| Author | Messages | |
dhealys
Posts:0
 | | 12/30/2009 6:26 AM |
| hi,
im involved in a group policy project to move servers from one ou too a new
ou structure. involves moving 20 servers, the new ou has a complete new
group policy defined. not confident that move will ensure no problems,
anybody out there that has done a similar project, also what would the roll
back strategy be if all moves fail and nothing is working with server
moved.
| | | |
| dmarelia
Posts:441
| | 12/30/2009 2:57 PM |
| Hey there. This is *generally* straightforward. However, some things to consider:
-- when you move OUs, GP doesn't pick up the OU move right away. There is some internal caching mechanism in GP that waits a while before refreshing what OU the machine is in. I haven't found a good formula for this, other than it exists. Just something to be aware of
-- you have to be cognizant of the kinds of policies you're moving from, and to. In other words, some policy, when the GPO no longer applies (i.e. a move from the source OU), will remove themselves. Other policy (e.g. many security policies) won't, and thus, if you don't want those policies in effect in the new OU structure, you'll have to explicitly set them to what you want.
Bottom line is that don't assume that all the old policies will go away when you move to your new OU structure.
Darren
-----Original Message-----
From: xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx] On Behalf Of xxxxxxxxxxxxxxxx
Sent: Tuesday, December 29, 2009 10:24 PM
To: xxxxxxxxxxxxxxxx
Subject: [gptalk] moving servers from one ou to another out and rollback
hi,
im involved in a group policy project to move servers from one ou too a new
ou structure. involves moving 20 servers, the new ou has a complete new
group policy defined. not confident that move will ensure no problems,
anybody out there that has done a similar project, also what would the roll
back strategy be if all moves fail and nothing is working with server
moved.
| | | |
| Wornell1
Posts:21
| | 12/30/2009 3:07 PM |
| This sounds like it would be a good candidate for Group Policy Modeling to see if anything jumps out as being an issue
Kevin
Kevin Wornell
Office Technology Group
-----Original Message-----
From: xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx] On Behalf Of Darren Mar-Elia
Sent: Wednesday, December 30, 2009 8:56 AM
To: xxxxxxxxxxxxxxxx
Subject: RE: [gptalk] moving servers from one ou to another out and rollback
Hey there. This is *generally* straightforward. However, some things to consider:
-- when you move OUs, GP doesn't pick up the OU move right away. There is some internal caching mechanism in GP that waits a while before refreshing what OU the machine is in. I haven't found a good formula for this, other than it exists. Just something to be aware of
-- you have to be cognizant of the kinds of policies you're moving from, and to. In other words, some policy, when the GPO no longer applies (i.e. a move from the source OU), will remove themselves. Other policy (e.g. many security policies) won't, and thus, if you don't want those policies in effect in the new OU structure, you'll have to explicitly set them to what you want.
Bottom line is that don't assume that all the old policies will go away when you move to your new OU structure.
Darren
-----Original Message-----
From: xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx] On Behalf Of xxxxxxxxxxxxxxxx
Sent: Tuesday, December 29, 2009 10:24 PM
To: xxxxxxxxxxxxxxxx
Subject: [gptalk] moving servers from one ou to another out and rollback
hi,
im involved in a group policy project to move servers from one ou too a new
ou structure. involves moving 20 servers, the new ou has a complete new
group policy defined. not confident that move will ensure no problems,
anybody out there that has done a similar project, also what would the roll
back strategy be if all moves fail and nothing is working with server
moved.
Notice of Confidentiality
This transmission contains information that may be confidential. It has been prepared for the sole and exclusive use of the intended recipient and on the basis agreed with that person. If you are not the intended recipient of the message (or authorized to receive it for the intended recipient), you should notify us immediately; you should delete it from your system and may not disclose its contents to anyone else.
This e-mail has come to you from Watson Wyatt & Company.
| | | |
| dhealys
Posts:0
| | 12/31/2009 4:32 AM |
| thanks guys, my problem is that i will be moving production boxes like sql
servers to a ou new environment, with new gpo's set. very difficult to
test
in test environment, and have very little time for experimenting once they
are sent into live environment, i can see big problems. anyone with
actual live experience of this would be great, appreciate everyones
comments so far.
On Wed, 30 Dec 2009 10:05:42 -0500, "Wornell, Kevin (Dallas)"
<xxxxxxxxxxxxxxxx> wrote:
> This sounds like it would be a good candidate for Group Policy Modeling
to
> see if anything jumps out as being an issue
>
> Kevin
>
> Kevin Wornell
> Office Technology Group
> -----Original Message-----
> From: xxxxxxxxxxxxxxxx
[mailto:xxxxxxxxxxxxxxxx]
> On Behalf Of Darren Mar-Elia
> Sent: Wednesday, December 30, 2009 8:56 AM
> To: xxxxxxxxxxxxxxxx
> Subject: RE: [gptalk] moving servers from one ou to another out and
> rollback
>
> Hey there. This is *generally* straightforward. However, some things to
> consider:
>
> -- when you move OUs, GP doesn't pick up the OU move right away. There is
> some internal caching mechanism in GP that waits a while before
refreshing
> what OU the machine is in. I haven't found a good formula for this, other
> than it exists. Just something to be aware of
> -- you have to be cognizant of the kinds of policies you're moving from,
> and to. In other words, some policy, when the GPO no longer applies (i.e.
a
> move from the source OU), will remove themselves. Other policy (e.g. many
> security policies) won't, and thus, if you don't want those policies in
> effect in the new OU structure, you'll have to explicitly set them to
what
> you want.
>
> Bottom line is that don't assume that all the old policies will go away
> when you move to your new OU structure.
>
> Darren
>
>
>
> -----Original Message-----
> From: xxxxxxxxxxxxxxxx
[mailto:xxxxxxxxxxxxxxxx]
> On Behalf Of xxxxxxxxxxxxxxxx
> Sent: Tuesday, December 29, 2009 10:24 PM
> To: xxxxxxxxxxxxxxxx
> Subject: [gptalk] moving servers from one ou to another out and rollback
>
> hi,
>
> im involved in a group policy project to move servers from one ou too a
new
> ou structure. involves moving 20 servers, the new ou has a complete new
> group policy defined. not confident that move will ensure no problems,
> anybody out there that has done a similar project, also what would the
roll
> back strategy be if all moves fail and nothing is working with server
> moved.
>
>
> Notice of Confidentiality
> This transmission contains information that may be confidential. It has
> been prepared for the sole and exclusive use of the intended recipient
and
> on the basis agreed with that person. If you are not the intended
> recipient of the message (or authorized to receive it for the intended
> recipient), you should notify us immediately; you should delete it from
> your system and may not disclose its contents to anyone else.
>
> This e-mail has come to you from Watson Wyatt & Company.
| | | |
| JamieNelson
Posts:0
| | 12/31/2009 5:24 PM |
| Yeah, it would be hard to test, but your best bet, as someone already mentioned, would be to use Group Policy Modeling to simulate a computer residing in that new OU. Save the cumulative settings report it produces and compare that to a Group Policy Results query of where the computer currently resides. Finding the differences between the two will help you identify potential problem areas (i.e. new policies, policies with different settings, absent policies, etc) before you actually move.
Be very mindful of security policies, as Darren mentioned, because even if they are absent in the new location, it doesn't necessarily mean they will be removed when you change OUs.
Jamie Nelson | Sr. Administrator | BI&T Infrastructure-Intel | Devon Energy Corporation | Work: 405.552.8054 | Mobile: 405.248.7963 | http://www.dvn.com
-----Original Message-----
From: xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx] On Behalf Of xxxxxxxxxxxxxxxx
Sent: Wednesday, December 30, 2009 10:32 PM
To: xxxxxxxxxxxxxxxx
Subject: RE: [gptalk] moving servers from one ou to another out and rollback
thanks guys, my problem is that i will be moving production boxes like sql
servers to a ou new environment, with new gpo's set. very difficult to
test
in test environment, and have very little time for experimenting once they
are sent into live environment, i can see big problems. anyone with
actual live experience of this would be great, appreciate everyones
comments so far.
On Wed, 30 Dec 2009 10:05:42 -0500, "Wornell, Kevin (Dallas)"
<xxxxxxxxxxxxxxxx> wrote:
> This sounds like it would be a good candidate for Group Policy Modeling
to
> see if anything jumps out as being an issue
>
> Kevin
>
> Kevin Wornell
> Office Technology Group
> -----Original Message-----
> From: xxxxxxxxxxxxxxxx
[mailto:xxxxxxxxxxxxxxxx]
> On Behalf Of Darren Mar-Elia
> Sent: Wednesday, December 30, 2009 8:56 AM
> To: xxxxxxxxxxxxxxxx
> Subject: RE: [gptalk] moving servers from one ou to another out and
> rollback
>
> Hey there. This is *generally* straightforward. However, some things to
> consider:
>
> -- when you move OUs, GP doesn't pick up the OU move right away. There is
> some internal caching mechanism in GP that waits a while before
refreshing
> what OU the machine is in. I haven't found a good formula for this, other
> than it exists. Just something to be aware of
> -- you have to be cognizant of the kinds of policies you're moving from,
> and to. In other words, some policy, when the GPO no longer applies (i.e.
a
> move from the source OU), will remove themselves. Other policy (e.g. many
> security policies) won't, and thus, if you don't want those policies in
> effect in the new OU structure, you'll have to explicitly set them to
what
> you want.
>
> Bottom line is that don't assume that all the old policies will go away
> when you move to your new OU structure.
>
> Darren
>
>
>
> -----Original Message-----
> From: xxxxxxxxxxxxxxxx
[mailto:xxxxxxxxxxxxxxxx]
> On Behalf Of xxxxxxxxxxxxxxxx
> Sent: Tuesday, December 29, 2009 10:24 PM
> To: xxxxxxxxxxxxxxxx
> Subject: [gptalk] moving servers from one ou to another out and rollback
>
> hi,
>
> im involved in a group policy project to move servers from one ou too a
new
> ou structure. involves moving 20 servers, the new ou has a complete new
> group policy defined. not confident that move will ensure no problems,
> anybody out there that has done a similar project, also what would the
roll
> back strategy be if all moves fail and nothing is working with server
> moved.
>
>
> Notice of Confidentiality
> This transmission contains information that may be confidential. It has
> been prepared for the sole and exclusive use of the intended recipient
and
> on the basis agreed with that person. If you are not the intended
> recipient of the message (or authorized to receive it for the intended
> recipient), you should notify us immediately; you should delete it from
> your system and may not disclose its contents to anyone else.
>
> This e-mail has come to you from Watson Wyatt & Company.
Confidentiality Warning: This message and any attachments are intended only for the use of the intended recipient(s), are confidential, and may be privileged.
If you are not the intended recipient, you are hereby notified that any review, retransmission, conversion to hard copy, copying, circulation or other use of all or any portion of this message and any attachments is strictly prohibited. If you are not the intended recipient, please notify the sender immediately by return e-mail, and delete this message and any attachments from your system.
| | | |
| dmarelia
Posts:441
| | 12/31/2009 5:46 PM |
| Jamie's last point is key. GP Modeling will not report on old settings that still remain with the machines after they move.
Darren
-----Original Message-----
From: xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx] On Behalf Of Nelson, Jamie
Sent: Thursday, December 31, 2009 9:22 AM
To: xxxxxxxxxxxxxxxx
Subject: RE: [gptalk] moving servers from one ou to another out and rollback
Yeah, it would be hard to test, but your best bet, as someone already mentioned, would be to use Group Policy Modeling to simulate a computer residing in that new OU. Save the cumulative settings report it produces and compare that to a Group Policy Results query of where the computer currently resides. Finding the differences between the two will help you identify potential problem areas (i.e. new policies, policies with different settings, absent policies, etc) before you actually move.
Be very mindful of security policies, as Darren mentioned, because even if they are absent in the new location, it doesn't necessarily mean they will be removed when you change OUs.
Jamie Nelson | Sr. Administrator | BI&T Infrastructure-Intel | Devon Energy Corporation | Work: 405.552.8054 | Mobile: 405.248.7963 | http://www.dvn.com
-----Original Message-----
From: xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx] On Behalf Of xxxxxxxxxxxxxxxx
Sent: Wednesday, December 30, 2009 10:32 PM
To: xxxxxxxxxxxxxxxx
Subject: RE: [gptalk] moving servers from one ou to another out and rollback
thanks guys, my problem is that i will be moving production boxes like sql
servers to a ou new environment, with new gpo's set. very difficult to
test
in test environment, and have very little time for experimenting once they
are sent into live environment, i can see big problems. anyone with
actual live experience of this would be great, appreciate everyones
comments so far.
On Wed, 30 Dec 2009 10:05:42 -0500, "Wornell, Kevin (Dallas)"
<xxxxxxxxxxxxxxxx> wrote:
> This sounds like it would be a good candidate for Group Policy Modeling
to
> see if anything jumps out as being an issue
>
> Kevin
>
> Kevin Wornell
> Office Technology Group
> -----Original Message-----
> From: xxxxxxxxxxxxxxxx
[mailto:xxxxxxxxxxxxxxxx]
> On Behalf Of Darren Mar-Elia
> Sent: Wednesday, December 30, 2009 8:56 AM
> To: xxxxxxxxxxxxxxxx
> Subject: RE: [gptalk] moving servers from one ou to another out and
> rollback
>
> Hey there. This is *generally* straightforward. However, some things to
> consider:
>
> -- when you move OUs, GP doesn't pick up the OU move right away. There is
> some internal caching mechanism in GP that waits a while before
refreshing
> what OU the machine is in. I haven't found a good formula for this, other
> than it exists. Just something to be aware of
> -- you have to be cognizant of the kinds of policies you're moving from,
> and to. In other words, some policy, when the GPO no longer applies (i.e.
a
> move from the source OU), will remove themselves. Other policy (e.g. many
> security policies) won't, and thus, if you don't want those policies in
> effect in the new OU structure, you'll have to explicitly set them to
what
> you want.
>
> Bottom line is that don't assume that all the old policies will go away
> when you move to your new OU structure.
>
> Darren
>
>
>
> -----Original Message-----
> From: xxxxxxxxxxxxxxxx
[mailto:xxxxxxxxxxxxxxxx]
> On Behalf Of xxxxxxxxxxxxxxxx
> Sent: Tuesday, December 29, 2009 10:24 PM
> To: xxxxxxxxxxxxxxxx
> Subject: [gptalk] moving servers from one ou to another out and rollback
>
> hi,
>
> im involved in a group policy project to move servers from one ou too a
new
> ou structure. involves moving 20 servers, the new ou has a complete new
> group policy defined. not confident that move will ensure no problems,
> anybody out there that has done a similar project, also what would the
roll
> back strategy be if all moves fail and nothing is working with server
> moved.
>
>
> Notice of Confidentiality
> This transmission contains information that may be confidential. It has
> been prepared for the sole and exclusive use of the intended recipient
and
> on the basis agreed with that person. If you are not the intended
> recipient of the message (or authorized to receive it for the intended
> recipient), you should notify us immediately; you should delete it from
> your system and may not disclose its contents to anyone else.
>
> This e-mail has come to you from Watson Wyatt & Company.
Confidentiality Warning: This message and any attachments are intended only for the use of the intended recipient(s), are confidential, and may be privileged.
If you are not the intended recipient, you are hereby notified that any review, retransmission, conversion to hard copy, copying, circulation or other use of all or any portion of this message and any attachments is strictly prohibited. If you are not the intended recipient, please notify the sender immediately by return e-mail, and delete this message and any attachments from your system.
| | | |
| DarraghOShaughnessy
Posts:177
| | 12/31/2009 6:56 PM |
| You would really have to examine the settings across both OUS and see if there are any conflicts. Main one that spring to mind would be:
- restricted groups
- run as service
- act as part of the operating system
SQL should be easy enough to test. Just check before3 you move what service account is being used to run it and what privileges it has on the OS. The east way to see all the privledges it has is to fire up process explorer from winternals and look at the security tab.
Regards,
Darragh O'Shaughnessy
IT Services Department
E-Mail: xxxxxxxxxxxxxxxx
Ext: 2562
Direct Dial In: 01-7994028
Web Site: www.vhi.ie
Help the environment. If you need to print this email consider using Eco Font to save ink: http://www.ecofont.eu/ecofont_en.html
This e-mail and any files transmitted with it contain information which may be confidential and which may also be privileged and is intended solely for the use of the individual or entity to whom it is addressed. Unless you are the intended recipient you may not copy or use it, or disclose it to anyone else. Any opinions expressed are that of the individual and not necessarily that of Vhi Healthcare. If you have received this e-mail in error please notify the sender by return. This footnote also confirms that this e-mail message has been Swept for the presence of computer viruses.
-----Original Message-----
From: xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx] On Behalf Of xxxxxxxxxxxxxxxx
Sent: 31 December 2009 04:32
To: xxxxxxxxxxxxxxxx
Subject: RE: [gptalk] moving servers from one ou to another out and rollback
thanks guys, my problem is that i will be moving production boxes like sql
servers to a ou new environment, with new gpo's set. very difficult to
test
in test environment, and have very little time for experimenting once they
are sent into live environment, i can see big problems. anyone with
actual live experience of this would be great, appreciate everyones
comments so far.
On Wed, 30 Dec 2009 10:05:42 -0500, "Wornell, Kevin (Dallas)"
<xxxxxxxxxxxxxxxx> wrote:
> This sounds like it would be a good candidate for Group Policy Modeling
to
> see if anything jumps out as being an issue
>
> Kevin
>
> Kevin Wornell
> Office Technology Group
> -----Original Message-----
> From: xxxxxxxxxxxxxxxx
[mailto:xxxxxxxxxxxxxxxx]
> On Behalf Of Darren Mar-Elia
> Sent: Wednesday, December 30, 2009 8:56 AM
> To: xxxxxxxxxxxxxxxx
> Subject: RE: [gptalk] moving servers from one ou to another out and
> rollback
>
> Hey there. This is *generally* straightforward. However, some things to
> consider:
>
> -- when you move OUs, GP doesn't pick up the OU move right away. There is
> some internal caching mechanism in GP that waits a while before
refreshing
> what OU the machine is in. I haven't found a good formula for this, other
> than it exists. Just something to be aware of
> -- you have to be cognizant of the kinds of policies you're moving from,
> and to. In other words, some policy, when the GPO no longer applies (i.e.
a
> move from the source OU), will remove themselves. Other policy (e.g. many
> security policies) won't, and thus, if you don't want those policies in
> effect in the new OU structure, you'll have to explicitly set them to
what
> you want.
>
> Bottom line is that don't assume that all the old policies will go away
> when you move to your new OU structure.
>
> Darren
>
>
>
> -----Original Message-----
> From: xxxxxxxxxxxxxxxx
[mailto:xxxxxxxxxxxxxxxx]
> On Behalf Of xxxxxxxxxxxxxxxx
> Sent: Tuesday, December 29, 2009 10:24 PM
> To: xxxxxxxxxxxxxxxx
> Subject: [gptalk] moving servers from one ou to another out and rollback
>
> hi,
>
> im involved in a group policy project to move servers from one ou too a
new
> ou structure. involves moving 20 servers, the new ou has a complete new
> group policy defined. not confident that move will ensure no problems,
> anybody out there that has done a similar project, also what would the
roll
> back strategy be if all moves fail and nothing is working with server
> moved.
>
>
> Notice of Confidentiality
> This transmission contains information that may be confidential. It has
> been prepared for the sole and exclusive use of the intended recipient
and
> on the basis agreed with that person. If you are not the intended
> recipient of the message (or authorized to receive it for the intended
> recipient), you should notify us immediately; you should delete it from
> your system and may not disclose its contents to anyone else.
>
> This e-mail has come to you from Watson Wyatt & Company.
| | | |
|
|