Test environment in an existing environment

    Question

  • Hi,

     Let's say I have a domain Likeme.org where there are 50 different OUs such as Accounting, Hospital, IT, HR, etc. Is there a method or way for a department (HR) to test in an environment where they don't have any GPOs applied but we keep all the users in one OU so we don't have to create a separate block OU?

    Thanks


    Tuan

    Thursday, May 19, 2016 10:51 PM

Answers

  • So, you have existing GPOs linked to the existing OUs, and/or you are using inheritance?

    The options I can think of are;

    - create a sub-OU & block inheritance on that new OU (e.g. \Testing) under the existing \Accounting\ OU. Identify a user who will test, and move the account to the new \Testing\ OU

    OR

    - edit all existing GPOs to add a Security Filter with a Deny property for the test user

    Note that you should also consider per-computer GP settings - how will you test per-computer settings? Will you move or re-scope for testing of per-computer GPOs too?

    Another alternative might be to create a new testing account for the user, and maybe a testing computer too?


    Don [doesn't work for MSFT, and they're probably glad about that ;]

    Monday, May 23, 2016 9:30 PM
  • Hi,

    That is a great suggestion, which we did.

    So basically we did create 3 new GPOs, which are the combination of 10 GPOs. We would like to test these 3 new GPOs against only the new company's current users. Is there a way to test this without creating a new OU block?

    Thanks


    Tuan


    One more suggestion would be to create a group policy and apply security filtering. By using security filtering, the policy can only apply to the groups specified. NO NEED TO CREATE OU.

    Devaraj G | Technical solution architect

    Tuesday, May 24, 2016 10:33 AM
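
The security-filtering approach suggested in the answers above, sketched in PowerShell as an added example (not code from any poster in the thread). The GPO names, group name and test accounts are hypothetical placeholders, and the OU path assumes an HR OU directly under the Likeme.org domain from the question.

```powershell
# Added example: scope new GPOs to a pilot group with security filtering,
# so users stay in their existing OU. Requires the RSAT ActiveDirectory and
# GroupPolicy modules. All names below are hypothetical placeholders.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$TargetOU   = 'OU=HR,DC=Likeme,DC=org'                         # assumed OU path
$PilotGroup = 'GPO-Pilot-Testers'                              # hypothetical group
$PilotUsers = @('testuser1', 'testuser2')                      # hypothetical accounts
$NewGpos    = @('Merged-GPO-1', 'Merged-GPO-2', 'Merged-GPO-3') # hypothetical GPO names

# 1. Create the pilot group once, then add only accounts not already in it.
if (-not (Get-ADGroup -Filter "Name -eq '$PilotGroup'")) {
    New-ADGroup -Name $PilotGroup -GroupScope Global -GroupCategory Security -Path $TargetOU
}
$current = Get-ADGroupMember -Identity $PilotGroup | Select-Object -ExpandProperty SamAccountName
$toAdd   = $PilotUsers | Where-Object { $_ -notin $current }
if ($toAdd) { Add-ADGroupMember -Identity $PilotGroup -Members $toAdd }

foreach ($gpo in $NewGpos) {
    # 2. Downgrade Authenticated Users from Apply to Read. -Replace is needed
    #    because a lower level does not overwrite a higher one by default.
    #    Read is kept so the GPO can still be read during policy processing.
    Set-GPPermission -Name $gpo -TargetName 'Authenticated Users' -TargetType Group `
        -PermissionLevel GpoRead -Replace | Out-Null

    # 3. Only the pilot group gets Read + Apply. Add test computers to the
    #    group as well if the GPO carries per-computer settings.
    Set-GPPermission -Name $gpo -TargetName $PilotGroup -TargetType Group `
        -PermissionLevel GpoApply | Out-Null

    # 4. Link the GPO to the existing OU if it is not linked yet.
    $linked = (Get-GPInheritance -Target $TargetOU).GpoLinks.DisplayName
    if ($linked -notcontains $gpo) {
        New-GPLink -Name $gpo -Target $TargetOU -LinkEnabled Yes | Out-Null
    }

    # 5. Report who can apply the GPO; expect only the pilot group.
    Get-GPPermission -Name $gpo -All |
        Where-Object { $_.Permission -eq 'GpoApply' } |
        Select-Object @{ n = 'Gpo'; e = { $gpo } },
                      @{ n = 'Trustee'; e = { $_.Trustee.Name } }, Permission
}
```

This scopes only the new GPOs; GPOs already linked to the OU keep applying to the pilot users unless they are filtered or blocked separately. Running `gpresult /r` as a pilot user after the next policy refresh shows which GPOs were applied and which were filtered out.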

All replies

  • Hi,

    Thanks for your post.

    Would you please describe more details about your requirement so that we can give some suggestions to you?

    Besides, we do not recommend performing tests on the production server.

    To create an AD test environment that is similar to the production one, proceed as follows:

    • Add an additional DC and make it a DNS and GC server.
    • Make sure that AD replication is made correctly and then isolate the new DC.
    • Perform a metadata cleanup on DCs in your production environment so that you delete references to the new DC.
    • Perform a metadata cleanup on the new DC so that you delete references to old DCs.
    • Resize FSMO roles on the new DC.
    • Promote additional DCs on the new test environment.

    Please never connect the new DC to your production environment.

    Some articles for your reference:

    Create A Test Domain (Old Style)

    https://dirteam.com/paul/2012/07/03/create-a-test-domain-old-style/

    Please Note: Since the web site is not hosted by Microsoft, the link may change without notice. Microsoft does not guarantee the accuracy of this information.

    Best Regards,

    Alvin Wang


    Please remember to mark the replies as answers if they help and un-mark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Friday, May 20, 2016 3:23 AM
    Moderator
  • Thanks for the feedback. Basically we merged with another company and their OUs are already under our domain. They have so many computers and users OUs and so many GPOs that are all over the place. Eventually we would like to "combine" into only a handful of GPOs for them instead of 50. However they would like to test within their environment with all users intact but no GPOs applied. We don't want to create another OU block for them to test.


    Tuan

    Friday, May 20, 2016 3:39 AM
  • Hi,

    What's the purpose of this requirement?

    To merge and optimize the OUs and GPOs,  you should consider the following:
    - Document your existing GPOs well.
    - Detect and eliminate conflicts.
    - Design your new GPO.
    - Create documentation for your new GPO with all the settings you need.
    - Create the new GPO based on your documentation.

    Best Regards,

    Alvin Wang



    Monday, May 23, 2016 6:28 AM
    Moderator
  • Hi,

    That is a great suggestion, which we did.

    So basically we did create 3 new GPOs, which are the combination of 10 GPOs. We would like to test these 3 new GPOs against only the new company's current users. Is there a way to test this without creating a new OU block?

    Thanks


    Tuan

    Monday, May 23, 2016 5:06 PM