blotter
asked on
Group Policy for new OU
I have set up a policy for a new OU that I moved a group into (HIPAA compliance). I have set up a new policy for these guys and not all of the settings are taking hold. They are not getting the Logon Message that warns them that the computer is for official use only (yada yada...). Any help that I could get as to how I can make the rest of the policy stick would be very helpful. I am still kind of new to the AD schema.
I should also like to establish password requirements for this group. The only option that I say was to enable password complexity. When we told them min 6 char., with at least 1 number, that baked their noodle. Enabling complexity would completely baffle them (min 3 special char).
Most of these settings will be made a part of the global policy, but we want to start small first.
Thanks for the help.
I should also like to establish password requirements for this group. The only option that I say was to enable password complexity. When we told them min 6 char., with at least 1 number, that baked their noodle. Enabling complexity would completely baffle them (min 3 special char).
Most of these settings will be made a part of the global policy, but we want to start small first.
Thanks for the help.
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Don't get confused here; there are two different sets of policies: user policies and computer policies.
User policies, as the name says, apply only to users (the HKCU part of the registry). These are the ones you find under "User Configuration" in the GP MMC.
Computer policies (you guessed it) apply only to computers (the HKLM part of the registry). These are the ones you find under "Computer Configuration" in the GP MMC.
Any policy (user or machine) only applies to members of the OU that the GPO is defined in. So if, for example, you defined a OU named "MyCompaniesUser", moved all of your users (but not your machines) in there and defined a policy that included user as well as computer configuration, the computer configuration *will* *not* *apply*.
Check this out:
Chapter 4 - How Group Policy Works
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/windows2000serv/reskit/deploy/ccmdepl/ccmch04.asp
To check out which policies are applied, you can use gpresult.exe from the Resource Kit; if you don't have the Resource Kit, you can get parts of it here:
Free Windows 2000 Resource Kit Tools for Administrative Tasks
http://support.microsoft.com/?kbid=274305
User policies, as the name says, apply only to users (the HKCU part of the registry). These are the ones you find under "User Configuration" in the GP MMC.
Computer policies (you guessed it) apply only to computers (the HKLM part of the registry). These are the ones you find under "Computer Configuration" in the GP MMC.
Any policy (user or machine) only applies to members of the OU that the GPO is defined in. So if, for example, you defined a OU named "MyCompaniesUser", moved all of your users (but not your machines) in there and defined a policy that included user as well as computer configuration, the computer configuration *will* *not* *apply*.
Check this out:
Chapter 4 - How Group Policy Works
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/windows2000serv/reskit/deploy/ccmdepl/ccmch04.asp
To check out which policies are applied, you can use gpresult.exe from the Resource Kit; if you don't have the Resource Kit, you can get parts of it here:
Free Windows 2000 Resource Kit Tools for Administrative Tasks
http://support.microsoft.com/?kbid=274305
ASKER
oBdA,
ASKER
oBdA,
ASKER
oBdA,
ASKER
oBdA,
Thanks for the good information. The whole time I was focusing on the users account and not on the machine. All I really needed to do was to drag the machine into the OU that I created. Worked like a champ. I appreciate the assist. If I had any more points to award you I would have. Thanks again.
Thanks for the good information. The whole time I was focusing on the users account and not on the machine. All I really needed to do was to drag the machine into the OU that I created. Worked like a champ. I appreciate the assist. If I had any more points to award you I would have. Thanks again.
ASKER
I cannot use the GPMC as it requires Windows XP (though it will manage a 2000 domain).
Any ideas on the "Welcome" Banner. I am wondering, if passwords schemas require global policys, would the banner require the same.
I am not familiar with FRS. Sorry, I am really a nube with AD.