  • Locked thread
Syano
Jul 13, 2005


NinjaPablo posted:

How 'granular' (not the word I'm looking for) should GPOs be? I've left our Group Policy alone since the guy who managed it left, and it seems to work. Looking at it now though, there's 49 GPOs listed, and this is for a network of 300 users. That seems like a bit of overkill.

For example, he's got a separate GPO for each department printer, 3 separate proxy policies based on management level, a separate policy for each network software installer, My Docs and Application Data redirects split into 2 policies, etc.

It may be overkill. Best practice in our organization has always been: Apply the fewest number of policies at the highest levels for maximum effect. Your OU structure should support this of course and if your OU structure is bad then you may very well need 50 policies to make everything work like you want

quote:

Whoa, seriously? Am I dreaming?

I wish we had a test environment... I hate testing in production, but this sounds worth checking out. This may be a silly question, but... how do you build a policy on a Vista machine then apply it on a 2003 domain?
We bought an el cheapo server 2008 standard machine from our preferred vendor for this exact purpose. For a couple grand we are now able to leverage all the new fun group policy tools

Syano fucked around with this message at 13:45 on Sep 12, 2008


Syano
Jul 13, 2005


bob arctor posted:

The printers are networked, but the users who use TS are not members of the same domain as the TS on their home networks. The printers at issue have drivers locally installed on the terminal services box; it's beginning to look like that might be the issue.

If the printers actually have their queues on a print server somewhere other than the terminal server, your users should only see printers to which they have attached themselves. Shared printers on other machines are actually part of a user's profile, so they are specific to that user. If you set up the printers as direct IP printers as the administrator, though, it's as if the printer is a locally installed device, and every user who hits that terminal server is going to see those printers and there is nothing you can do about it.

Syano
Jul 13, 2005


Make sure active directory sites and services has the appropriate subnet objects in place and that they are assigned correctly to their corresponding sites.
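A quick way to verify the two things that post asks for, written here as an added example rather than anything from the thread: list every subnet object, warn about subnets with no site, and resolve a client address to the subnet and site the DC locator would pick. It assumes the ActiveDirectory RSAT module (Get-ADReplicationSubnet) is available and that the sample client address is a constructed placeholder.

```powershell
# Added example (not from the thread): audit AD Sites and Services subnet coverage.
# Assumes the ActiveDirectory module; 10.20.30.40 below is a constructed sample address.
Import-Module ActiveDirectory

function Test-IPInCidr {
    param([string]$IPAddress, [string]$Cidr)
    $net, $bits = $Cidr -split '/'
    $ip  = [System.Net.IPAddress]::Parse($IPAddress)
    $nIp = [System.Net.IPAddress]::Parse($net)
    if ($ip.AddressFamily -ne $nIp.AddressFamily) { return $false }
    $ipBytes  = $ip.GetAddressBytes()
    $netBytes = $nIp.GetAddressBytes()
    $prefix   = [int]$bits
    for ($i = 0; $i -lt $ipBytes.Length; $i++) {
        $remaining = $prefix - ($i * 8)
        if ($remaining -le 0) { break }
        # Build the mask for this octet: full octet, or only the leading $remaining bits
        $mask = if ($remaining -ge 8) { 0xFF } else { (0xFF -shl (8 - $remaining)) -band 0xFF }
        if (($ipBytes[$i] -band $mask) -ne ($netBytes[$i] -band $mask)) { return $false }
    }
    return $true
}

# Subnet objects are named by their CIDR prefix; Site holds the DN of the assigned site
$subnets = Get-ADReplicationSubnet -Filter * -Properties Site

# A subnet with no site is as good as no subnet: clients in it get no site-aware DC selection
$subnets | Where-Object { -not $_.Site } |
    ForEach-Object { Write-Warning "Subnet $($_.Name) is not assigned to any site" }

function Get-SiteForIP {
    param([string]$IPAddress)
    # Longest-prefix match, which is how overlapping subnets are resolved
    $match = $subnets |
        Where-Object { Test-IPInCidr -IPAddress $IPAddress -Cidr $_.Name } |
        Sort-Object { [int]($_.Name -split '/')[1] } -Descending |
        Select-Object -First 1
    if (-not $match) { return "no subnet object covers $IPAddress" }
    $siteName = ($match.Site -split ',')[0] -replace '^CN=', ''
    return "$IPAddress -> subnet $($match.Name) -> site $siteName"
}

Get-SiteForIP -IPAddress '10.20.30.40'
```

Compare the result with what the client itself reports from `nltest /dsgetsite`; if the two disagree, or the script reports that no subnet covers the address, the client is authenticating against whatever DC it happens to find, which is the usual cause of slow logons and policy applied from the wrong site.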

Syano
Jul 13, 2005


I am attempting to streamline my printer deployment by using group policy preferences. So I build a new policy and add 3 new shared printers under user configuration. When adding the printers I actually picked from the list it showed of those deployed in active directory. Problem is though that when logging on as one of the users covered by this policy, 2 out of the three are not there. Event log shows a warning that the printers were not found. What gives?

Syano
Jul 13, 2005


The list was in the form of \\printserver\printer.

Interestingly enough, I changed it to \\printserver FQDN\printer and the error seems to have vanished for the moment.


It's strange, because I have always had a pretty rock solid DNS infrastructure.

Syano
Jul 13, 2005


Syano posted:

The list was in the form of \\printserver\printer.

Interestingly enough, I changed it to \\printserver FQDN\printer and the error seems to have vanished for the moment.


It's strange, because I have always had a pretty rock solid DNS infrastructure.

.... and now curiously the error has returned. This is weird.

Syano
Jul 13, 2005


What is the file server version?

I may be way off base, but while researching the problem I posted just a few posts above I have come across a ton of articles recently about logon scripts/mapped drives/mapped printers acting wonky with Server 2008 and older versions of Windows acting as the file server/print server. It has to do with the SMB streams.

Syano
Jul 13, 2005


Bob Morales posted:

We have a bunch of admins in a Windows 2003 environment, a bunch of DC's at different sites.

Is there a way to see who the last person was that changed a group policy (or hell, moved a computer around to a different OU), and when they did it?

Also, is there some sort of CVS-like versioning system where we could roll back to what the group policy for the New York office was like 2 days ago?

Audit directory service access
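The two questions in that post (who changed what, and how to roll back) map onto directory service change auditing plus scheduled GPO backups. The script below is an added example, not something from the thread; it assumes Server 2008 or later domain controllers (the "Directory Service Changes" subcategory and events 5136/5139), the GroupPolicy module, and that the GPO name and backup folder are placeholders.

```powershell
# Added example (not from the thread): find out who changed a GPO or moved an object,
# and keep GPO backups you can restore. Assumes Server 2008+ DCs and the GroupPolicy module.

# 1. Turn on the audit subcategory on the DCs (in practice set this in the Default Domain
#    Controllers Policy; auditpol shows the equivalent local setting). Events are only
#    generated for objects whose SACL requests them, so confirm the SACL on
#    CN=Policies,CN=System,<domain> and on the OUs you care about.
auditpol /set /subcategory:"Directory Service Changes" /success:enable

# 2. Pull the change events. 5136 = attribute modified, 5139 = object moved (OU changes).
function Get-DirectoryChangeEvents {
    param([string]$ComputerName = $env:COMPUTERNAME, [int]$Days = 2)
    $filter = @{ LogName = 'Security'; Id = @(5136, 5139); StartTime = (Get-Date).AddDays(-$Days) }
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            $x = [xml]$_.ToXml()
            $d = @{}
            foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
            $who = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
            if ($_.Id -eq 5136) {
                [pscustomobject]@{
                    When = $_.TimeCreated; Who = $who; Action = 'Modified'
                    Object = $d.ObjectDN; Class = $d.ObjectClass
                    Detail = "$($d.AttributeLDAPDisplayName) = $($d.AttributeValue) ($($d.OperationType))"
                }
            } else {
                [pscustomobject]@{
                    When = $_.TimeCreated; Who = $who; Action = 'Moved'
                    Object = $d.OldObjectDN; Class = $d.ObjectClass
                    Detail = "-> $($d.NewObjectDN)"
                }
            }
        }
}

# GPO edits show up as changes to groupPolicyContainer objects (the versionNumber attribute
# bumps on every edit); OU moves show up as 5139 with the old and new DN.
Get-DirectoryChangeEvents -Days 2 |
    Where-Object { $_.Class -in 'groupPolicyContainer', 'computer', 'user' } |
    Sort-Object When | Format-Table When, Who, Action, Object, Detail -AutoSize

# 3. Rollback needs a copy to roll back to: run this nightly from a scheduled task.
Import-Module GroupPolicy
$BackupRoot = 'D:\GPOBackups'   # placeholder path
Backup-GPO -All -Path $BackupRoot -Comment "nightly $(Get-Date -Format yyyy-MM-dd)"

# Restore-GPO with -Name picks the most recent backup of that GPO in the folder;
# to go back to a specific day, pass the -BackupId of the backup taken that day instead.
# Restore-GPO -Name 'New York Office' -Path $BackupRoot
```

Each 5136 event names the account that made the change and the DC it was made on, so run the query against every DC (or centralise the Security logs) since an edit only lands in the log of the DC that wrote it. Treat the backup folder as sensitive: GPO backups contain the full policy, including any scripts and preference items.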

Syano
Jul 13, 2005


Bob Morales posted:



Let's say salesperson Joe is a regular user on the domain, but I made him a admin on his laptop. But Joe is doing stupid poo poo like installing random software from the internet, how can I change his account without going to his computer?



I know this is the group policy thread... but couldn't you just open a Computer Management console and connect remotely to his machine while it is on your network, and then modify the group membership that way? That's the way I do it when I find someone that has admin privileges I want to remove.
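The same operation that Computer Management performs, written as an added example rather than code from the thread: it talks to the remote machine over the WinNT ADSI provider, lists the local Administrators group, and removes a named domain account from it. It assumes you run it as an account that is already a local administrator on the target; the computer, domain and user names are constructed placeholders.

```powershell
# Added example (not from the thread): inspect and trim a remote machine's local Administrators
# group without logging on to it. Runs under the caller's credentials over RPC, like Computer
# Management does. Names below are placeholders.
function Get-RemoteLocalAdmins {
    param([Parameter(Mandatory)][string]$ComputerName)
    $group = [ADSI]"WinNT://$ComputerName/Administrators,group"
    # Members come back as COM objects; pull each one's ADsPath (WinNT://DOMAIN/name)
    $group.psbase.Invoke('Members') | ForEach-Object {
        $_.GetType().InvokeMember('AdsPath', 'GetProperty', $null, $_, $null) -replace '^WinNT://', ''
    }
}

function Remove-RemoteLocalAdmin {
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [Parameter(Mandatory)][string]$Domain,
        [Parameter(Mandatory)][string]$User
    )
    $members = Get-RemoteLocalAdmins -ComputerName $ComputerName
    if ($members -notcontains "$Domain/$User") {
        Write-Host "$Domain\$User is not in Administrators on $ComputerName"
        return
    }
    $group = [ADSI]"WinNT://$ComputerName/Administrators,group"
    $group.Remove("WinNT://$Domain/$User")
    Write-Host "Removed $Domain\$User from Administrators on $ComputerName"
}

# Constructed sample: the laptop and account from the question
Get-RemoteLocalAdmins -ComputerName 'JOE-LAPTOP'
Remove-RemoteLocalAdmin -ComputerName 'JOE-LAPTOP' -Domain 'CORP' -User 'joe'
```

The removal takes effect at the user's next logon, since his current token already carries the group SID. To keep the change from being undone (and to catch any other machines where the account was added), enforce the membership with a Restricted Groups policy in the same GPO thread's toolbox rather than relying on one-off cleanups.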

Syano
Jul 13, 2005


Just out of curiosity's sake... why would they not want their folders redirected when signing into the terminal servers? I've actually found that to be one of the most useful scenarios for folder redirection.

Syano
Jul 13, 2005


I am trying to set up a script to install some software that I just can't quite get to work as an MSI. My mind is telling me I need to set this as a startup script so it will install in the context of the system account rather than the user account context, so I can avoid UAC prompts. Is my memory serving me correctly, or am I totally bonked out on this?
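Memory is correct: computer startup scripts run as Local System before any user logs on, so there is no UAC prompt to answer. The following is an added example of such a script, not code from the thread; the installer path, silent switch and product name are placeholders for whatever package is being deployed. It logs which account it runs as so the SYSTEM context can be confirmed, and it is idempotent, since the script runs at every boot.

```powershell
# Added example (not from the thread): GPO computer startup script that installs an .exe
# silently as Local System. Path, switch and product name are placeholders.
$Installer   = '\\fileserver\deploy\SomeApp\setup.exe'   # placeholder UNC path
$SilentArgs  = '/S'                                      # placeholder; use the vendor's silent switch
$ProductName = 'SomeApp'                                 # DisplayName as shown in Add/Remove Programs
$Log         = "$env:SystemRoot\Temp\$ProductName-install.log"

function Write-Log { param([string]$Message) "$(Get-Date -Format s) $Message" | Add-Content $Log }

function Test-Installed {
    param([string]$DisplayName)
    # Check both the native and the 32-bit-on-64-bit uninstall hives
    $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
            'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like "$DisplayName*" } |
        Select-Object -First 1
}

# Expect NT AUTHORITY\SYSTEM here when launched by Group Policy at boot
Write-Log "running as $([Security.Principal.WindowsIdentity]::GetCurrent().Name)"

if (Test-Installed $ProductName) {
    Write-Log "$ProductName already installed, nothing to do"
    return
}

if (-not (Test-Path $Installer)) {
    # SYSTEM authenticates to the share as the computer account, so Domain Computers
    # needs read access to the share and the NTFS folder
    Write-Log "installer not reachable at $Installer"
    return
}

$p = Start-Process -FilePath $Installer -ArgumentList $SilentArgs -Wait -PassThru
Write-Log "installer exit code $($p.ExitCode)"
```

Two things bite people with this approach: the share must be readable by the computer accounts, not just by users, because SYSTEM presents the machine identity on the network; and on machines that boot faster than the network comes up, the script runs before the share is reachable unless "Always wait for the network at computer startup and logon" is enabled in the same policy. Because the script runs with full privileges on every machine linked to the GPO, restrict write access to the share holding the installer and the script to the administrators who maintain it.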

Syano
Jul 13, 2005


60 total GPOs? Nope, not a problem at all. I'd say there may be a problem if each OU had 60 to process each. But there isn't a problem, past management really, of having lots of GPOs. That being said, it would make it a heck of a lot easier if you consolidated your GPOs if you wanted to script a bit. It's not hard at all to script printer deployment based on group membership/OU location or something similar. Hit Google up if you want to give it a try.
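One way to collapse "a separate GPO per department printer" into a single logon script keyed on group membership, added here as an example and not taken from the thread. It reads the groups from the user's logon token (so nested membership counts, and no directory query is needed) and maps each matching printer; the group names and print server paths are constructed placeholders, and the paths use the server's FQDN in line with the earlier posts about short names failing.

```powershell
# Added example (not from the thread): user logon script that maps printers by group
# membership instead of one GPO per printer. Group names and print paths are placeholders.
$PrinterMap = @{
    'CORP\Billing'     = @('\\printserver.corp.example\Billing-HP4250')
    'CORP\Sales'       = @('\\printserver.corp.example\Sales-MFP')
    'CORP\Warehouse'   = @('\\printserver.corp.example\Dock-Label', '\\printserver.corp.example\Dock-Laser')
}

function Get-TokenGroups {
    # Group SIDs from the current token, translated to DOMAIN\name where possible
    $identity = [Security.Principal.WindowsIdentity]::GetCurrent()
    foreach ($sid in $identity.Groups) {
        try { $sid.Translate([Security.Principal.NTAccount]).Value }
        catch { }   # logon SIDs and deleted groups do not translate; skip them
    }
}

function Connect-PrintersForUser {
    param([hashtable]$Map)
    $groups = Get-TokenGroups
    $net    = New-Object -ComObject WScript.Network
    $mapped = @()
    foreach ($group in $Map.Keys) {
        if ($groups -notcontains $group) { continue }
        foreach ($printer in $Map[$group]) {
            try {
                $net.AddWindowsPrinterConnection($printer)
                $mapped += $printer
            } catch {
                # A missing queue or unreachable server should not abort the rest of the logon script
                Write-Warning "could not connect $printer for group ${group}: $($_.Exception.Message)"
            }
        }
    }
    return $mapped
}

Connect-PrintersForUser -Map $PrinterMap
```

The script runs in the user's context, so it can only connect queues the user already has print permission on; access is still governed by the ACL on each shared printer, and the script simply decides which of the permitted queues to show. Putting the whole map in one script means a single GPO, one place to audit who gets which printer, and one line to change when a queue moves.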

Syano
Jul 13, 2005


All depends on your definition of easy, I guess. As far as AD's ability to handle lots of GPOs... you're in the clear. Go hog wild if that is the method you like best.

Syano
Jul 13, 2005


In the early days of Active Directory, Microsoft had a best practice of limiting the number of GPOs if at all possible. The reason being that back in 99/2000/2001 and so on, physical limitations like WAN bandwidth, CPU speed, RAM and similar could noticeably be affected when a machine had to process through 40 different GPOs on boot up and log in. However, in 2012, all those physical limitations have typically so far outrun what GPOs need that today it really makes most sense to be extremely granular with your GPOs, even if it means you end up with hundreds of them.

Syano
Jul 13, 2005


You're probably just going to have to play with it until it works for you, then. There never really has been a guideline saying 'x amount of GPOs is too much for y bandwidth', and that's really just due to the insane amount of variables in play.


Syano
Jul 13, 2005


Cpt.Wacky posted:

I'm just getting started with group policy. Could you or anyone else go into more detail about naming and organizing the policies? Do you have separate policies for everything like deploying printers, redirecting folders, mapping drives, remote desktop/admin, firewall exceptions, etc?

I'll tell you what I do and you can see if that helps you any: I make a separate policy for every 'thing' I want to do, where each 'thing' may have several actual actions associated with it. For instance, I have a policy called 'billing department folder redirection'. This policy of course has several settings within it that redirect their folders to a fileserver. I try not to get more granular than that because I don't want to have to search through a thousand policies to find what I am looking for. I want to stay that granular, though, so if I need to disable this policy for troubleshooting or whatnot I can easily do so without affecting any other settings. Feel free to be as descriptive with your policy names as you can. It can only help.
