What's the best way to setup the local security policy for remote users. Meaning, I have a few people getting laptops for use off-site. I'm looking for any tips/tricks in setting up the local security policies seeing as how these won't be on the domain the majority of the time. Thanks.
Well, I manage about 200 remote users.. when I first got involved with this for our company, I wanted to put everyone on the domain so I could control these laptops, but I discovered that many would not come in for months at a time, and that caused real issues with initial logons (cached)... so, after many calls to our helpdesk, I NO LONGER join any laptops to my domain, and just deal with them individually.. I even gave up with limiting their security, and put every user into the Admin Group.. lol, eh? There comes a time that we just have to trust that the user understands the 'do's and don'ts' of using a computer...
Of course, I do timely maintenance when the users come into the office, including cking AV, making sure their firewalls are on, cleaning for various things including Spyware, etc...
You could use SCAT, create a template, and as they come in implement your policies. Then remove them from the admin group. Now this will probably cause more headache for you then the security side of things. You could also look at a tool like deepfreeze, and this will not allow them to make any system modifications. But that includes loading printers at home etc. There really isn't a good solution.
I was contemplating Fatal's way of doing things. This is how I have approached it in the past - I don't want to be woken up on Saturday b/c someone can't install I-tunes. I typically establish a local profile and a domain profile - local for them, domain for me. I make sure they bring it in to me once a month for a cleaning/updates/etc. I'm leaning away from even establishing a domain profile and just make it stand alone (which is what prompted the post). The obvious policies\settings I have so far are Auto Updates\Disk Quotas\etc - obvious stuff. I was just curious to see if anyone had a common practice that appealed to me or suggestions.
Where my worry truly lies is when I implement a VPN in the coming weeks. Obviously I want my domain GPO's to apply but I'm not quite sure how that's going to pan out.
Just so you know, every one of my remote users access our Domain via a VPN and we use Citrix for our applications... never heard of SCAT, so will await the response.. :)
Ah. never heard it called SCAT.. but have used the tool many times! by using these snap-ins, you can configure custom templates for use in the domain...
Stupid question - the literature I've found on SCAT walks me thru an setting a up a new policy - yet when I try to setup a new policy it requires a template - where would I find one? The folder it points to by default is empty.
This topic area includes legacy versions of Windows prior to Windows 2000: Windows 3/3.1, Windows 95 and Windows 98, plus any other Windows-related versions including Windows Mobile.
Of course, I do timely maintenance when the users come into the office, including cking AV, making sure their firewalls are on, cleaning for various things including Spyware, etc...