Its not terrible. The problem gets to the complexity of it, depending upon how many OUs you have to maintain. You have to keep in mind that each link is independent but each GPO is not. So changes made to security filters or WMI filters on a GPO impact targets in all places where that GPO is linked. That can get complicated some organizations. Darren -----Original Message----- From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On Behalf Of Neil Sent: Monday, October 15, 2007 3:12 PM To: gptalk@xxxxxxxxxxxxx Subject: [gptalk] Re: Group Policy Scoping "1) We could link the GPO to every Dept. OU but there is quite a few and that seems sloppy and harder to manage." Is this option that bad? I know it is widely used in my experience. I generally set up a standard server, workstation, user policy and link to all sub OUs (departmental in your case) - then create a specific {dept_workstation} GPO to modify any changes that are required. Minimizes the numbers of policies and makes it easier for support staff to manage. Just my thoughts Regards Neil -----Original Message----- From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On Behalf Of Nelson, Jamie R Contr 72 CS/SCBAF Sent: 15 October 2007 22:50 To: gptalk@xxxxxxxxxxxxx Subject: [gptalk] Re: Group Policy Scoping Actually, this is correct. I misread your question thinking you had a Servers OU in each departmental OU. Since that is not the case, Ronald's approach would be best. Regards, Jamie Nelson -----Original Message----- From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On Behalf Of MONTGOMERY, RONALD [AG/1000] Sent: Monday, October 15, 2007 4:18 PM To: gptalk@xxxxxxxxxxxxx Subject: [gptalk] Re: Group Policy Scoping Can you: Create a new OU right below the root and put all of your departmental OUs inside. Link computer policy to the new OU. From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On Behalf Of Johnson, Matthew Sent: Monday, October 15, 2007 4:06 PM To: gptalk@xxxxxxxxxxxxx Subject: [gptalk] Group Policy Scoping Our Domain structure is setup so that we have many departmental OU's and one OU for Servers. Each Dept. OU contains one OU for Computers and one for Users. We have GPOs linked to the root domain that apply to both workstations and servers, but want to setup additional GPOs that apply to just servers or just workstations. GPOs for just Servers are easy because we can link them to the Server OU. The problem occurs when we want to apply a GPO to just workstations. We are running a Windows 2000 mixed domain function level so we cannot use WMI filtering to specify what OS. Here is what I've thought of so far. 1) We could link the GPO to every Dept. OU but there is quite a few and that seems sloppy and harder to manage. 2) We could Block Inheritance on my Servers OU and link the workstation GPOs to the root domain. But then I would have to link the common GPOs (GPOs that I want to apply to both servers and workstations) to the Server OU also. 3) We could just bite the bullet and upgrade to Windows 2003 domain function level to enable WMI filtering Does anyone have any suggestions? How is everyone else doing this? Thanks for any help. Matthew Johnson mjohnson@xxxxxxxx CONFIDENTIALITY STATEMENT: This electronic message contains information from Fisher-Titus Medical Center and may be protected health information or other confidential and privileged information under law. The information is intended to be for the use of the individual or entity named above. If you are not the intended recipient, be aware that any disclosure, copying, distribution or use of the contents of this message is prohibited. If you have received this electronic message in error, please notify the sender immediately by reply e-mail or telephone at 419/668-8101. This e-mail message may contain privileged and/or confidential information, and is intended to be received only by persons entitled to receive such information. If you have received this e-mail in error, please notify the sender immediately. Please delete it and all attachments from any servers, hard drives or any other media. Other use of this e-mail by you is strictly prohibited. All e-mails and attachments sent and received are subject to monitoring, reading and archival by Monsanto, including its subsidiaries. The recipient of this e-mail is solely responsible for checking for the presence of "Viruses" or other "Malware". Monsanto, along with its subsidiaries, accepts no liability for any damage caused by any such code transmitted by or accompanying this e-mail or any attachment. *********************** You can unsubscribe from gptalk by sending email to gptalk-request@xxxxxxxxxxxxx with 'unsubscribe' in the Subject field OR by logging into the freelists.org Web interface. Archives for the list are available at //www.freelists.org/archives/gptalk/ ************************ *********************** You can unsubscribe from gptalk by sending email to gptalk-request@xxxxxxxxxxxxx with 'unsubscribe' in the Subject field OR by logging into the freelists.org Web interface. Archives for the list are available at //www.freelists.org/archives/gptalk/ ************************ *********************** You can unsubscribe from gptalk by sending email to gptalk-request@xxxxxxxxxxxxx with 'unsubscribe' in the Subject field OR by logging into the freelists.org Web interface. Archives for the list are available at //www.freelists.org/archives/gptalk/ ************************