works. Whatever the default
container is can’t get anything besides the default policy. And even if you
change where the default gets created, it just changes that to a container
instead of an OU so you’re still in the same boat.
If you’re running 2012 servers I’d recommend you go to at least 8.1 for your
workstation, so you can run the RSAT tools. Even if it means you have to
virtualize one just for a management workstation.
--
There are 10 kinds of people in the world...
those who understand binary and those who don't.
From: [email protected] [mailto:[email protected]] On
Behalf Of Michael Leone
Sent: Wednesday, June 28, 2017 11:26 AM
To: [email protected]
Subject: Re: [NTSysADM] Using GPP to fight Petya
On Wed, Jun 28, 2017 at 10:59 AM, Melvin Backus
<[email protected]<mailto:[email protected]>> wrote:
From GPMC select the OU, right click, Group Polcy Update.
I don't see this option in my GPMC (Win 7 Pro). I see it on GPMC from a Win2012
R2 server ...
Part of the problem is, I set those changes to the Default Domain Policy, which
isn't in an OU. And there's no such option at the domain level.
Still, I can push it to the servers, which are all in 1 OU. Since I do my GPOs
from my Win 7 machine, I didn't know this option existed. Thanks!
It isn’t immediate on all systems but it will happen within the next 10-15
minutes as it staggers them to avoid swamping the server.
