-
GPO Assistance
Hello All,
I am working on a new GPO on a Server 2000 network. Just to make sure I covered everything, what are some of the more important settings to configure in a GPO? (I'm sure the list goes on, just some of the top ones please)
Just some suggestions from people who have been doing this much longer than I have been would be greatly appreciated.
Thank you,
Murph
-
That's a pretty big question and is very dependent upon your environment, the kind of business you are in, the threat/risk and what you are trying to achieve. Remember also that if you have multiple OUs you may have multiple GPOs to achieve different goals.
If you could outline some of that information and then give us an idea of what you have done so far it would help us help you a lot.
-
Ok, that's true...kind of vague huh?
For right now it's only one OU, which I'm working on changing. It's the first GPO in the domain for 75 users. Basically for right now I'm working on some type of baseline setting, as there isn't anything in place at the moment. Aside from password complexity, length, etc...what are some of the more major ones in general that should be configured?
I know this is still somewhat vague, any general info is appreciated.
Thanks again,
Murph
-
I'd start with the domain policy. Put everything in there that you want to apply to every computer on the network, (audit policies, password policies, lockout etc.). That's your baseline....
Then move down to your OUs. As long as you don't check "No Override" then the domain policy flows down so then you just need to set what you want for each OU. For example if you had machines accessible to the general public you would put them in a separate OU and lock them down pretty tight, whereas the accounting department may need a "looser" policy to allow them to do certain things.
I would just run through the entire GPO looking at what things are, what they do and if they are appropriate. If the network is live right now I would set up a test OU and put a machine with all the "odd" apps your company runs and apply the policy to it by placing it in the test OU. Remember that machine policies only apply at reboot or on the standard check time, (default 30 mins IIRC), while user policies apply at each reboot or at standard check time. That little gem of information becomes important when you think the darned thing isn't working.... ;)
It's a good exercise and it will allow you to see what the GPO can do rather than us telling you things that may not apply in your situation and thus leave big gaps in your knowledge.
If you get specific questions though, fire away....
-
Using me as a template - take Tiger Shark's advice, never force a GPO on a live network without testing it. You will come in and have some pissed off people the next day while they waited around for you to show up late as usual and "unlock" everything. :D
//edit I found this very helpful while adjusting some settings recently:
Technet Article
-
Ok, that's a start. I thank you for your help, I'm sure I'll be checking back in at some point soon!
One other thing...I don't remember which is the more effective setting...If I don't enable a policy, do I leave it as "not configured" or disable it? I remember reading that one setting takes longer to apply than the other, I just don't remember which.
Thanks,
-Murph
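How the domain-to-OU inheritance discussed in the thread resolves, including the difference between "Not Configured" and "Disabled" asked about in the last post, as an added example that is not part of the original thread. It is a simplified Python model of Group Policy precedence; the GPO names, OU names and the three settings are constructed for illustration.

```python
from dataclasses import dataclass, field

ENABLED, DISABLED = "Enabled", "Disabled"   # "Not Configured" = setting absent

@dataclass
class Link:
    gpo: str                     # constructed GPO name
    settings: dict               # setting -> ENABLED or DISABLED
    no_override: bool = False    # the "No Override" checkbox on the link

@dataclass
class Container:
    name: str
    links: list = field(default_factory=list)
    block_inheritance: bool = False

def resultant(path):
    """path: containers from the domain down to the OU holding the object.
    Returns {setting: (value, winning GPO)}."""
    normal, forced = [], []
    for container in path:
        if container.block_inheritance:
            normal = []          # drops inherited links, but never No Override ones
        for link in container.links:
            (forced if link.no_override else normal).append(link)
    result = {}
    # Normal links apply top-down, so the OU closest to the object writes last.
    # No Override links apply afterwards, lowest level first, so the
    # highest-level No Override link writes last and cannot be overridden.
    for link in normal + forced[::-1]:
        for setting, value in link.settings.items():
            result[setting] = (value, link.gpo)
    return result

def demo(no_override=False):
    # Constructed sample: a domain baseline and a "looser" accounting OU.
    domain = Container("domain", [Link("Baseline", {
        "Audit logon events": ENABLED,
        "Remove Run menu": ENABLED}, no_override)])
    # "Disabled" is an explicit value and overrides the baseline. Settings the
    # OU GPO leaves Not Configured are simply absent, so the inherited value stays.
    accounting = Container("Accounting OU", [Link("Accounting", {
        "Remove Run menu": DISABLED})])
    return resultant([domain, accounting])

if __name__ == "__main__":
    for flag in (False, True):
        print("No Override on Baseline:", flag)
        for setting, (value, gpo) in sorted(demo(flag).items()):
            print(f"  {setting}: {value} (from {gpo})")
```
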