General Question's

[DrewSmith1984]

I am currently enrolled in an introductory course on Server 2008 and I have a few questions that are not directly answered in my textbook. If someone could help me out I would be greatly appreciative.

 

1. Why does a policy set in the Computer Configuration node of a GPO linked to the domain object affects all computers in the domain, including all computers in the Domain Controllers OU and the Computers folder.

 

2.When might nesting OUs be appropriate? Discuss the advantages.

 

 

Thanks in advance,

 

Drew

[ICTCity]

Hi,

 

1) Because of the word "LINK". Everytime you link something to the domain / SITE (actually you can see the AD as a folder tree), and your SITE is the ROOT, the beginning of your directory. Now, by default, everything linked to the domain will be propagated to the "children" (OU, groups, ...). To avoid this, you can block certain OU, Policies or any other object from propagating to the children, right click on a object and you can see a check mark which says "Link...".

 

2) This is a good question, I don't use NESTING OU because of I think they can start to be complexed while troubleshooting problems. The PARENT object is processed first, then the child / children. Now, let's make an example: you have the accouting which is made of 5 people with only one boss. You can create an OU called ACCOUNTING with the boss inside this one, then add a nested OU called ACCOUNTING_EMPLOYE. Here you can put all the 5 people which work for accounting group. On the first OU you can set a policy which allow to change the wallpaper, and on the second OU not.

Nesting OUs are good things when you want to write a script (VBS) which check permissions or set permissions, you can say that if the current user is on a nested OU, he doesn't have permission to do whatever.

 

I hope this can help you.

 

Let me know!

 

Take a look here:

 

http://technet.microsoft.com/en-us/library/cc739343(WS.10).aspx