Group Policy Recommendations

[Utahduck]

We are implementing group policies within our Microsoft Windows Active
Directory Service and I am looking for ideas on which group policies
have been effective to implement within a domain. Also, what are some
of the group policies you have implemented but later removed? Detail
on why you went with or without certain policies would be welcomed,
too.

Any detail, experience, and insight would be highly appreciated! I'd
also love links or attachments of white papers and case studies that
would add some guidance and suggestions.

Thank you for your time,
-Utah

 

[Kurt]

We are implementing group policies within our Microsoft Windows Active
Directory Service and I am looking for ideas on which group policies
have been effective to implement within a domain. Also, what are some
of the group policies you have implemented but later removed? Detail
on why you went with or without certain policies would be welcomed,
too.

Any detail, experience, and insight would be highly appreciated! I'd
also love links or attachments of white papers and case studies that
would add some guidance and suggestions.

Thank you for your time,
-Utah

Group policies are implemented according to need. It's not really a
smörgåsbord situation where you implement something just because someone
else did, or just because you can choose one from the list. One
organization might want the company logo displayed on every desktop,
another to assign a logon script for various users by department. If
people are connecting to a server via RDP, you might want to remove the
"shut down" command from the start menu. I like to redirect My Documents
to a server for backup purposes. I almost always assign a logon or
startup script for something (mapped drives, printers, etc.). Password
policies may need to be enforced. The policies you implement in your
organization should be based on YOUR unique needs. There are two ways to
do this:

1. Reactively. When a company policy violation, threat, misuse, abuse or
other problem is identified, policies are implemented to keep the same
thing from happening the future.

2. Pro actively. Try to determine where the potential for problems may
arise, and implement policies to prevent them from happening in the
first place.

Since it sounds like you are not experienced in group policy here are a
couple pieces of advice:

1) Implement policies individually (don't create one GPO that does
everything) For instance, if you need a startup script, create a GPO
named StartUpScript, and let it do that. Create a different GPO named
ReDirectMyDocuments if you need that. It'll save you much frustration
down the road.

2) ALWAYS, ALWAYS, ALWAYS test policies on a test user in an OU. NEVER,
NEVER put a policy out at the domain level until you KNOW EXACTLY what
the results will be. There are some policies that, if implemented
incorrectly, could force you to re-install!

3) Apply policies at the lowest level possible. If just clerks need a
policy, apply it in the clerks OU.



....kurt

 

[Roger Abell [MVP]]

We are implementing group policies within our Microsoft Windows Active
Directory Service and I am looking for ideas on which group policies
have been effective to implement within a domain. Also, what are some
of the group policies you have implemented but later removed? Detail
on why you went with or without certain policies would be welcomed,
too.

Any detail, experience, and insight would be highly appreciated! I'd
also love links or attachments of white papers and case studies that
would add some guidance and suggestions.

Thank you for your time,
-Utah

All of the policies are effective.
It is a matter of whether you want/need to effect what they do
in your environment. There are all sorts of policies, and the
number continues to grow, and these are used for many kinds
of purposes. If you are concerned about hardening your
Windows systems then check out the Windows Server 2003
Security Guide and the Threats and Countermeasures Guide
http://www.microsoft.com/technet/security/guidance/default.mspx

Else, you can find much info by just drilling in at
http://www.microsoft.com/gp
for example in the downloads you will find a paper with some
reference implementations for a set of scenarios, the Group
Policies Common Scenarios download (listed in)
http://www.microsoft.com/downloads/results.aspx?displaylang=en&freeText=Group+Policy

If you were to look at a number of MS solutions whitepapers,
for mid-size businesses, for compliance, etc. you will find
some info on how GP can be applied for their objectives.

It all comes down to what you need and what your objectives
are in which priority.

Roger

 

[Utahduck]

All of the policies are effective.
It is a matter of whether you want/need to effect what they do
in your environment. There are all sorts of policies, and the
number continues to grow, and these are used for many kinds
of purposes. If you are concerned about hardening your
Windows systems then check out the Windows Server 2003
Security Guide and the Threats and Countermeasures Guidehttp://www.microsoft.com/technet/security/guidance/default.mspx

Else, you can find much info by just drilling in athttp://www.microsoft.com/gp
for example in the downloads you will find a paper with some
reference implementations for a set of scenarios, the Group
Policies Common Scenarios download (listed in)http://www.microsoft.com/downloads/results.aspx?displaylang=en&freeTe...

If you were to look at a number of MS solutions whitepapers,
for mid-size businesses, for compliance, etc. you will find
some info on how GP can be applied for their objectives.

It all comes down to what you need and what your objectives
are in which priority.

Roger

Thanks for the two responses so far. I know that it is different for
each organization, but I'm was hoping for ideas or situations I might
not have thought of as well as pitfalls I might not forsee. (Going
for proactivity instead of reaction).

I appreciate the links, I'll be digging deep in those.

Thank you!

-utah