Local SecPol for remote users

Well, I manage about 200 remote users..  when I first got involved with this for our company, I wanted to put everyone on the domain so I could control these laptops, but I discovered that many would not come in for months at a time, and that caused real issues with initial logons (cached)... so, after many calls to our helpdesk, I NO LONGER join any laptops to my domain, and just deal with them individually..  I even gave up with limiting their security, and put every user into the Admin Group..  lol, eh?  There comes a time that we just have to trust that the user understands the 'do's and don'ts' of using a computer...

Of course, I do timely maintenance when the users come into the office, including cking AV, making sure their firewalls are on, cleaning for various things including Spyware, etc...

You could use SCAT, create a template, and as they come in implement your policies.  Then remove them from the admin group.  Now this will probably cause more headache for you then the security side of things.  You could also look at a tool like deepfreeze, and this will not allow them to make any system modifications.  But that includes loading printers at home etc.  There really isn't a good solution.

I was contemplating Fatal's way of doing things. This is how I have approached it in the past - I don't want to be woken up on Saturday b/c someone can't install I-tunes. I typically establish a local profile and a domain profile - local for them, domain for me. I make sure they bring it in to me once a month for a cleaning/updates/etc. I'm leaning away from even establishing a domain profile and just make it stand alone (which is what prompted the post). The obvious policies\settings I have so far are Auto Updates\Disk Quotas\etc - obvious stuff. I was just curious to see if anyone had a common practice that appealed to me or suggestions.

Where my worry truly lies is when I implement a VPN in the coming weeks. Obviously I want my domain GPO's to apply but I'm not quite sure how that's going to pan out.

Also, what is SCAT? I'm not familiar with it....

Just so you know, every one of my remote users access our Domain via a VPN and we use Citrix for our applications...  never heard of SCAT, so will await the response..  :)

I'll be doing something similar but just using TS - we really only have one application they need to access.

http://www.governmentsecurity.org/articles/Step-by-StepGuidetoUsingtheSecurityConfigurationToolSet.php

SCAT stands for Security Configuration and Analysis Tool

It is access by start..run..mmc.  add remove snap ins

It is how you can configure some security settings.  Maybe not everything you really need but some.

Ah. never heard it called SCAT..  but have used the tool many times!  by using these snap-ins, you can configure custom templates for use in the domain...  

Thanks, Chris...

Stupid question - the literature I've found on SCAT walks me thru an setting a up a new policy - yet when I try to setup a new policy it requires a template - where would I find one? The folder it points to by default is empty.

Thanks, and hope we helped!

FE