Archived from groups: microsoft.public.win2000.group_policy

Here's one for y'all.

When creating a GPO, I create it in a test OU, make sure it works as I
expected. i.e., I made a new OU for Office 2003 deployment. I made my GPO
there, tested it out, and then moved computer accounts in as I wanted Office
deployed. I linked that OU to GPO's in another OU (Windows Update, this and
that). (And I'm not using nested OU's either).

Now if I want to get rid of the old OU as Office is finished being deployed,
I can't take out the old OU--the existing policies will be deleted, as they
won't have anyplace to reside.

Can I move or copy the GPO's to a different OU so I can get rid of 'dead'
OU's without losing what we've configured? I don't want to have to go back
and re-create the policies (especially the Office software policy--I don't
want to have to have that one re-apply to the workstations and possibly
screw up the installation on 200 computers).

On a side note, what practice does everyone follow? I'm getting the feeling
that I should keep an OU just for policies, and link out of that so the
policies are 'kept' in a central location, then just create OU's for testing
and link to the "GPO Home" ou. Or am I just missing something that's really
easy, and I'm making it a ton harder?

TIA

Ken

Archived from groups: microsoft.public.win2000.group_policy

Ken,

Did not read all of your post so might have missed something. Sorry.

When you create a GPO you are not creating it at the level where you are at
that moment ( for example, at an OU ). You are creating a couple of things
once you give that GPO a 'friendly name': You have created the GPT ( in the
SYSVOL folder ), you have created the GPC ( a container in the Active
Directory Database ) and a link for that GPO to the level ( to use my
previous example, to that OU - level ).

So, you can create an OU, move user account objects and/or computer account
objects into that OU and then create a GPO that is linked to that OU. Let's
say that you want to deploy Office 2003 to the user configuration side. So,
you use Advanced Assign ( because you want to use a .mst file ) when
creating the GPO. Then, you have your users log off and then log on and
Office 2003 is deployed as per your GPO. If, for whatever reason, you
wanted to remove the application ( Office 2003 ) then you would simply go to
the GPO and click on Delete... You would then have a choice to make: remove
the link to that OU but leave the GPO itself still intact or to delete both
the link and the GPO itself. Let's look at what both mean:

If you simply remove the link to that OU then the next time that the users
that directly reside in that OU log off and then back on Office 2003 will be
removed ( assuming, of course, that you have checked the 'Remove this
application once it falls out of the scope of this GPO' check box - or
whatever the actual text reads ). However, you still have this GPO
available to you. You could go to another OU ( remember that there are four
levels to which a GPO can be linked - local, Site, Domain and OU ) and
instead of clicking New... you would simply click on Add... and then
probably click on the All tab and select the 'Office 2003' GPO. Now it is
linked to that new OU and any user account objects that directly reside in
that OU ( they have to directly reside in that OU.....if there is a security
group inside that OU that contains user account objects as members then
these user account objects are not affected by the GPO due to this
membership of that group - they have to reside directly in that OU ) will
receive the package the next time they log off and then back on.

However, if you simply remove both the link and the GPO itself then things
do not work so well. The next time that the users log off and then back on
Office 2003 will not be uninstalled! It will stay there. Why? Because you
did not give them a chance to log off and then back on so that they will
see that the link was removed to that OU and the GPO will do its thing (
namely, remove the application that was originally deployed via this GPO ).
It can not as the GPO itself no longer exists.

HTH,

Cary

Archived from groups: microsoft.public.win2000.group_policy

Right... I get the idea of how the GPO is 'applied'.... but if I delete the
OU that I created the GPO in, then the GPO is deleted as well. (at least it
appears that way)

Right now, I have a few 'extra' OU's that I had previously tested GP's with,
and subsequently linked to those GP's (using Add, then find the GP by going
up the hierarchy, then to the 'creation OU' and picking out the GP). Now
that my testing is done, I want to take out those OU's, but they are home to
GP's currently being used (an OU with a GP for Office installation in one,
an OU for Windows Update in another, an OU for a registry key entry in
another, an OU for Adobe Acrobat in yet another, etc.)... I want to combine
all these into one OU, and move the existing policies to a new empty OU (to
be aptly named "GPO OU" ) then link to it.... some computers will need to
have Windows Update, but will not be able to 'handle' Office 2003 due to
their function, or will not need Adobe Acrobat reader (like data collection
terminals). I'd want to have an OU for those, and call it "Data
Collection", but link to the registry key GP and Windows Updates. But I
want to clean up the domain, and not have a ton of OU's hangin out as home
to one GPO that's linked to the OU holding "Engineering" or "Sales"

....or am I just being very confusing?

TIA

Ken

Archived from groups: microsoft.public.win2000.group_policy

Ken,

in-line....

"Ken B" <none@microsoft.com> wrote in message
news:OIcNJGNoEHA.1668@TK2MSFTNGP14.phx.gbl...
> Right... I get the idea of how the GPO is 'applied'.... but if I delete the
> OU that I created the GPO in, then the GPO is deleted as well. (at least it
> appears that way)

Absolutely not true!

> Right now, I have a few 'extra' OU's that I had previously tested GP's with,
> and subsequently linked to those GP's (using Add, then find the GP by going
> up the hierarchy, then to the 'creation OU' and picking out the GP). Now
> that my testing is done, I want to take out those OU's, but they are home to
> GP's currently being used

Again, absolutely not true. These GPOs are not housed in the OU. I
explained that, or so I thought! There are two completely separate places
where the GPOs actually live - in the GPT and in the GPC. The third part of
the equation is the link ( gPOLink, IIRC ). Deleting an OU to which a GPO
is linked has no detrimental effect on the GPO......

> (an OU with a GP for Office installation in one,
> an OU for Windows Update in another, an OU for a registry key entry in
> another, an OU for Adobe Acrobat in yet another, etc.) I want to combine
> all these into one OU, and move the existing policies to a new empty OU (to
> be aptly named "GPO OU" ) then link to it.... some computers will need to
> have Windows Update, but will not be able to 'handle' Office 2003 due to
> their function, or will not need Adobe Acrobat reader (like data collection
> terminals). I'd want to have an OU for those, and call it "Data
> Collection", but link to the registry key GP and Windows Updates. But I
> want to clean up the domain, and not have a ton of OU's hangin out as home
> to one GPO that's linked to the OU holding "Engineering" or "Sales"
>
> ...or am I just being very confusing?

Not sure that you are being confusing. I am just not sure why you are
drawing the conclusion that you are. Have you installed the Support Tools
and looked at GPOTool and GPRESULT and then also looked at repadmin and
replmon? If you have WIN2003 Active Directory or if you have an available
WINXP SP1 machine you might want to check out the GPMC.

Not to worry, we will get to the bottom of this!

Cary

Archived from groups: microsoft.public.win2000.group_policy

GPOs are NOT stored in the Organizational Units OU

You can create an OU named Office2003Computers and then
configure a GPO to install Office 2003 for all computers
in that OU. Let us say that your GPO is named Office2k3.

You start moving computers to populate the OU. You will
find that computers that were moved in this OU have
installed the assigned application.

When you move your computers elsewhere out of your OU,
no further installation of Office 2003 occurs. If you
delete the OU, i.e. delete the Office2003Computers make
sure that the GPO won't get deleted!

BEFORE DELETING THE OU, JUST UNLINK THE GPO, THEN DELETE
THE OU. THIS WOULD MAKE IT EASIER FOR WINDOWS AS IT MIGHT
GIVE YOU SOME ERROR MESSAGES IN YOUR LOG FILES, JUST AS
WHEN YOU GET AN ERROR MESSAGE FOR A SHARED FOLDER THAT HAS
BEEN DELETED WITHOUT UNSHARING IT! WINDOWS KEEPS UP THE
SHARE EVEN WHEN YOU DELETE THE FOLDER!!!

You might be asking yourself. Where is my GPO then?
It is still there somewhere defined on your domain
controller but not linked to any OU. If you want to see it,
right click on any OU, then properties, select GPO, click
ADD, and select the last tab and select to view ALL GPOs
in your domain. I'm sure you'll find your GPO there!
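
The point made in the replies above, as an added example that is not part of the original thread: an OU only carries links (the attribute is named `gPLink` in the AD schema), while each GPO's directory object, the GPC, sits under `CN=Policies,CN=System`. The directory contents, GUIDs and the `example.com` domain are constructed, and the model covers the Active Directory side only, not the GPT in SYSVOL.

```python
import re

# Constructed sample data: a tiny stand-in for an AD export, DN -> attributes.
POLICIES = "CN=Policies,CN=System,DC=example,DC=com"
OFFICE = "{11111111-1111-1111-1111-111111111111}"
WSUS = "{22222222-2222-2222-2222-222222222222}"
ACROBAT = "{33333333-3333-3333-3333-333333333333}"


def link(guid, options=0):
    """Build one gPLink entry: [LDAP://<GPC DN>;<options>]."""
    return f"[LDAP://CN={guid},{POLICIES};{options}]"


DIRECTORY = {
    # GPCs: one object per GPO, stored under CN=Policies, never inside an OU.
    f"CN={OFFICE},{POLICIES}": {"displayName": "Office 2003"},
    f"CN={WSUS},{POLICIES}": {"displayName": "Windows Update"},
    f"CN={ACROBAT},{POLICIES}": {"displayName": "Adobe Acrobat"},
    # OUs: each holds only a gPLink string pointing at GPCs.
    "OU=Office Test,DC=example,DC=com": {"gPLink": link(OFFICE) + link(WSUS)},
    "OU=Engineering,DC=example,DC=com": {"gPLink": link(OFFICE) + link(WSUS, 2)},
    "OU=Data Collection,DC=example,DC=com": {"gPLink": link(WSUS)},
    "OU=Acrobat Test,DC=example,DC=com": {"gPLink": link(ACROBAT, 1)},
}

LINK_RE = re.compile(r"\[LDAP://([^;\]]+);(\d+)\]", re.IGNORECASE)


def parse_gplink(value):
    """Return [(gpo_dn, disabled, enforced)]; option bit 1 = disabled, 2 = enforced."""
    return [(dn, bool(int(o) & 1), bool(int(o) & 2))
            for dn, o in LINK_RE.findall(value or "")]


def gpo_links(directory):
    """Map each GPO display name to [(container DN, link state)]."""
    gpos = {dn.lower(): a["displayName"]
            for dn, a in directory.items() if "displayName" in a}
    report = {name: [] for name in gpos.values()}
    for dn, attrs in directory.items():
        for gpo_dn, disabled, enforced in parse_gplink(attrs.get("gPLink")):
            name = gpos.get(gpo_dn.lower())
            if name is not None:
                state = "disabled" if disabled else "enforced" if enforced else "enabled"
                report[name].append((dn, state))
    return report


def delete_ou(directory, ou_dn):
    """Remove an OU and anything beneath it; objects elsewhere are untouched."""
    target, suffix = ou_dn.lower(), "," + ou_dn.lower()
    return {dn: a for dn, a in directory.items()
            if dn.lower() != target and not dn.lower().endswith(suffix)}


def unlinked_gpos(directory):
    """GPOs that still exist but are no longer linked from any container."""
    return sorted(n for n, links in gpo_links(directory).items() if not links)


if __name__ == "__main__":
    after = delete_ou(DIRECTORY, "OU=Office Test,DC=example,DC=com")
    print(gpo_links(after)["Office 2003"])   # Engineering's link survives
    after = delete_ou(after, "OU=Acrobat Test,DC=example,DC=com")
    print(unlinked_gpos(after))              # GPO exists, just unlinked
```
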

Archived from groups: microsoft.public.win2000.group_policy

<snip>
> Not sure that you are being confusing. I am just not sure why you are
> drawing the conclusion that you are. Have you installed the Support Tools
> and looked at GPOTool and GPRESULT and then also looked at repadmin and
> replmon? If you have WIN2003 Active Directory or if you have an available
> WINXP SP1 machine you might want to check out the GPMC.
>
> Not to worry, we will get to the bottom of this!
>
> Cary
>

Unfortunately, I don't have a real test environment to work with... My
testing's limited to a few workstations on a production 2000 domain. It's
taken a lot of work to convince my boss to let me deploy Office 2k3 via GPO,
instead of walking around to 200 computers. I think they just got the last
NT4 domain nixed last year, so getting into the fundamentals of GP's is a
slow battle 'round here!

Many thanks again-- :)

Ken
