GPP?
John Bowles ________________________________ From: Stephen Wimberly [swimbe...@gmail.com] Sent: Wednesday, January 20, 2010 10:14 AM To: NT System Admin Issues Subject: Re: GPO Best Practices Servers and workstations "should" be in different OU's for a variety of reasons, GPO is one of the best reasons. We used to use restrictive groups for the local Administrators group, but yes this does delete all contents and replace with the contents of the GPO. If you have Server 2003 Domain controllers running at the 2003 functional level you should be able to use GPP rather than GPO. This will allow you to fine tune the local groups on the workstations and servers as you would like without destroying your existing contents. It can do the same thing in the end result, but the thought of emptying before replacing bothered me. ;) 2010/1/20 John Bowles <john.bow...@wlkmmas.org<mailto:john.bow...@wlkmmas.org>> I have a customer who is looking to implement a GPO to add Domain Admins to all the workstations and servers. I was looking into using Restricted Groups to tackle this task, but it seems if you use Restricted Groups you will lose anything outside of the groups you have listed in the restricted groups, that reside in local admin group of workstations or servers. My question is, if I recall a finely tuned AD the concept was to have your workstations and servers in seperate OU's right? This way you can have seperate sets of GPO's for each class, either workstations or servers? Or, is there just a flat out easier way to push certain accounts to the servers and workstations? Thanks, John Bowles ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~