Originally Posted by shajahan_ar7
I am using a domain controller (domain level). If I use a domain policy, that will affect all users and computers. But here the permissions and restrictions are only for some of the users. Is there any way to make those users a separate OU and apply a group policy? Answer it immediately.
You do not have to apply the policy to ALL users or ALL computers. The policy applies to members of a group. The policies are divided into two sections: Computer and User. The computer portion of the policy applies at the computer level to all users of the computer. You can add computers as members of a group and apply the policy to that group. When adding computers to a group, you must first select Computers as an object type for group membership, since Computers are not selected by default.
You can also change the User portion of the policy and apply these changes to a group in which user accounts are members. This policy applies only to the User profile and will be in effect no matter what computer that user logs onto.
So, to organize your policies, most of them will be either a computer policy or a user policy. It is best to name them as such. We try to keep our list of policies as organized as possible, since there are about 50 of them.
And yes, you can apply the policy to an OU only by linking it to the OU. We have some computers that are set to auto-logon with a user account that is restricted to that PC only. They are line-of-business computers that operate for a specific purpose. You can also apply different policies to laptops versus desktop computers because the machine accounts are in different OUs and are named as such (i.e. USPC### and USNB###). The key is organization. Also, keep your groups for Group Policies in a separate OU from your security or email distribution groups. Use a naming convention such as placing the letters GPO in all of your groups that apply to Group Policy Objects. Since we are also a multi-domain, multinational corporation, we also use location-specific names.
This is not on the subject of GPOs, but it really helps with the organization part. Our logon script for our users is a single VBScript that reads user account properties and group memberships to "self-customize, map drives and printers" based on that information. Our user accounts have been delegated permission to write the Description field in the computer accounts. When each user logs on, they write their Department Name and email Display Name to the computer description field (unless they are in the IT department). The logon script reads the user's Active Directory account properties for these fields to automatically keep all of the computer descriptions up to date. By sorting by this field, it makes it very easy to quickly get a list from an LDAP query of all computers in a department or to see which user is currently logged on to that computer.
If you are not working with hundreds or thousands of computers, you can keep your information up to date manually. Maintaining an accurate inventory is really important.
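The setup described in the reply above (a GPO linked to an OU and security-filtered to a group of machine accounts, plus a logon script that writes the user's department and display name into the computer's Description) in PowerShell form. This is an added example, not the poster's VBScript or any script from the thread: the domain `corp.example`, the OU paths, the `GPO-COMPUTER-Laptop-Hardening` names and the `USNB*` filter are hypothetical placeholders, and the IT-department skip uses a `department` value of "IT" as an assumption. Part 1 runs on a management host with the RSAT ActiveDirectory and GroupPolicy modules as a domain admin; Part 2 is the per-user logon script and uses plain ADSI so it needs no RSAT on the workstation.

```powershell
# Added example, not the poster's own scripts. All names below are hypothetical.
# ---- Part 1: admin side (RSAT required) ----
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domainDN   = 'DC=corp,DC=example'                      # hypothetical domain
$gpoGroupOU = "OU=GPO Groups,$domainDN"                 # groups used only for GPO filtering
$laptopOU   = "OU=Laptops,OU=Workstations,$domainDN"    # machine accounts named USNB###
$gpoName    = 'GPO-COMPUTER-Laptop-Hardening'           # "GPO-" + COMPUTER/USER naming convention
$applyGroup = 'GPO-COMPUTER-Laptop-Hardening-Apply'

# 1. A dedicated security group, kept apart from ordinary security/distribution groups.
if (-not (Get-ADGroup -Filter "Name -eq '$applyGroup'")) {
    New-ADGroup -Name $applyGroup -GroupScope Global -GroupCategory Security `
        -Path $gpoGroupOU -Description "Security filter for $gpoName"
}

# 2. Populate it with machine accounts selected by the naming convention.
#    A computer only picks up new group memberships in its token after a reboot.
$laptops = Get-ADComputer -Filter 'Name -like "USNB*"' -SearchBase $laptopOU
Add-ADGroupMember -Identity $applyGroup -Members $laptops

# 3. Create the GPO and link it to the OU, not to the domain root.
$gpo = Get-GPO -Name $gpoName -ErrorAction SilentlyContinue
if (-not $gpo) { $gpo = New-GPO -Name $gpoName -Comment 'Computer-side settings, laptops only' }
New-GPLink -Name $gpoName -Target $laptopOU -LinkEnabled Yes -ErrorAction SilentlyContinue

# 4. Security filtering: only members of the Apply group get "Apply Group Policy".
#    Removing Authenticated Users also removes Read; since MS16-072 the computer
#    account must be able to read the GPO, so Domain Computers gets Read back.
Set-GPPermission -Name $gpoName -TargetName 'Authenticated Users' -TargetType Group -PermissionLevel None
Set-GPPermission -Name $gpoName -TargetName 'Domain Computers'    -TargetType Group -PermissionLevel GpoRead
Set-GPPermission -Name $gpoName -TargetName $applyGroup           -TargetType Group -PermissionLevel GpoApply

# 5. Check: the filter group should be the only trustee with GpoApply.
Get-GPPermission -Name $gpoName -All |
    Where-Object Permission -eq 'GpoApply' |
    Select-Object -ExpandProperty Trustee

# Delegation for Part 2, run once by an admin: let ordinary users write only the
# description attribute of computer objects under the workstation OU.
#   dsacls "OU=Workstations,DC=corp,DC=example" /I:S /G "CORP\Domain Users:WP;description;computer"

# ---- Part 2: user logon script (no RSAT; runs in the user's own context) ----
function Update-ComputerDescription {
    # Resolve the logged-on user's AD object by SID and read the two attributes.
    $sid  = [System.Security.Principal.WindowsIdentity]::GetCurrent().User.Value
    $user = [ADSI]"LDAP://<SID=$sid>"
    $dept = [string]$user.department
    $name = [string]$user.displayName
    if ($dept -eq 'IT') { return }   # assumption: IT staff roam, so they do not claim machines

    # Find this machine's computer object and overwrite its description.
    $sam      = "$env:COMPUTERNAME`$"
    $searcher = [ADSISearcher]"(&(objectClass=computer)(sAMAccountName=$sam))"
    $computer = $searcher.FindOne().GetDirectoryEntry()
    $computer.Put('description', "$dept - $name")
    $computer.SetInfo()              # access denied here means the dsacls delegation is missing
}
Update-ComputerDescription
```

Two practical notes. Because the description is written by the user's own account, anyone with that delegation can write an arbitrary string into any computer under the OU, so treat the field as a convenience for inventory, not as an authoritative record of who is on a machine; the `/G ...:WP;description;computer` scope keeps the delegation to that single attribute on computer objects only. And after changing security filtering or group membership, run `gpresult /r /scope:computer` on a target machine (after a reboot) to confirm the GPO is listed as applied rather than filtered out.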