Microsoft Windows Server 2003 Unleashed (R2 Edition)
Administrators create group policies to limit users from performing certain tasks or to automatically set up specific functionality. For example, a group policy can be established to display a legal disclosure to all users who attempt to log in to a system, or it can be set up to limit access to the command prompt. Group policies can be set on Active Directory sites, domains, and OUs but can also be configured to apply specifically to groups as well. This functionality increases the domain designer's flexibility to apply group policies. As previously mentioned in this chapter, creating additional OUs simply to apply multiple group policies is not an efficient use of OU structure and can lead to overuse of OUs in general. Rather, you can achieve a more straightforward approach to group policies by applying them directly to groups of users. The following procedure illustrates how you can apply a specific group policy at the domain level but enact it only on a specific group:
This concept of applying a specific group policy at the domain level but enacting it at a specific group in and of itself can reduce the number of unnecessary OUs in an environment and help to simplify administration. In addition, group policy enforcement becomes easier to troubleshoot as complex OU structures need not be scrutinized. |
Категории