Solved

Is there a planning tool for implementing Group Policies?

Posted on 2006-05-12
Last Modified: 2010-04-18
We're in the process of implementing group policies (for the first time) on a small network.  The network consists of the following:

- About 25 workstations (Windows XP Pro)
- 5 laptops (Windows XP Pro)
- 3 servers (Windows Server 2003 Std)
- Single Active Directory domain
- At least 3 groups of people that need different group policies defined for them

Is there a tool that helps in the planning process to define the policies for the groups of people?  We know about the GP templates, the Resultant Set of Policies tool, and pretty much all the other Microsoft GP-related tools.

By the way, we're going to be using ScriptLogic's Desktop Authority to implement and maintain the group policies.

I'm assigning the max points to this because this is a difficult topic and we need to get it done quickly.

Thanks in advance for your help.

ARite
Question by:arnorite
 
LVL 48

Expert Comment

by:Jay_Jay70
ID: 16668653
Hi arnorite,

1) a best practices guide
http://www.windowsnetworking.com/articles_tutorials/Best-Practices-Designing-Group-Policy.html

2) you need to look at what YOU want out of group policy :)

are you looking for standardisation
are you looking for restriction
are you looking for folder redirection to a central point
are you looking for roaming profiles
are you looking for security

based on those questions, you can begin to formulate a guideline for your own standards

each company has different requirements and demands for GPO - looking at what you wish to achieve will start you on your path :)

i will help any way i can of course!
0
 
LVL 7

Expert Comment

by:krakken
ID: 16668732
There's also the group policy management console.

It's great for planning, since you can do simulations based on users and computers.
Plus it summarizes the results.
0
 
LVL 48

Expert Comment

by:Jay_Jay70
ID: 16668754
the simulations are basically the same as RSOP
0
 

Author Comment

by:arnorite
ID: 16668755
Thanks,

From a business perspective we know what we want.  This includes:

- Standardization
- Restriction/Security
- Logon scripts
- Software deployment

We also are using DFS, so folder redirection is not an issue at this point.

Everything we have looked at addresses technical issues.  It's been very difficult to find something that can address the business rules and convert them to the technical configuration.  This applies to any documentation we've found so far, too.

Does this help?

Thanks,

ARite
0
 

Author Comment

by:arnorite
ID: 16668772
By the way, I have looked at this

1) a best practices guide
http://www.windowsnetworking.com/articles_tutorials/Best-Practices-Designing-Group-Policy.html

and again, it has nothing to do with business rules.

Thanks
0
 
LVL 48

Expert Comment

by:Jay_Jay70
ID: 16668799
Standardisation - i recommend setting one policy across the board outlining desktop and the actual "viewing" that a user gets, majority of these settings are set under your start menu and taskbar policies

Security - most of the time i add these to the same policy as above, effectively standardising security as well, ie, all internet explorer settings and control panel access

Logon scripts - much better applied to a user account

software deployment - create these as a separate OU for sure and decide on publishing or Assigning
0
 
LVL 48

Expert Comment

by:Jay_Jay70
ID: 16668806
that link is purely a best practice on overall GPO's nothing more
0
 
LVL 48

Expert Comment

by:Jay_Jay70
ID: 16668820
one more point, avoid changing the default domain policies and also apply your policies to OU's rather than at the root level
0
 

Author Comment

by:arnorite
ID: 16668895
Thanks, but this is not what I'm looking for.  Business Rules to technical config is what we want.  Example:

- Business Rule: 'Group 1' users can't logoff from the workstation

- GP Config: 'Start Menu and Taskbar' | 'Remove Logoff on the Start Menu' = Enabled

Hopefully this clears up what I want.

Thanks
0
 
LVL 48

Expert Comment

by:Jay_Jay70
ID: 16668921
there is no business rules as such, this is what i am getting at, each business has to define themselves what they want out of it

for example, business A that i work with say that they restrict the desktop completely, no shutdown, no log off, no desktop properties

business B on the other hand says, no control panel, no properties context of my computer, and forced classic menus

two different businesses, two different set of rules, each based on what they want
0
 

Author Comment

by:arnorite
ID: 16669176
I know they're different for each business.  I don't want templates.  I want to be able to identify how to restrict/allow features at a business level, not at a geek level.

Another Example:

Business Rule: Turn Off Internet Access for a specific group of users that I will identify
GP Config: the GP settings I need to implement

Some businesses may say 'I want everyone to have full Internet access' or 'I want Internet access to a select set of sites'.  These all deal with the same issue, Internet access.  Obviously different businesses will want different configurations for Internet access.  So for planning, I want to restrict Internet access, then what are the specific GP settings that need to be set for this?  That's what I'm looking for.  And not just Internet access, but all the things that GP affects.

Is there a tool, documentation, web site, company, whatever that can do this?

0
 
LVL 48

Accepted Solution

by:
Jay_Jay70 earned 2000 total points
ID: 16671850
this reference provides every gpo, a description and the reg keys they hit

http://www.microsoft.com/downloads/details.aspx?FamilyID=7821C32F-DA15-438D-8E48-45915CD2BC14&displaylang=en

sorry if i didn't get what you were trying to say
0
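
The business-rule-to-setting mapping discussed in this thread can be kept as a planning table and applied from it. The sketch below is an added example, not code from any poster or from Microsoft: it uses the GroupPolicy PowerShell module shipped with later versions of GPMC, and the GPO naming scheme, OU path, group label and report path are assumptions. The registry key and value for "Remove Logoff on the Start Menu" should be confirmed against the settings reference linked above before use.

```powershell
# Added example. GPO names, the OU path and the report path are hypothetical.
Import-Module GroupPolicy

# Planning table: one row per business rule, with the GP setting that implements it
# and the registry value that setting writes (as listed in a settings reference).
$plan = @(
    [pscustomobject]@{
        Rule      = "'Group 1' users can't log off from the workstation"
        Setting   = "Start Menu and Taskbar | Remove Logoff on the Start Menu = Enabled"
        Key       = 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
        ValueName = 'StartMenuLogOff'   # assumption: verify in the settings reference
        Value     = 1
        Group     = 'Group 1'
        TargetOU  = 'OU=Group1 Users,DC=example,DC=local'   # assumed OU for this group
    }
)

foreach ($row in $plan) {
    # One dedicated GPO per group; the default domain policies are left untouched.
    $gpoName = "Plan - $($row.Group)"
    if (-not (Get-GPO -Name $gpoName -ErrorAction SilentlyContinue)) {
        New-GPO -Name $gpoName | Out-Null
    }

    # Write the registry-based policy value for this rule into the GPO.
    Set-GPRegistryValue -Name $gpoName -Key $row.Key -ValueName $row.ValueName `
        -Type DWord -Value $row.Value | Out-Null

    # Link at the OU rather than at the domain root, and only if not already linked.
    $linked = (Get-GPInheritance -Target $row.TargetOU).GpoLinks.DisplayName
    if ($linked -notcontains $gpoName) {
        New-GPLink -Name $gpoName -Target $row.TargetOU | Out-Null
    }

    # Keep a per-GPO report next to the plan so the rule-to-setting mapping is documented.
    Get-GPOReport -Name $gpoName -ReportType Html -Path "C:\GPPlan\$gpoName.html"
    Write-Output "$($row.Rule)  ->  $($row.Setting)  [$gpoName]"
}
```

Adding a rule means adding a row; the resulting GPO can then be checked with the Resultant Set of Policy or GPMC modelling tools mentioned earlier in the thread.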
 

Author Comment

by:arnorite
ID: 16674506
Thanks for that last response, Jay_Jay70!  It looks like it's the closest thing I'm going to get to what I want.  With a little work, I think I can get the questions answered that I'm looking for.

Thanks again,

ARite
0
 
LVL 48

Expert Comment

by:Jay_Jay70
ID: 16676104
no problem at all

James
0
