|
NinjaPablo posted:How 'granular' (not the word I'm looking for) should GPOs be? I've left our Group Policy alone since the guy who managed it left, and it seems to work. Looking at it now though, there's 49 GPOs listed, and this is for a network of 300 users. That seems like a bit of overkill. It may be overkill. Best practice in our organization has always been: Apply the fewest number of policies at the highest levels for maximum effect. Your OU structure should support this of course and if your OU structure is bad then you may very well need 50 policies to make everything work like you want quote:Whoa, seriously? Am I dreaming? Syano fucked around with this message at 14:45 on Sep 12, 2008 |
# ¿ Sep 12, 2008 14:42 |
|
|
# ¿ Apr 26, 2024 15:04 |
|
bob arctor posted:The printers are networked, but the users who use TS are not members of the same domain as the TS on their home networks. The printers of issue have drivers locally installed on the terminal services box it's beginning to look like that might be the issue. If the printers actually have their queues on a printer server somewheres else other than the terminal server, your users should only see printers to which they have attached themselves. Shared printers on other machines are actually part of a user's profile so they are specific to that user. If you set up the printers as direct IP printers as the administrator though, its as if the printer is a locally installed device and every user who hits that terminal server is going to see those printers and there is nothing you can do about it.
|
# ¿ Jun 12, 2010 14:09 |
|
Make sure active directory sites and services has the appropriate subnet objects in place and that they are assigned correctly to their corresponding sites.
|
# ¿ Aug 5, 2010 17:03 |
|
I am attempting to streamline my printer deployment by using group policy preferences. So I build a new policy and add 3 new shared printers under user configuration. When adding the printers I actually picked from the list it showed of those deployed in active directory. Problem is though that when logging on as one of the users covered by this policy, 2 out of the three are not there. Event log shows a warning that the printers were not found. What gives?
|
# ¿ Sep 1, 2010 20:25 |
|
The list was in the form of \\printserver\printer. Interestingly enough I changed it to \\printserver FQDN\printer and the error seems to have vanished for the moment. Its strange because I have always had a pretty rock solid DNS infrastructure.
|
# ¿ Sep 1, 2010 21:12 |
|
Syano posted:The list was in the form of \\printserver\printer. .... and now curiously the error has returned. This is weird.
|
# ¿ Sep 1, 2010 22:42 |
|
What is the file server version? I may be way off base but while researching my problem I posted just a few posts above I have come across a ton of articles recently about logon scripts/mapped drives/mapped printers acting wonky with Server 2008 and older versions of windows acting as the file server/print server. Has to do with the SMB streams.
|
# ¿ Sep 5, 2010 13:27 |
|
Bob Morales posted:We have a bunch of admins in a Windows 2003 environment, a bunch of DC's at different sites. Audit directory service access
|
# ¿ Sep 16, 2010 02:32 |
|
Bob Morales posted:
I know this is the group policy thread... but couldnt you just open a computer management console and connect remotely to his machine while it is on your network and then modify the group membership that way? Thats the way I do it when I find someone that has admin privileges I want to remove
|
# ¿ Nov 18, 2010 15:18 |
|
Just out of curiosity's sake... why would they not want their folders redirected when signing into the terminal servers? Ive actually found that to be one of the most useful scenarios for folder redirection
|
# ¿ Nov 18, 2010 19:44 |
|
I am trying to set up a script to install some software that I just quite cant get to work in msi. My mind is telling me I need to set this as a startup script so it will install in the context of the system account rather than the user account context so I can avoid UAC prompts. Is my memory serving me correctly or am I totally bonked out on this?
|
# ¿ Jan 17, 2011 19:27 |
|
60 total GPOs? Nope not a problem at all. Id say there may be a problem if each OU had 60 to process each. But there isnt a problem, past management really, of having lots of GPOs. That being said it would make it a heck of a lot easier if you consolidated your GPOs if you wanted to script a bit. Its not hard at all to script printer deployment based on group membership/OU location or something simlar. Hit google up if you want to give it a try.
|
# ¿ Mar 14, 2011 02:26 |
|
All depends on your definition of easy I guess. As far as ADs ability to handle lots of GPOs... youre in the clear. Go hog wild if that is the method you like best.
|
# ¿ Mar 14, 2011 15:03 |
|
In the early days of active directory Microsoft had a best practice of limiting the number of GPOs if at all possible. The reason being is that back in 99/2000/2001 and so on, physical network limitations like WAN bandwidth, cpu speed, RAM and similar could noticeably be affected when a machine had to process through 40 different GPOs on boot up and log in. However in 2012, all those physical limitations have typically so far outrun what GPOs need then really today it makes most sense to be extremely granular with your GPOs, even if it means you end up with hundreds of them.
|
# ¿ Mar 14, 2012 16:06 |
|
You're probably just going to have to just play with it until it works for you then. There never really has been a guideline saying 'x amount of GPOs is too much for y bandwidth' and thats really just due to the insane amount of variables in play.
|
# ¿ Mar 14, 2012 22:44 |
|
|
# ¿ Apr 26, 2024 15:04 |
|
Cpt.Wacky posted:I'm just getting started with group policy. Could you or anyone else go into more detail about naming and organizing the policies? Do you have separate policies for everything like deploying printers, redirecting folders, mapping drives, remote desktop/admin, firewall exceptions, etc? I'll tell you what I do and you can see if that helps you any: I make a separate policy for every 'thing' I want to do where each 'thing' may have several actual actions associated with it. For instance, I have a policy called 'billing department folder redirection'. This policy of course has several settings within it that redirect their folders to a fileserver. I try not to get more granular than that because I don't want to have to search through a thousand policies to find what I am looking for. I want to stay that granular though so if I need to disable this policy for troubleshooting or what not I can easily do so without affecting any other settings. Feel free to be as descriptive with your policy names as you can. It can only help.
|
# ¿ Mar 15, 2012 18:04 |