arnorite
asked on
Is there a planning tool for implementing Group Policies?
We're in the process of implementing group policies (for the first time) on a small network. The network consists of the following:
- About 25 workstations (Windows XP Pro)
- 5 laptops (Windows XP Pro)
- 3 servers (Windows Server 2003 Std)
- Single Active Directory domain
- At least 3 groups of people that need different group policies defined for them
Is there a tool that helps in the planning process to define the policies for the groups of people. We know about the GP templates, the Resultant Set of Policies tool, and pretty much all the other Microsoft GP related tools.
By the way, we're going to be using ScriptLogic's Desktop Authority to implement and maintain the group policies.
I'm assigning the max points to this because this is a difficult topic and we need to get it done quickly.
Thanks in advance for your help.
ARite
- About 25 workstations (Windows XP Pro)
- 5 laptops (Windows XP Pro)
- 3 servers (Windows Server 2003 Std)
- Single Active Directory domain
- At least 3 groups of people that need different group policies defined for them
Is there a tool that helps in the planning process to define the policies for the groups of people. We know about the GP templates, the Resultant Set of Policies tool, and pretty much all the other Microsoft GP related tools.
By the way, we're going to be using ScriptLogic's Desktop Authority to implement and maintain the group policies.
I'm assigning the max points to this because this is a difficult topic and we need to get it done quickly.
Thanks in advance for your help.
ARite
There's also the group policy management console.
It's great for planning, since you can do simulations based on users and computers.
Plus it summarizes the results.
It's great for planning, since you can do simulations based on users and computers.
Plus it summarizes the results.
the simulations are basically the same as RSOP
ASKER
Thanks,
From a business perspective we know what we want. This includes:
- Standardization
- Restriction/Security
- Logon scripts
- Software deployment
We also are using DFS, so folder redirection is not an issue at this point.
Everything we have looked at addresses technical issues. It's been very difficult to find something that can address the business rules and convert them to the technical configuration. This applies to any documentation we've found so far, too.
Does this help?
Thanks,
ARite
From a business perspective we know what we want. This includes:
- Standardization
- Restriction/Security
- Logon scripts
- Software deployment
We also are using DFS, so folder redirection is not an issue at this point.
Everything we have looked at addresses technical issues. It's been very difficult to find something that can address the business rules and convert them to the technical configuration. This applies to any documentation we've found so far, too.
Does this help?
Thanks,
ARite
ASKER
By the way, I have looked at this
1) a best practices guide
http://www.windowsnetworking.com/articles_tutorials/Best-Practices-Designing-Group-Policy.html
and again, it has nothing to do with business rules.
Thanks
1) a best practices guide
http://www.windowsnetworking.com/articles_tutorials/Best-Practices-Designing-Group-Policy.html
and again, it has nothing to do with business rules.
Thanks
Standardisation - i reccomend setting one policy across the board outlining desktop and the actual "viewing" that a user gets, majority of these settings are set under your start menu and taskbar policies
Security - most of the time i add these to the same policy as above, affectively standardising security as wwll, ie, all internet explorer settings and conrtol panel access
Logon scripts - much better applied to a user account
software deployment - create these as a seperate OU for sure and decide on publishing or Assigning
Security - most of the time i add these to the same policy as above, affectively standardising security as wwll, ie, all internet explorer settings and conrtol panel access
Logon scripts - much better applied to a user account
software deployment - create these as a seperate OU for sure and decide on publishing or Assigning
that link is purely a best practice on overall GPO's nothing more
one more point, avoid changing the default domain policies and also apply your polcies to OU's rather than at the root level
ASKER
Thanks, but this is not what I'm looking for. Buisiness Rules to technical config is what we want. Example:
- Business Rule: 'Group 1' users can't logoff from the workstation
- GP Config: 'Start Menu and Taskbar' | 'Remove Logoff on the Start Menu' = Enabled
Hopefully this clears up what I want.
Thanks
- Business Rule: 'Group 1' users can't logoff from the workstation
- GP Config: 'Start Menu and Taskbar' | 'Remove Logoff on the Start Menu' = Enabled
Hopefully this clears up what I want.
Thanks
there is no business rules as such, this is what i am getting at, each business has to define themselves what they want out of it
for example, business A that i work with say that they restict the desktop completely, no shutdown, no log off, no desktop properties
business B on the other hand says, no control panel, no properties context of my computer, and forced classic menus
two different businesses, two different set of rules, each based on what they want
for example, business A that i work with say that they restict the desktop completely, no shutdown, no log off, no desktop properties
business B on the other hand says, no control panel, no properties context of my computer, and forced classic menus
two different businesses, two different set of rules, each based on what they want
ASKER
I know they're different for each business. I don't want templates. I want to be able to identify how to restrict/allow features at a business level, not at a geek level.
Another Example:
Business Rule: Turn Off Internet Access for a specific group of users that I will identify
GP Config: the GP settings I need to impelement
Some businesses may say 'I want everyone' to have full Internet access' or 'I want Internet access to a select set of sites'. These all deal with the same issue, Internet access. Obviously different businesses will want different configurations for Internet access. So for planning, I want to restrict Internet access, then what are the specific GP settings that need to be set for this? That's what I'm looking for. And not just Internet access, but all the things that GP affects.
Is there a tool, documentation, web site, company, whatever that can do this?
Another Example:
Business Rule: Turn Off Internet Access for a specific group of users that I will identify
GP Config: the GP settings I need to impelement
Some businesses may say 'I want everyone' to have full Internet access' or 'I want Internet access to a select set of sites'. These all deal with the same issue, Internet access. Obviously different businesses will want different configurations for Internet access. So for planning, I want to restrict Internet access, then what are the specific GP settings that need to be set for this? That's what I'm looking for. And not just Internet access, but all the things that GP affects.
Is there a tool, documentation, web site, company, whatever that can do this?
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Thanks for that last response, Jay_Jay70! It looks like it's the closest thing I'm going to get to what I want. With a little work, I think I can get the questions answered that I'm looking for.
Thanks again,
ARite
Thanks again,
ARite
no problem at all
James
James
1) a best practices guide
http://www.windowsnetworking.com/articles_tutorials/Best-Practices-Designing-Group-Policy.html
2) you need to look at what YOU want out of group policy :)
are you looking for standardisation
are you looking for restriction
are you looking for folder redirection to a central point
are you looking for roaming profiles
are you looking for security
based on those questions, you can begin to formulate a guideline for your own standards
each company has different requirements and demands for GPO - looking at what you wish to acheive will start you on your path :)
i will help any way i can of course!