<

Improve company productivity with a Business Account.Sign Up

x

Working With Group Policy

Published on
4,476 Points
1,476 Views
Last Modified:
Philip Elder
Philip is a Technical Architect specializing in high availability solutions for SMB/SME businesses and hosting companies.
Our Group Policy work started with Small Business Server in 2000. Microsoft gave us an excellent OU and GPO model in subsequent SBS editions that utilized WMI filters, OU linking, and VBS scripts. These are some of experiences plus our spending a lot of time with Jeremy Moskowitz's GP books.
In Active Directory Users and Computers all new non-DC systems get dropped into the Computers CONTAINER. It is _not_ an OU. Thus we can't create and link a GPO there.

Group Policy is similar in its application as CSS (Cascading Style Sheets) is for HTML. That means that in a given OU structure the GPO and its settings closest to the AD object applies. ENFORCE creates a bit of a caveat depending on the settings.

Here's how we tend to set our OU and GPOs (our blog post).

We use the Add-Computer PowerShell with the -OUPath switch to drop all new systems into their respective OU. Once they reboot they then pick up the appropriate settings for them. Besides OU membership as a form of GPO focus we also use WMI filtering when the GPO is linked closer to the Domain.Com root.

We create the Group Policy Central Store for all of our deployments. It is required for our Ransomware security structures that are defined via Office ADMX but also makes updating the ADMX files for say Windows 10 simple in multi-DC settings.

One thing to be aware of in all this is Group Policy Tattoos. Just because we unlink or remove settings in a GPO does _not_ mean those settings stop applying at the endpoint. We always test our GPO configuration in a lab setting way before thinking about deploying in production.

Finally, why do we not edit the two default policies? Because, if something breaks how do we figure out what caused the break? With the settings in their own GPO we can edit or unlink the GPO while troubleshooting. We've encountered lots of broken Group Policy that were a result of changes made to the two default GPOs.
0
Comment
0 Comments

Featured Post

Building an Effective Phishing Protection Program

Join Director of Product Management Todd OBoyle on April 26th as he covers the key elements of a phishing protection program. Whether you’re an old hat at phishing education or considering starting a program -- we'll discuss critical components that should be in any program.

Join & Write a Comment

The Task Scheduler is a powerful tool that is built into Windows. It allows you to schedule tasks (actions) on a recurring basis, such as hourly, daily, weekly, monthly, at log on, at startup, on idle, etc. This video Micro Tutorial is a brief intro…
Microsoft Active Directory, the widely used IT infrastructure, is known for its high risk of credential theft. The best way to test your Active Directory’s vulnerabilities to pass-the-ticket, pass-the-hash, privilege escalation, and malware attacks …

Keep in touch with Experts Exchange

Tech news and trends delivered to your inbox every month