For you Roger...of course :-) The Group Policy Infrastructure White Paper is a good read if you have a spare couple of days.
http://www.microsoft.com/downloads/details.aspx?FamilyID=d26e88bc-d445-4e8f-aa4e-b9c27061f7ca&DisplayLang=en

Appendix C covers WMI filtering quite comprehensively.

Tony

---------- Original Message ----------------------------------
Wrom: GPKYLEJGDGVCJVTLBXFGGMEPYOQKEDOTWFAOBUZXUWLS
Reply-To: [EMAIL PROTECTED]
Date: Tue, 10 Jun 2003 06:45:00 -0400

Do you have links to any articles that show how to do WMI filtering in GPOs? I've not run across that idea, although it sounds slick.

--------------------------------------------------------------
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.

> -----Original Message-----
> Wrom: ZLKBRNVWWCUFPEGAUTFJMVRESKPNKMBIPBARHDMNNSKVF
> Sent: Tuesday, June 10, 2003 3:17 AM
> To: [EMAIL PROTECTED]
> Subject: Re: [ActiveDir] OU and GPO Design Comments
>
> If you use group filtering in this way, it is recommended not
> to use Deny. Instead use positive filtering. To do this,
> remove the Authenticated Users group from the ACL and then
> add the groups you want it to apply to using Apply Group Policy.
>
> Another approach would be to create an OU layer for
> delegation of administration, e.g. User, Computer, etc. and
> then have OUs at a level below these for the application of
> group policy. For example, under the Branch->Users OU you
> could have OUs called General, Lab, VIP, etc.
>
> Someone else made a point about separate OUs for workstations
> and laptops. This is certainly an option, but there may be a
> way to avoid this by using WMI filtering in the GPO. For
> example, WMI can identify the chassis type of the machine.
> Based on this information you could filter the GPO based on
> whether the chassis corresponds to a laptop or workstation.
>
> Tony
>
> ---------- Original Message ----------------------------------
> Wrom: TZRCLBDXRQBGJSNBOHMKHJYFMYXOEAIJJPHSC
> Reply-To: [EMAIL PROTECTED]
> Date: Tue, 10 Jun 2003 00:04:25 -0400
>
> I'm interested in feedback on the following OU and GPO design.
>
> Simple OU structure, something like:
>
> |--Branches
> |--Users
> |--Computers
>
> The "Users" OU would hold around 5000 users and the
> "Computers" OU an equal amount of workstations and servers.
>
> GPOs would be created for the users and linked to the OU,
> but only applied to certain global groups that the users
> would be members of. Similar for the computers. There would
> be an "All Users" and "All Computers" GPO with global
> settings, then more granular GPOs for departmental
> specific settings.
>
> Almost all administration would be done centrally, so there should be
> little need for delegation.
>
> This seems like it should be simple and effective, but we
> haven't tried it real-world, so I'm curious if people have
> any thoughts on possible gotchas, issues, etc.
>
> --
> David

List info : http://www.activedir.org/mail_list.htm
List FAQ : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
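
The chassis-type check discussed in the thread, as an added example that is not part of the original messages: it reads `Win32_SystemEnclosure.ChassisTypes` and classifies a machine as laptop or workstation, so you can see how each machine would be sorted before a GPO is filtered on that value. The function name `Get-ChassisClass`, the two code groupings and the sample inputs are assumptions of this example.

```powershell
# Added example, not from the thread. ChassisTypes holds SMBIOS enclosure codes.
# The two groupings below are this example's choice; adjust them for your fleet.
$PortableChassis = 8, 9, 10, 11, 14, 30, 31, 32  # Portable, Laptop, Notebook, Hand Held,
                                                 # Sub Notebook, Tablet, Convertible, Detachable
$DesktopChassis  = 3, 4, 5, 6, 7, 13, 15         # Desktop, Low Profile Desktop, Pizza Box,
                                                 # Mini Tower, Tower, All in One, Space-saving

function Get-ChassisClass {
    # Hypothetical helper: returns 'Laptop', 'Workstation' or 'Unknown'.
    param([int[]]$ChassisTypes)

    if ($null -eq $ChassisTypes -or $ChassisTypes.Count -eq 0) { return 'Unknown' }

    # A docked laptop can report its own type plus 12 (Docking Station),
    # so any portable code wins over everything else in the array.
    if ($ChassisTypes | Where-Object { $PortableChassis -contains $_ }) { return 'Laptop' }
    if ($ChassisTypes | Where-Object { $DesktopChassis  -contains $_ }) { return 'Workstation' }

    # Codes such as 1 (Other) or 2 (Unknown), which some firmware and virtual
    # machines report, fall through here instead of being guessed at.
    return 'Unknown'
}

# Constructed sample values, so the classification can be checked offline.
$samples = [ordered]@{
    'laptop'             = @(10)
    'laptop-in-dock'     = @(10, 12)
    'tower'              = @(7)
    'vm-reporting-other' = @(1)
    'no-data'            = @()
}
foreach ($name in $samples.Keys) {
    '{0,-20} {1}' -f $name, (Get-ChassisClass $samples[$name])
}

# Live check on the local machine (Windows only).
if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) {
    $types = (Get-CimInstance -ClassName Win32_SystemEnclosure).ChassisTypes
    '{0}: {1} (ChassisTypes: {2})' -f $env:COMPUTERNAME, (Get-ChassisClass $types), ($types -join ',')
}
```

Machines that come back `Unknown` would match neither side of a laptop/workstation filter, so decide explicitly which policy they should receive.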