Different GPOs for users, or why so many OUs

Hello, dear ones.

I would like to point out up front that everything written here applies to my servers and my users, and in no way do I encourage or push you to do what I did.

If my experience helps someone solve their problems, that will be the best reward for my work. We all learn from someone or something.

Have you ever asked yourself why you, personally, need a domain and the users in it at all? Apart from the standard answers like:

"Domains were created as a human-friendly way of addressing the Internet Protocol (IP)" (source: https://www.nur.kz/technologies/internet/1786298-cto-takoe-domen-i-domennoe-ima/)

"A domain is a website address. A website is a collection of web pages stored on a server. And a server, in turn, is a computer connected to the Internet, only a very powerful one." (source: Skysmart Online School, https://skysmart.ru/articles/programming/chto-takoe-domen)

Both of those describe a DNS domain name, not an Active Directory domain, which is what this article is about.

For me, a domain is the ability to control the computers joined to it: to limit profile sizes, manage users' computers as needed, grant or deny access to particular resources, and so on. And it looks after its users' files so that they do not disappear through the users' own clumsiness or for any other reason.

To that end, all user profiles are copied to a file server twice a day. No, I don't copy them by hand: there is a fine standard utility for this called Robocopy, which I highly recommend.
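What such a twice-daily copy looks like in practice, as an added example rather than the author's own script: it mirrors every local profile on a workstation to the file server, skips the junction points and caches that make naive profile copies explode, tolerates the files that are locked while a user is logged on, and registers itself as a scheduled task. The paths C:\Users, \\FS01\ProfileBackup$, C:\Logs and C:\Scripts\Backup-Profiles.ps1 are assumptions; the computer account needs Modify on the share because the task runs as SYSTEM.

```powershell
# Added example, not the article's script: copy every local profile on this
# workstation to the file server, skipping junctions, caches and locked hives,
# and register the copy to run twice a day as SYSTEM. Assumed paths: C:\Users,
# \\FS01\ProfileBackup$ (the computer account needs Modify on it), C:\Logs,
# and this script saved as C:\Scripts\Backup-Profiles.ps1.
$source = 'C:\Users'
$dest   = "\\FS01\ProfileBackup$\$env:COMPUTERNAME"
$log    = "C:\Logs\profile-backup-$(Get-Date -Format yyyyMMdd-HHmm).log"
New-Item -ItemType Directory -Path (Split-Path $log) -Force | Out-Null

$rcArgs = @(
    $source, $dest,
    '/E',             # all subfolders. /MIR would also delete on the server what a
                      # user deleted locally, which defeats the purpose of the copy
    '/XJ',            # skip junctions: a profile contains recursive ones
    '/COPY:DAT',      # data, attributes, timestamps (add S to keep ACLs)
    '/R:1', '/W:1',   # locked files are expected; do not retry for minutes
    '/XD', 'Temp', 'INetCache', 'WebCache',   # browser and app caches
    '/XF', 'ntuser.dat*', 'UsrClass.dat*',    # registry hives, locked while logged on
    '/NP', '/NDL', "/LOG:$log"
)
& robocopy.exe @rcArgs
# Exit codes below 8 are success (bits 1/2/4 = copied, extras, mismatches).
if ($LASTEXITCODE -ge 8) { throw "robocopy failed with code $LASTEXITCODE, see $log" }

# One-time registration (run elevated): 12:00 and 18:00 every day as SYSTEM.
if (-not (Get-ScheduledTask -TaskName 'Backup-Profiles' -ErrorAction SilentlyContinue)) {
    $action   = New-ScheduledTaskAction -Execute 'powershell.exe' `
                    -Argument '-NoProfile -ExecutionPolicy Bypass -File C:\Scripts\Backup-Profiles.ps1'
    $triggers = @((New-ScheduledTaskTrigger -Daily -At '12:00'),
                  (New-ScheduledTaskTrigger -Daily -At '18:00'))
    Register-ScheduledTask -TaskName 'Backup-Profiles' -Action $action -Trigger $triggers `
        -User 'SYSTEM' -RunLevel Highest | Out-Null
}
```

The choice of /E over /MIR is deliberate: a mirror would propagate a user's accidental deletion to the server at the next run, which is exactly the "crooked hands" case the copy is meant to cover. The hives are excluded because they are held open while the user is logged on; this is a copy of the user's files, not a full profile backup.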

At its core, the system administrator is king and god for everyone who uses the organization's computers.

Who is personally responsible for the stable, uninterrupted operation of the network, computers and peripherals? Right, the sysadmin.

All users are essentially hired workers, here today and gone tomorrow, to whom the organization has lent a computer for carrying out their duties. The system administrator answers for that computer working stably. So nothing the system administrator does with computers, peripherals and the like is open to discussion or appeal by users. If it has been said that the profile will be limited to 3 GB, then so it will be; if it has been said that the hardware in a user's computer has to be replaced, or the OS reinstalled, then the user quietly nods and waits for the computer to be returned, and in the meantime sits down at another computer or gets a replacement from the system administrator. You do not meddle in the work of the planning, accounting or personnel departments, so nobody has the right to interfere with or even comment on your work. And I firmly cut short conversations along the lines of "I want to keep my personal vacation photos and videos on my desktop": keep your photos on another local drive, on a flash drive, or on the separate file server deployed specifically for that purpose.

That, briefly, is the degree of responsibility and subordination in my organization. And that is why I will definitely never have 500 workstations with 300 GB profiles.

In the comments on the previous article about roaming profiles, user naves was surprised at why there were so many OUs. By the way, Naves, for you personally: do you know where the V2 and V6 profiles come from? I will tell you.

If you enter the profile path for user Ivanov in the Profile tab of the account's properties, without any suffix:

then the folder Ivanov.V2 is created when that user logs on from Windows 7, and Ivanov.V6 when the same user logs on from Windows 10. The suffix records the profile format of the client OS, because profiles of different generations are not interchangeable: .V2 for Windows Vista and 7, .V3 for Windows 8, .V4 for Windows 8.1, .V5 for Windows 10 1507 and 1511, and .V6 for Windows 10 1607 and later (including Windows 11 and Server 2016 and later). One account therefore gets one roaming profile folder per client generation, which is where the "extra" folders on the file server come from.
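The suffix rule above, written out as a small helper so that the folder a given client will create (or the folders an account has already accumulated) can be checked before anyone goes hunting for a "lost" profile. This is an added example, not code from the article; the user name Ivanov, the share \\FS01\Profiles$ and the build numbers passed in are assumptions, while the version thresholds are the documented suffix boundaries (Windows 10 1607 is build 14393).

```powershell
# Added example, not from the article: which roaming profile folder a client
# OS will create for the profile path set on the AD account, and which
# suffixed folders already exist on the server. Names are assumed.
function Get-RoamingProfileSuffix {
    param([Parameter(Mandatory)][version]$OsVersion)
    switch ($OsVersion) {
        { $_ -lt [version]'6.0' }  { return '' }     # XP / 2003: no suffix
        { $_ -lt [version]'6.2' }  { return '.V2' }  # Vista, 7, 2008, 2008 R2
        { $_ -lt [version]'6.3' }  { return '.V3' }  # Windows 8, 2012
        { $_ -lt [version]'10.0' } { return '.V4' }  # Windows 8.1, 2012 R2
        { $_.Build -lt 14393 }     { return '.V5' }  # Windows 10 1507 / 1511
        default                    { return '.V6' }  # Windows 10 1607+, 11, 2016+
    }
}

function Get-RoamingProfileFolder {
    param(
        [Parameter(Mandatory)][string]$ProfilePath,  # the Profile path field, no suffix
        [Parameter(Mandatory)][version]$OsVersion
    )
    return $ProfilePath.TrimEnd('\') + (Get-RoamingProfileSuffix -OsVersion $OsVersion)
}

function Get-ExistingProfileVersions {
    # Lists the Ivanov.V2, Ivanov.V6, ... folders already on the profile share.
    param([Parameter(Mandatory)][string]$ProfileRoot,
          [Parameter(Mandatory)][string]$SamAccountName)
    Get-ChildItem -Path $ProfileRoot -Directory -ErrorAction Stop |
        Where-Object { $_.Name -match "^$([regex]::Escape($SamAccountName))(\.V\d+)?$" } |
        Select-Object -ExpandProperty Name
}

# Same account, two client generations (assumed build numbers):
Get-RoamingProfileFolder -ProfilePath '\\FS01\Profiles$\Ivanov' -OsVersion '6.1.7601'
Get-RoamingProfileFolder -ProfilePath '\\FS01\Profiles$\Ivanov' -OsVersion '10.0.19045'
# What the file server actually holds for Ivanov today:
Get-ExistingProfileVersions -ProfileRoot '\\FS01\Profiles$' -SamAccountName 'Ivanov'
```

The two calls resolve to Ivanov.V2 and Ivanov.V6, which is the Windows 7 / Windows 10 pair the article describes; the client's own version is what Windows consults, so an account's profile path should never carry the suffix itself.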

In the previous article I offered you an option without these versioned profiles.

Sorry, I got distracted.

In my organization, and not only in mine, there are people who bring their own flash drives or SSDs and copy something from them to their computer every day. Well, let them copy, if they want it so much; these are harmless users. They just copy vacation photos, as user kuzzdra noted in the comments. Although for that purpose, I repeat, there is a separate file server with permissions set per user.

But there are also hands-on experimenters who absolutely must poke around in something: clean the registry, install some obscure cracked program, install a super-duper trendy computer cleaner, put gadgets on the desktop, and so on in the same spirit. What programs they have on their media, God only knows. And then they shrug when the OS won't boot or their personal files vanish: "I don't know, comrade commander; I don't know, comrade commander." It often happened that the system would not start at all.

On top of that, disguised Trojans get dragged in mercilessly. An antivirus is installed, but it does not always help. And then I just want to kill the culprit.

Okay, closer to the topic.

Why so many OUs? Let's figure it out. At the moment we have this structure:

The ACCOUNTING OU has one common GPO for everyone: it applies to every account placed in that OU. But then we need to apply different policies to different users.

Another example: user Ivanova brings in flash drives with who-knows-what on them. Whatever the antivirus fails to neutralize then spreads across the network. Or she drags onto her computer a program that turns out to be a Trojan. What can you do? Right: give the impudent redhead a slap. Joke. The best option is to shut her USB ports tight.

For such "hackers" we create a GPO that completely blocks all removable storage classes on the computer, or, more simply, flash drives, external hard drives, photo and video equipment and anything else that can be plugged into a computer as storage.

The policy is created on the user side: in the GPO editor it lives under User Configuration > Policies > Administrative Templates > System > Removable Storage Access, as the setting "All Removable Storage classes: Deny all access". Here you can see the structure of such a user-side GPO.

And so that it applies only to the offenders and not to law-abiding citizens, that is exactly why this OU hierarchy was created. We link the policy (drag and drop in the Group Policy Management console) to the OU that holds Ivanova's account. Now the policy works only for her. And because it is a user policy, even when she sits down at another computer under her own account, the ports will be closed for that account there too.

This policy will not get in the way of other users; their ports keep working.

We link user Petrov to another GPO, for example one that disables all desktop gadgets.

For user Sidorov we apply a policy that restricts access to the Internet.

And that is how we apply different (or the same) policies to different users.
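The Ivanova case, scripted, as an added example that is not the author's own code. It builds the user-side GPO that denies all removable storage classes (the registry value it writes, Deny_All under Software\Policies\Microsoft\Windows\RemovableStorageDevices, is the one behind the setting named above) and then links it the article's way, to a per-user OU. The alternative branch is the caveat a practitioner will want: the same "only Ivanova" effect is normally obtained with one link on ACCOUNTING plus security filtering by group, which needs no per-user OUs. The domain corp.local, the OU names, the account Ivanova and the group GPO-DenyRemovableStorage are assumptions.

```powershell
# Added example, not the article's own script. Builds the user-side GPO that
# blocks all removable storage, then links it either the article's way (to a
# per-user OU) or via security-group filtering, which needs no extra OUs.
# Assumed names: domain corp.local, OU=ACCOUNTING, a per-user OU "Ivanova"
# under it, account Ivanova and group GPO-DenyRemovableStorage.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$gpoName      = 'User - Deny all removable storage'
$accountingOu = 'OU=ACCOUNTING,DC=corp,DC=local'
$ivanovaOu    = "OU=Ivanova,$accountingOu"
$groupName    = 'GPO-DenyRemovableStorage'
$perUserOu    = $true   # $false = flat OU tree with security filtering

try   { $gpo = Get-GPO -Name $gpoName -ErrorAction Stop }
catch { $gpo = New-GPO -Name $gpoName -Comment 'Removable Storage Access: deny all classes (user side)' }

# Registry value behind "All Removable Storage classes: Deny all access".
# An HKCU key lands in User Configuration, so the block follows the account.
Set-GPRegistryValue -Name $gpoName `
    -Key 'HKCU\Software\Policies\Microsoft\Windows\RemovableStorageDevices' `
    -ValueName 'Deny_All' -Type DWord -Value 1 | Out-Null

function Add-GpoLinkOnce {
    param([string]$Gpo, [string]$Target)
    $linked = (Get-GPInheritance -Target $Target).GpoLinks | Where-Object DisplayName -eq $Gpo
    if (-not $linked) { New-GPLink -Name $Gpo -Target $Target -LinkEnabled Yes | Out-Null }
}

if ($perUserOu) {
    # The article's approach: the OU contains only Ivanova, so only she gets it.
    Add-GpoLinkOnce -Gpo $gpoName -Target $ivanovaOu
} else {
    # One link on ACCOUNTING; membership of the group decides who applies it.
    if (-not (Get-ADGroup -Filter "Name -eq '$groupName'")) {
        New-ADGroup -Name $groupName -GroupScope Global -GroupCategory Security -Path $accountingOu | Out-Null
    }
    Add-ADGroupMember -Identity $groupName -Members 'Ivanova'
    Add-GpoLinkOnce -Gpo $gpoName -Target $accountingOu
    Set-GPPermission -Name $gpoName -TargetName $groupName -TargetType Group -PermissionLevel GpoApply | Out-Null
    # Keep Read for Authenticated Users: since MS16-072 the user half of a GPO
    # is fetched in the computer's security context, and without Read it
    # silently stops applying. -Replace drops the default Apply, leaving Read.
    Set-GPPermission -Name $gpoName -TargetName 'Authenticated Users' -TargetType Group -PermissionLevel GpoRead -Replace | Out-Null
}
```

Either branch gives a user policy, so Ivanova carries the block to any computer she logs on to, exactly as the article says. The filtering branch scales to Petrov's and Sidorov's policies as more groups rather than more OUs, and it keeps the OU tree readable for delegation, which is what an OU is really for.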

Why such a number of OUs? I hope I have answered the comment.

But there is one big drawback to this: the new policy does not reach the user instantly. Group Policy is pulled by the client, not pushed by the server. The workstation reads user policy at logon and then in the background every 90 minutes plus a random offset of up to 30 minutes, and some settings only take effect at the next logon or reboot. For removable storage access in particular, a device that is already plugged in may keep working until it is reconnected or the machine is rebooted; Microsoft even ships a companion setting, "Set time (in seconds) to force reboot", for exactly that. So if the user keeps the machine on all the time, what then? Wait for the next background refresh and hope that setting is one of those applied without a reboot? What if there is no time to wait and the policy has to be applied right now?

Is it possible to apply a policy without rebooting the computer, so that it takes effect immediately, let's say, as soon as you enable it?
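The standard answer, as an added example and not the author's own solution (that is in the next article): trigger the user-side refresh on the workstation from the admin's console with Invoke-GPUpdate, which schedules gpupdate /target:user /force for each logged-on user without a logoff or reboot, then confirm that the value has actually landed in that user's registry hive instead of assuming it has. The workstation PC-ACC-07 and the account Ivanova are assumptions; Invoke-GPUpdate needs the "Remote Scheduled Tasks Management" firewall rule group open on the client and the check needs WinRM.

```powershell
# Added example, not the article's solution. Forces the user half of Group
# Policy to refresh on a workstation right now and checks that the removable
# storage block has reached the logged-on user's registry. Assumed names:
# PC-ACC-07 and account Ivanova. Invoke-GPUpdate needs the "Remote Scheduled
# Tasks Management" firewall rules open on the client; the check needs WinRM.
Import-Module GroupPolicy

function Update-UserPolicyNow {
    param([Parameter(Mandatory)][string]$Computer)
    # Schedules "gpupdate /target:user /force" for every logged-on user on the
    # client. No logoff or reboot; -LogOff / -Boot exist for settings that need one.
    Invoke-GPUpdate -Computer $Computer -Target User -Force -RandomDelayInMinutes 0
}

function Test-RemovableStorageDenied {
    param([Parameter(Mandatory)][string]$Computer,
          [Parameter(Mandatory)][string]$SamAccountName)
    Invoke-Command -ComputerName $Computer -ArgumentList $SamAccountName -ScriptBlock {
        param($Sam)
        # HKCU in a remote session is the admin's hive, not the user's; read the
        # user's hive under HKEY_USERS by SID (it is loaded while she is logged on).
        $sid = (New-Object System.Security.Principal.NTAccount($Sam)).Translate(
                   [System.Security.Principal.SecurityIdentifier]).Value
        $key = "Registry::HKEY_USERS\$sid\Software\Policies\Microsoft\Windows\RemovableStorageDevices"
        $v = Get-ItemProperty -Path $key -Name Deny_All -ErrorAction SilentlyContinue
        [bool]($v -and $v.Deny_All -eq 1)
    }
}

Update-UserPolicyNow -Computer 'PC-ACC-07'
Start-Sleep -Seconds 30     # give the scheduled gpupdate time to finish
if (Test-RemovableStorageDenied -Computer 'PC-ACC-07' -SamAccountName 'Ivanova') {
    'Deny_All is in place; devices plugged in from now on are blocked'
} else {
    'Policy not applied yet; check gpresult /r /scope:user on the client'
}
```

Two caveats worth keeping in mind: the refresh only does something if Ivanova is logged on, because a user policy is applied to a session, not to a machine; and a drive that was already mounted when the value arrived is the case the "force reboot" setting exists for, so the check above proves the policy is present, not that an in-use device has been cut off.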

There is a solution, but it is not entirely simple. I will describe it in another article. After reading it, many will say it is completely unnecessary, and they will be right. Yes, I agree that the further setup is extra work that almost nobody will ever use. Moreover, to make the next policy apply you have to do some manipulation on the user's computer, or rather some configuration.

I wanted to apply a policy to the user instantly, without rebooting the computer. I succeeded, and I am using this solution, though so far only on 3 computers. Why only 3?

That material will be in the next article. For now I am just laying the groundwork so that I can explain everything simply and clearly.

Thanks everyone and good luck!
