Honored Contributor.

Multiple GPO Clarification

Just want a little clarification on this. I found one thread that says that all policy settings for a user or device should be in ONE policy.

In another thread, there is this link to documentation: https://www.novell.com/documentation/zenworks113/zen11_cm_policies/data/bb2h0as.html

It mentions plural and singular policies. My question is, what is the PROPER way to handle GPO with ZCM. Previously, when ZCM11 first came out, I was using a single policy for everything for students, then a separate policy for teachers. I moved to an AD district, and with AD, of course, you can have as many separate policies as you want and only to just those OUs or users through ILT.

I was under the assumption that similar could be done with ZCM, but now I'm not so sure. I would like to get a firm answer before proceeding so I'm not banging my head against a wall. It's a lot easier to fix issues and troubleshoot if there are separate policies.

We're thinking about moving to AD, as well, so this might be the straw...
Knowledge Partner

Re: Multiple GPO Clarification

Hi.

On 09.10.2015 at 16:06, farmersLSD wrote:
>
> Just want a little clarification on this. I found one thread that says
> that all policy settings for a user or device should be in ONE policy.


Do you have a link to that by chance?

> In another thread, there is this link to
> documentation: https://www.novell.com/documentation/zenworks113/zen11_cm_policies/data/bb2h0as.html
>
> It mentions plural and singular policies.


Correct.

> My question is, what is the
> PROPER way to handle GPO with ZCM.


The proper way is to use what works and fits your needs. Multiple
policies in ZCM work just fine, but I'd likely keep their count
manageable. Applying multiple policies for instance takes longer than
just one (that's true for AD too BTW).

CU,
--
Massimo Rosen
Novell Knowledge Partner
No emails please!
http://www.cfc-it.de
Knowledge Partner

Re: Multiple GPO Clarification

farmersLSD;2408361 wrote:
> Just want a little clarification on this. I found one thread that says that all policy settings for a user or device should be in ONE policy.
>
> In another thread, there is this link to documentation: https://www.novell.com/documentation/zenworks113/zen11_cm_policies/data/bb2h0as.html
>
> It mentions plural and singular policies. My question is, what is the PROPER way to handle GPO with ZCM. Previously, when ZCM11 first came out, I was using a single policy for everything for students, then a separate policy for teachers. I moved to an AD district, and with AD, of course, you can have as many separate policies as you want and only to just those OUs or users through ILT.
>
> I was under the assumption that similar could be done with ZCM, but now I'm not so sure. I would like to get a firm answer before proceeding so I'm not banging my head against a wall. It's a lot easier to fix issues and troubleshoot if there are separate policies.
>
> We're thinking about moving to AD, as well, so this might be the straw...


I vaguely recall (at one time) there being an optimal way of only using one policy, but I don't recall the specifics, or what ZEN version it applied to.

Whatever you do, it's best to either use AD or ZCM for policies, but odd stuff can happen if you have GPO set in both places (depending upon which policies are being used).

I'd say go with whatever best fits your needs.

IMO, AD is probably "cleaner", but it does have a disadvantage vs. ZCM:
1) If a device (laptop) is off-network you cannot adjust/change the AD GPO because the machine cannot talk to the AD DC to fetch the updated GPO. If you have your firewall stuff set up right, you can have ZCM update a ZCM GPO and get it enforced on an off-network device provided it has https access to the ZCM server.

There may be other disadvantages.

Likewise, ZCM vs. AD:
ZCM actually applies the policy as a LOCAL policy, so it can take a wee bit longer and that's also where you can get into some timing issues if you have an AD GPO (whichever one gets applied last, wins, I think).

Also, if you have machines that lose ZCM connectivity (there's a slew of issues with the past agents that can cause this), then the device may not have its GPO applied at all, or correctly. It's very rare that a workstation (IMO) using AD-delivered GPO ever hits this category (or you'd notice it if the workstation lost the trust relationship with AD because you'd not be able to log in to the device, more than likely without seeing the in-your-face error).

Regardless of which method you go with, remember the matrix and what is actually effective. Even though there's "user" GPO in AD, you can apply device settings to a user, and vice versa, so if you are using both types of GPO and put the wrong setting in, you need to remember how to calculate what the effective result will be.

--Kevin
Honored Contributor.

Re: Multiple GPO Clarification

@mrosen
I don't believe this was the thread, but the gist is the same. It is a little older, so not sure it had changed:
https://forums.novell.com/showthread.php/465902-Multiple-windows-group-policies-with-ZCM

Thanks for the info!

@kjhurni
I didn't know you could allow access to GPO and such off-site. Is that in the documentation?

Another thing that will eventually pop up is the need for GPO across multiple OSes.

I guess my next question would be, should I be looking at moving to DSfW, and would that give me the AD policy functionality I want, while keeping Novell for authentication and files? I'm very much fine with Novell from a network OS standpoint, but AD GPOs are so much easier to work with, and I also get access to GPP and can use Windows RADIUS, etc.

Just wondering if DSfW and IDM would give me what I need.