Windows 2003 GPO - Default Domain Policy

Hello, List,

New here, but the list seems very active, hope someone can help!

Currently, my default domain policy is neither linked nor enforced.

Following Microsoft's recommendation, in order to use GPO for a simple login script, I applied and linked a gpo to domain.com/OU/Users, rather than to the whole domain via the default domain policy.

Now I want to apply Security Center/firewall, etc. settings through GPO. I have been having issues with ID10T errors because people are not patching their machines, getting viruses, trojans, etc.

Trouble is, the users container (of course) does not contain any Domain Computers.

Domain Computers is not an available object in the GPOMC that I can apply a GPO to.

Domain Computers is not a part of the OU that users are a part of.

Domain Computers are all a part of the domain root (domain.com), and, as mentioned above, do not show up as an available group that I could apply a policy to. The computers are also not members of the OU that the users are in. This is a small domain, I don't even see the precise need for an OU, but I didn't create it.

My dilemma:

I do not want a GPO that I create for Security Center, etc. to apply to the whole domain, i.e. all objects in AD; I just want to apply it to Domain Computers, but Domain Computers is not available as an object that one could apply a GPO to.

How can I create a GPO that will apply the settings I have configured for Computer, without impacting the entire domain?

TIA,

H. Scott


Yeah.. exactly.. you will want to create a new OU and put all the computers in there. Then create a new policy and put your firewall settings in that new policy, then apply the new policy to the OU..

Me personally, I like to leave the default domain policy alone and create a new policy called User_Logon_Scripts or Computer_Logon_Scripts. This way I know exactly what is in the policy and what it applies to. It makes it much easier to manage when you can just look at the name and find what you are looking for.. also keeping user and computer policies separate keeps you from having to do funny loopback tactics, or mangling your AD structure. I know this wasn't the scope of the question but just thought I would add a little help.

In general it's not good practice to make any changes to the top level domain policy, so you're smart in not doing so. I second (or is that third?) the suggestion of creating an OU (or multiple OUs) to contain computer objects, and apply Computer GPO settings to that OU or that set of OUs.

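The procedure both replies describe (a dedicated OU for the computer objects, a separate computer-only GPO linked to that OU, and the Default Domain Policy left untouched), written out as an added PowerShell example that is not part of this thread. It assumes the ActiveDirectory and GroupPolicy modules from RSAT (Windows Server 2008 R2 or later, so newer tooling than the Windows 2003 GPMC the original poster was using) and a domain named domain.com as in the question; the OU name `Workstations`, the GPO name `Computer_Security_Center` and the sample firewall value are choices made here, not taken from the thread.

```powershell
# Added example, not from the thread. Assumes RSAT's ActiveDirectory and
# GroupPolicy modules; OU/GPO names below are placeholders chosen here.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domainDN = (Get-ADDomain).DistinguishedName      # e.g. DC=domain,DC=com
$ouName   = 'Workstations'                        # assumed OU name
$ouDN     = "OU=$ouName,$domainDN"
$gpoName  = 'Computer_Security_Center'            # assumed GPO name

# 1. Create an OU to hold computer objects, unless it already exists.
$existing = Get-ADOrganizationalUnit -Filter "Name -eq '$ouName'" `
                -SearchBase $domainDN -SearchScope OneLevel
if (-not $existing) {
    New-ADOrganizationalUnit -Name $ouName -Path $domainDN `
        -ProtectedFromAccidentalDeletion $true
}

# 2. Move computer objects out of the default CN=Computers container into the OU.
#    Domain controllers are never in that container, so they are not touched.
Get-ADComputer -SearchBase "CN=Computers,$domainDN" -Filter * |
    ForEach-Object { Move-ADObject -Identity $_.DistinguishedName -TargetPath $ouDN }

# 3. Create a dedicated computer policy and link it to the OU only.
#    The Default Domain Policy is left alone, as both replies recommend.
try   { $gpo = Get-GPO -Name $gpoName -ErrorAction Stop }
catch { $gpo = New-GPO -Name $gpoName -Comment 'Computer-side Security Center / Windows Firewall settings' }
if (-not ((Get-GPInheritance -Target $ouDN).GpoLinks | Where-Object DisplayName -eq $gpoName)) {
    New-GPLink -Name $gpoName -Target $ouDN -LinkEnabled Yes | Out-Null
}

# 4. Disable the User half of the GPO so only Computer Configuration is processed;
#    this is what makes loopback processing unnecessary.
$gpo.GpoStatus = 'UserSettingsDisabled'

# 5. One sample setting: turn the Windows Firewall on for the domain profile.
#    Registry path is the documented Windows Firewall policy location.
Set-GPRegistryValue -Name $gpoName `
    -Key 'HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile' `
    -ValueName 'EnableFirewall' -Type DWord -Value 1 | Out-Null

# 6. Verify: the new GPO is linked at the OU, and nothing new was linked at the domain root.
(Get-GPInheritance -Target $ouDN).GpoLinks     | Select-Object DisplayName, Enabled, Order
(Get-GPInheritance -Target $domainDN).GpoLinks | Select-Object DisplayName, Enabled, Order
```

Run it once from an elevated session as a domain admin; the two `Get-GPInheritance` calls at the end are the check that the policy landed on the OU and not at `domain.com`. New workstations still join into `CN=Computers` by default, so either move them after joining or use `redircmp` to point new joins at the OU.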