Re: Good group policy management within an organisation
From: Steven L Umbach (n9rou_at_n0-spam-for-me-comcast.net)
Date: 07/14/04
- Next message: Ian White: "Group Policy not applied to users."
- Previous message: Mark Renoden [MSFT]: "Re: Machine Policy not being applied"
- In reply to: steŠ: "Re: Good group policy management within an organisation"
- Next in thread: steŠ: "Re: Good group policy management within an organisation"
- Reply: steŠ: "Re: Good group policy management within an organisation"
- Messages sorted by: [ date ] [ thread ]
Date: Wed, 14 Jul 2004 22:14:45 GMT
Sounds good. Keep in mind that your firewall configuration can also be a major
contributor to users not using unauthorized internet applications. Either try to use
a default block all outbound access rule and then create the exceptions for
authorized traffic. If your firewall cannot do that, consider getting another one as
they have really dropped in price and $350 can get you a good SOHO unit. Otherwise
see if your existing one can at least block some outbound traffic - even the $80
routers from Netgear, Linksys, etc. can do a pretty good job of that these days. Good
luck. --- Steve
"steŠ" <ContactMeUsingTheContactForm@sm9.co.uk> wrote in message
news:2llmf7Feh8ncU1@uni-berlin.de...
> Thanks for that again Steve, and I'll take note of your two approaches.
> I've only added some basic global policies at the moment, but will start to
> add more on a development PC using a test user account. The overall aim is
> to only let people do and use what they need for the job. Hopefully, the
> days of getting paid to chat on Yahoo Messenger all day are over... ;-)
>
> Thanks,
>
> Ste
>
>
> "Steven L Umbach" <n9rou@n0-spam-for-me-comcast.net> wrote in message
> news:ViYIc.46653$WX.6481@attbi_s51...
> | Sounds like you have a grasp of things. When you create a Group Policy [GPO] you can
> | "link" it to more than one container/OU. The highest GPO takes precedence with
> | defined settings. You could either create two sub OU's within your level 1 OU and
> | simply create the GPO you want for each sub OU and put users into the appropriate OU
> | and Group Policy would flow down through the sub OU's. Or you could have three OU's
> | and then have the low restriction policy level linked to each OU with additional GPO
> | for second level OU and all three GPO's linked to the third level OU with high
> | restrictions with the OU specific to that OU at the top of the list. --- Steve
> |
> |
> | "steŠ" <ContactMeUsingTheContactForm@sm9.co.uk> wrote in message
> | news:2lj0itFcojrcU2@uni-berlin.de...
> | > Thanks for the reply and advice Steven. At the moment, I've disabled the
> | > computer parts of the group policies because I'm only specifying user
> | > policies, and I read in a book that this helps to speed up the application
> | > of these policies when the user logs on.
> | >
> | > When I set OU's such as Level 1, 2, & 3, they are basically the same as
> | > Employees, Managers, Admins; it's just that I'm naming them differently.
> | > What I'd like to do is to set up a level 1 policy (low restriction), then
> | > copy this policy to a brand new policy in level 2 - I could then have a
> | > starting point to go on from, rather than enforce everything I'd done in
> | > level 1 first, then add my next restrictions in level 2.
> | >
> | > At the moment, my active directory of users and computers is like this:
> | >
> | > mycompany (domain, and contains the unedited default domain policy)
> | > > MyCompanyPolicies (OU containing my global policies)
> | > > Level 1 (low restrictions)
> | > > Level 2 (medium restrictions)
> | > > Level 3 (high restrictions)
> | >
> | > I assume that I'm on the right track with this (?), but will keep reading
> | > the links and other resources that I find.
> | >
> | > Thanks,
> | >
> | > Ste
> | >
> | >
> | > "Steven L Umbach" <n9rou@n0-spam-for-me-comcast.net> wrote in message
> | > news:h1AIc.62169$a24.33684@attbi_s03...
> | > | Keep in mind there are two parts to Group Policy - computer and user and that they
> | > | need to reside in the container where the policy is applied. Also for domain users,
> | > | password/account policy can only be applied at the domain level. OU policy that has
> | > | "defined" settings will override the same settings defined at the domain level. If
> | > | there is a setting defined at the domain level and not at the OU level, the setting
> | > | will still apply to a user/computer in the OU in a default installation.
> | > |
> | > | You may want to consider setting global policies that you want to apply to everyone at
> | > | the domain level and then use your three OU's and name them something appropriate
> | > | that distinguishes each by a role that applies to your office -
> | > | employees/managers/admins etc. or sales/admin/production etc. --- Steve
> | > |
> | > | http://www.microsoft.com/windows2000/techinfo/planning/management/groupsteps.asp
> | > | http://www.microsoft.com/resources/documentation/windows/2000/server/reskit/en-us/distsys/part4/dsgch22.mspx
> | > |
> | > | "steŠ" <ContactMeUsingTheContactForm@sm9.co.uk> wrote in message
> | > | news:40f287a1$0$6442$cc9e4d1f@news-text.dial.pipex.com...
> | > | > Hi there,
> | > | >
> | > | > I'm about to start applying Group Policies to our network (1 server and 8
> | > | > users) as it's currently an open system that's facing a lot of abuse.
> | > | >
> | > | > However, I'm looking for some ideas on managing this, and in particular, how
> | > | > I should be arranging the OU's, being just a single small office.
> | > | >
> | > | > I've thought about having an OU that had global policies, then have three
> | > | > separate OU's that contained Level 1, 2 and 3 policies of differing degrees
> | > | > of group policies (low, medium, high). But if I do this, I'm finding that
> | > | > it's difficult to remember what each Level contains, and it's getting quite
> | > | > messy.
> | > | >
> | > | > Are there any websites that show some good practice and organisation for
> | > | > this?
> | > | >
> | > | > Thanks for any help, it's appreciated.
> | > | >
> | > | > Regards,
> | > | >
> | > | > Stephen
> | > | >
> | > | >
> | > |
> | > |
> | >
> | >
> |
> |
>
>
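
An added illustration, not part of the original posts: a simplified Python model of the precedence rules described in this thread (OU settings override the same domain settings, undefined settings are inherited, the GPO at the top of a container's link list wins, and account policy for domain users comes only from the domain). Setting names and GPO contents are constructed for the example, and Block Inheritance, No Override and security filtering are not modelled.

```python
# Simplified model of Group Policy precedence; not Microsoft code.
# Setting names and GPO contents are constructed for the example.

# Password/account policy for domain users only takes effect from domain-linked GPOs.
ACCOUNT_SETTINGS = {"MinPasswordLength", "LockoutThreshold"}

def resultant_policy(domain_links, ou_path):
    """Return {setting: (value, winning_gpo)} for a domain user.

    domain_links: GPOs linked at the domain, highest priority first.
    ou_path: [(ou_name, links)] from the top-level OU down to the user's OU,
             each links list highest priority first (top of the link list).
    A GPO is (name, {setting: value}); a value of None means "not defined".
    """
    result = {}
    containers = [("domain", domain_links)] + list(ou_path)
    for container, links in containers:
        # Within one container the lowest-priority link is processed first,
        # so the GPO at the top of the list is written last and wins.
        for name, settings in reversed(links):
            for key, value in settings.items():
                if value is None:
                    continue  # undefined: keep whatever was inherited
                if key in ACCOUNT_SETTINGS and container != "domain":
                    continue  # ignored for domain accounts below the domain
                result[key] = (value, name)
    return result

DEFAULT_DOMAIN = ("Default Domain Policy",
                  {"MinPasswordLength": 8, "HideRunMenu": False, "LogonBanner": True})
GLOBAL = ("Global", {"BlockMessenger": True})
LOW = ("Level 1 - low", {"HideRunMenu": False, "HideControlPanel": False})
MEDIUM = ("Level 2 - medium", {"HideRunMenu": True, "HideControlPanel": None})
HIGH = ("Level 3 - high", {"HideControlPanel": True, "MinPasswordLength": 4})

def level3_user():
    # Layout from the thread: low policy linked everywhere, OU-specific GPO on top.
    return resultant_policy(
        [DEFAULT_DOMAIN],
        [("MyCompanyPolicies", [GLOBAL]), ("Level 3", [HIGH, MEDIUM, LOW])],
    )

if __name__ == "__main__":
    for setting, (value, gpo) in sorted(level3_user().items()):
        print(f"{setting:20} = {value!s:5} from {gpo}")
```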