[gptalk] Re: Group Policy Scoping

  • From: "MONTGOMERY, RONALD [AG/1000]" <ronald.montgomery@xxxxxxxxxxxx>
  • To: <gptalk@xxxxxxxxxxxxx>
  • Date: Mon, 15 Oct 2007 16:18:28 -0500

Can you:

Create a new OU right below the root and put all of your departmental
OUs inside. Link computer policy to the new OU.



From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx]
On Behalf Of Johnson, Matthew
Sent: Monday, October 15, 2007 4:06 PM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Group Policy Scoping


Our Domain structure is setup so that we have many departmental OU's and
one OU for Servers.  Each Dept. OU contains one OU for Computers and one
for Users.


We have GPOs linked to the root domain that apply to both workstations
and servers, but want to setup additional GPOs that apply to just
servers or just workstations.  GPOs for just Servers are easy because we
can link them to the Server OU.  The problem occurs when we want to
apply a GPO to just workstations.  We are running a Windows 2000 mixed
domain function level so we cannot use WMI filtering to specify what OS.


Here is what I've thought of so far.

1)      We could link the GPO to every Dept. OU but there is quite a few
and that seems sloppy and harder to manage.

2)      We could Block Inheritance on my Servers OU and link the
workstation GPOs to the root domain.  But then I would have to link the
common GPOs (GPOs that I want to apply to both servers and workstations)
to the Server OU also.

3)      We could just bite the bullet and upgrade to Windows 2003 domain
function level to enable WMI filtering


Does anyone have any suggestions?  How is everyone else doing this?


Thanks for any help.


Matthew Johnson


CONFIDENTIALITY STATEMENT: This electronic message contains information
from Fisher-Titus Medical Center and may be protected health information
or other confidential and privileged information under law.  The
information is intended to be for the use of the individual or entity
named above.  If you are not the intended recipient, be aware that any
disclosure, copying, distribution or use of the contents of this message
is prohibited. If you have received this electronic message in error,
please notify the sender immediately by reply e-mail or telephone at

This e-mail message may contain privileged and/or confidential information, and 
is intended to be received only by persons entitled to receive such 
information. If you have received this e-mail in error, please notify the 
sender immediately. Please delete it and all attachments from any servers, hard 
drives or any other media. Other use of this e-mail by you is strictly 

All e-mails and attachments sent and received are subject to monitoring, 
reading and archival by Monsanto, including its subsidiaries. The recipient of 
this e-mail is solely responsible for checking for the presence of "Viruses" or 
other "Malware". Monsanto, along with its subsidiaries, accepts no liability 
for any damage caused by any such code transmitted by or accompanying this 
e-mail or any attachment.

Other related posts: