| Author | Messages | |
jfigueroa
Posts:16
 | | 02/01/2012 4:51 PM |
| Good morning,
Not sure this question belongs in this forum but I can't think of a more qualified group of folks to comment on this.
Here is the challenge:
1) We are upgrading our desktops from XP to Windows 7 (~30K)
2) We are creating a new OU structure for the desktops to do some overdue cleanup and enhance with new Win 7 GPOs
3) Since this project will last over a year our users may float between XP and Win 7 machines
a. Since we are not migrating users, it is not like we can move the user objects from one OU to another to apply Win 7 GPOs
b. We are kicking around the idea of creating new User GPOs in the existing user OU structure with a WMI filter that queries to see if the user is currently on a Win 7 machine or
c. Creating the user GPOs and linking them to the new computer OU structure for Win 7, not moving the users but using loopback for the user settings. Not a lot of people like this one... I kind of do.
d. Some other method we have not thought of yet
Just curious what other folks have done or how some other folks may approach it.
Thanks in advance
Johnny Figueroa IT Systems Engineer Senior Consultant 602.747.4313 - Desk Johnny.Figueroa@bannerhealth.com Our Nonprofit Mission: We exist to make a difference in people's lives through excellent patient care.
| | | |
| ethierbach
Posts:5
 | | 02/01/2012 4:51 PM |
| Hi, Johnny - we use loopback processing. We generally only apply GPOs to workstations, not users. It works well in our environment, where users may have joint appointments in multiple departments, and may move around among several "flavors" of workstations on a weekly or even daily basis. Our users are mostly in a central "People" OU, but workstations are managed at a departmental level, not centrally, so this is really our only workable option for GPOs.
-Ed-
Ed Thierbach University of Michigan IT Services, AD Infrastructure lead
From: activedir-owner@mail.activedir.org [mailto:activedir-owner@mail.activedir.org] On Behalf Of Figueroa, Johnny Sent: Thursday, September 29, 2011 11:29 AM To: Active Directory Mailing List (ActiveDir@mail.activedir.org) Subject: [ActiveDir] Windows 7 migration and handling User GPOs
| | | |
| barkills
Posts:214
 | | 02/01/2012 4:51 PM |
| Option c, group policy loopback, is used extensively in the Higher Education sector. Typically universities stick all their users in a single OU because any given user doesn't "belong" to a single IT authority. But in contrast, computers "belong" to specific IT authorities. So you use loopback to apply the right set of user policies on a given user when they are logged into "your" computers.
I haven't experienced nor have I heard any complaints about group policy loopback functionality from folks in the HiEd sector. And that's saying something given that the size of ADs at public/state universities is typically larger than the largest corporations.
Personally, I think the WMI filter approach is more complicated than the loopback one, but maybe that's because of my familiarity with loopback vs. WMI filters.
| | | |
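Added example, not part of any poster's message: a PowerShell check, run on a workstation, that reports the two conditions discussed in this thread, namely whether the machine would match a Windows 7 WMI filter (option b) and which loopback mode, if any, is configured (option c). The WQL query and the function name `Get-UserGpoTargetingState` are assumptions chosen for illustration; `UserPolicyMode` is the policy registry value where Windows records the loopback setting.

```powershell
# Added illustration; run on the workstation being checked.
# Assumption: the Windows 7 WMI filter keys on OS version 6.1 and ProductType 1 (workstation).
$Win7Filter = 'SELECT Version FROM Win32_OperatingSystem WHERE Version LIKE "6.1%" AND ProductType = 1'

function Get-UserGpoTargetingState {
    # Option b: evaluate the same WQL a GPO WMI filter would run (namespace root\CIMv2).
    $match = @(Get-WmiObject -Namespace 'root\CIMv2' -Query $Win7Filter)

    # Option c: loopback arrives as a computer policy and is stored in this key.
    $key  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'
    $mode = (Get-ItemProperty -Path $key -Name UserPolicyMode -ErrorAction SilentlyContinue).UserPolicyMode
    $loopback = switch ($mode) {
        1       { 'Merge' }           # user OU GPOs first, then computer OU user settings
        2       { 'Replace' }         # only user settings from GPOs in the computer's scope
        default { 'Not configured' }  # value absent: normal user-OU processing
    }

    New-Object PSObject -Property @{
        Computer          = $env:COMPUTERNAME
        OSVersion         = (Get-WmiObject Win32_OperatingSystem).Version
        MatchesWin7Filter = ($match.Count -gt 0)
        LoopbackMode      = $loopback
    }
}

Get-UserGpoTargetingState | Format-List

# Vista and later syntax: lists the user GPOs applied and those filtered out,
# including any denied by a WMI filter.
gpresult /r /scope user
```

Comparing the output on an XP machine and a Windows 7 machine for the same user shows which of the two targeting methods is actually deciding the user's policy set.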
| darren
Posts:393
 | | 02/01/2012 4:51 PM |
| Johnny- You may be over-complicating things here. Generally speaking, any per-user settings that you set that are specific to Win7 will just be ignored when the user is on XP. You can test this of course, but I would do that before complicating the environment with loopback or other workarounds.
Darren
From: activedir-owner@mail.activedir.org [mailto:activedir-owner@mail.activedir.org] On Behalf Of Brian Arkills Sent: Thursday, September 29, 2011 8:49 AM To: Active Directory Mailing List (ActiveDir@mail.activedir.org) Subject: RE: [ActiveDir] Windows 7 migration and handling User GPOs
| | | |
| TG
Posts:313
 | | 02/01/2012 4:51 PM |
| Group,
Does anyone have references to what potential issues can be encountered if a large number (20-30) of DNS suffixes is added to a search list? I have searched and come up with nothing.
Desktop group is looking to add that many entries to the list and I heard rumors of increasing that number beyond that (possibly to a hundred).
Thank you, Tony.
Tony Gordon | Identity & Access Management Architect Aon Service Corporation | End User Services | Global Technology Solutions & Services MCITP:EA, Windows 2003 & 2000 MCSE, Windows 2003 MCSA, PMP 847.883.7892 (Direct) tony dot gordon at aonhewitt dot tld | www.aon.com
| | | |
| decrosby
Posts:101
 | | 02/01/2012 4:51 PM |
| We are also following the model Brian describes after moving from a heavily LOB-based OU design to a flattened structure better suited for virtualisation and the continued provision / deprovisioning of machines... We have found WMI on occasion to be inefficient in the way queries are submitted and data is retrieved...
Thanks.
Damian.
| | | |