Group Policy

keepsmilin456

IS-IT--Management
Apr 16, 2003
82
In need of Group Policy Experts

Platform: Windows 2000 Server

I just started getting into Group Policy deployments at our company (ya ya... I know I'm a little late!) Let me tell you, very interesting stuff. Our company is comprised of about 100 or so employees with 5 'domain admins', including myself; we purposely do not have any enterprise admins. I started deploying some basic policies at the domain level. (IE homepage cannot be changed, provided by "...", few cosmetic changes, nothing big... YET!) All of our employees are in the builtin "Users" unit in AD. I want to deploy the default domain policy to everyone in the company but not us (domain admins, we want to be able to override all settings). I changed the security for Domain Admins to deny the policy... which screwed things up. None of us could access the group policy after I changed that setting (access denied); luckily, with all the articles about this already on the net, it took us about 20 minutes to fix.

Anyone know a workaround for this? I am aware that you can create multiple OUs and go from there... but we only have 100 employees. We are not that big of a company, so if OUs are the only way to go, that will be my last option.

If I didn't explain myself well, let me know
TIA

 
keepsmilin,

This can seem very frustrating, I know, we taught this to ourselves! Best bet here, work from the top only. What I mean, is work from your domain name, in DSA.MSC.

Okay, here is the main catch: when creating your policies, go to properties for a particular policy, go to the Security tab, and then notice the check box that says Apply Group Policy. That is how it determines whether you get it or not, nothing else. Don't worry about read and delete and write rights. They are useless!! Create a group that has all of your other users in it (but not you), then apply the policy to that particular group, and wham bam thank you ma'am, you are ready to go.

Hope this helps!
 
The other option is to add the domain admins to a new OU and then select Block Inheritance. This will stop the policy from the domain being applied to the admin OU.
 
Thanks for all your responses...
Penguin,
In my security tab we have Authenticated Users, which have Read & Apply Group Policy checked (by default). Domain Admins have everything checked to allow. All I have to do is 'clear' the Apply Group Policy permission? If the default policy does not apply to domain admins, then what policy does apply to domain admins? Doesn't everyone have to use some type of group policy?

Thanks
 
No, not at all. We currently DO use one at my facility though. We have one set for proxy, homepage, background and such. It keeps a nice uniform look for the servers also! :)

Everything you said appears correct!
 
Thanks for your response... I cleared the Domain Admins to not allow 'Apply Group Policy'. The only permissions that are checked for Domain Admins are to allow 'Read', 'Write', 'Create All Child Objects', 'Delete All Child Objects'. The group policy is still applying to Domain Admins.
Curious... but doesn't the 'Authenticated Users' override all users? Any suggestions?

Thanks
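
The security filtering discussed in this thread, as an added example that is not part of any poster's reply: a GPO is processed for a user only when the user's group memberships grant both Read and Apply Group Policy, and an explicit Deny beats any Allow. The model is a simplification of the Windows access check; the group name GPO-Staff and the sample ACLs are constructed.

```python
# Simplified model of GPO security filtering (added example, not from the thread).
# Assumption: explicit ACEs only; a Deny on a right beats any Allow for it.
from dataclasses import dataclass

READ, APPLY, WRITE = "Read", "Apply Group Policy", "Write"

@dataclass(frozen=True)
class Ace:
    trustee: str        # group the entry names
    kind: str           # "allow" or "deny"
    rights: frozenset   # rights the entry covers

def ace(trustee, kind, *rights):
    return Ace(trustee, kind, frozenset(rights))

def effective_rights(acl, groups):
    """Union of Allows from every group in the token, minus any Deny."""
    allowed, denied = set(), set()
    for entry in acl:
        if entry.trustee in groups:
            (denied if entry.kind == "deny" else allowed).update(entry.rights)
    return allowed - denied

def gpo_applies(acl, groups):
    """The policy is processed only if both Read and Apply survive."""
    return {READ, APPLY} <= effective_rights(acl, groups)

# Constructed tokens: every logged-on account is in Authenticated Users.
ADMIN = {"Authenticated Users", "Domain Admins"}
STAFF = {"Authenticated Users", "GPO-Staff"}   # GPO-Staff is a hypothetical group

# Apply cleared (not denied) for Domain Admins, Authenticated Users untouched.
ACL_CLEARED = [ace("Authenticated Users", "allow", READ, APPLY),
               ace("Domain Admins", "allow", READ, WRITE)]
# Same ACL plus a Deny on Apply only, so admins keep Read and Write.
ACL_DENY_APPLY = ACL_CLEARED + [ace("Domain Admins", "deny", APPLY)]
# Authenticated Users removed; a group without the admins gets Read + Apply.
ACL_STAFF_GROUP = [ace("GPO-Staff", "allow", READ, APPLY),
                   ace("Domain Admins", "allow", READ, WRITE)]

if __name__ == "__main__":
    for name, acl in [("cleared", ACL_CLEARED), ("deny apply", ACL_DENY_APPLY),
                      ("staff group", ACL_STAFF_GROUP)]:
        print(f"{name:12} admin={gpo_applies(acl, ADMIN)} staff={gpo_applies(acl, STAFF)}")
```

In the cleared case the admin token still receives the policy through Authenticated Users, which matches what the last post reports.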
 