Solved

Group Policy Implementation

Posted on 2008-10-11
10
1,084 Views
Last Modified: 2012-05-05
Recently it was decided to allow a small group of administrators, not in the original building of our 2003 AD domain to begin to implement Group Policy.  Currently, the entire domain is a Windows functional level 2003\Forrest functional 2003.  It is made up of 1 domain and 6 OU's.  Something like below.  When looking at AD Users and computers, the domain D1.net has the 6 OU's below.  Each of the OU's represent geographical locations, so OU1 - OU4 are "field" locations, the DCOU is located in a Central Office as is the TESTOU as seen somewhat poorly below.
                                                                                             
                                                                                                D1.net
                                                                                                  ===
                                                                   ou1   ou2    DCOU   ou3  ou4  TESTOU

to make it more confusing, each OU in the field has all their users, computers, and servers located at their respective sites, whcih can be 100's of different locations.  Each of the servers is built with VMWare, so the DC for each site is inside a virtual machine.  These Virtual DC's are all located in the DCOU, not the "field" OU's.

After looking at AD Sites and Services, I found that every DC controller is a separate site, reflecting their physical location in the field, so instead of 1 site, or just 4, we have 100's of sites.  

Now for the question.  Before we can do anything, we have to be given the proper Admin priveleges, which is in the works.  But using the following from microsoft that Group Policy is processed from local, site, domain, and then OU and that the computer or user receives the policy settings fo the last AD container processed, that is, a policy appliced later overwrites policy appliced earlier, I need to know the following:

If you write a domain policy, then an OU policy, the OU policy would overwrite that policy since it is the last applied(assuming they are the same settings being applied)?
If you are the lowly computer user, which would be the local policy and have a site policy and domain policy and OU policy, then you potentially have 4 different policies that could conflict with each other?
I assume that all policy decisions need to be made as a group, the settings written down so that conflicit does not happen and of course tested in the TESTOU for damage and effect.
Should the policies be applied from the domain say for all common policies, then from the OU for local OU or regional policies, and then from the sites for just policies to affect a single site?
Should you create a different group for AD policies to implement rather than using the domain admins, thus removing potential policy overwrite problems?
Just curious, but why does the OU policy apply last, shouldn't it be local, site, OU, domain?  What's the reason here?

Or did I miss the boat entirely and
Or is there a best practice(s) when applying these group policies that should be adhered to?

Any guidance is helpful before we jump into the fire with both feet and disaster happens!!
0
Comment
Question by:dgore1
  • 5
  • 5
10 Comments
 
LVL 27

Expert Comment

by:Jason Watkins
ID: 22694816
Hi,

"If you write a domain policy, then an OU policy, the OU policy would overwrite that policy since it is the last applied(assuming they are the same settings being applied)?"

Yes, only if there are conflicting settings in each policy.  If the settings in each policy do ont conflict, then both will be applied.  Exception is if the loopback function is enabled.

"If you are the lowly computer user, which would be the local policy and have a site policy and domain policy and OU policy, then you potentially have 4 different policies that could conflict with each other?"

Yes, it is possible.  I would document every policy setting and delegate the task to central admin or admins that can help coordinate and shape policy tasks.  I would NOT let local admins start writing their own policies all together.

"Should the policies be applied from the domain say for all common policies, then from the OU for local OU or regional policies, and then from the sites for just policies to affect a single site?"

Since you are planning to have a DC in each site,  I would skip the idea of site-related GPOs all together.  Committee and centralized administration for GPOs are the best option providing those admins are willing to listen to other users with regards to GPO.  Domain replication will bring the GPOs to every site.  One thing you want to avoid is have GPO-processing traffic crossing WAN links.

"Should you create a different group for AD policies to implement rather than using the domain admins, thus removing potential policy overwrite problems?"

I would keep the admin groups at their defaults and just control access.  OU admins can be delegated access to their places in active directory w/o having to be a domain admin.  Having one or two admins do all of the GPO work will reduce the chance of overwriting and conflict.

"Just curious, but why does the OU policy apply last, shouldn't it be local, site, OU, domain?  What's the reason here?"

Active directory users log into and are authenticated by the domain and not the OU.  The domain has to let the user in before their home OU can be determined.

I would test everything you plan to implement in your TESTOU before setting it loose on the domain.

/F



0
 

Author Comment

by:dgore1
ID: 22695165
Thanks for helping on the questions, but I'm still confused to a certain extent.  One of our people said that the "site" policies would only affect a single site.  But from what I'm seeing and reading, plus what you have explained that is not the case.

If they set a site policy it and no other policies are in effect then the site policy is inherited.  But is this for just the single site with its' own DC or do the other sites inherit this policy as well?  In our scenario, in some of our OU's we have 20 to 25 sites on average.  So when we setup a site policy, can they affect other sites?

This is where I get confused.  To me it is more logical this way:

Domain ---------> OU  ----------------> Site ---------------->(where site is the individual site location)  This means to me that the site policy, if it exists is overwritten by the OU, which in turn can be overwritten by the Domain.  

but what everything I'm reading is telling me it's

Site ---------------> Domain -----------------> OU----------------->  which would indicate that the site which is the local physical site, is overridden by the domain policy(if it exists and conflicts), and then overwritten by the OU if it exists and conflicts.  Thus you could have multiple policies implemented that are cumulative....

As another example, say I wanted the following at site A....I wanted to restrict all users to remove the RUN command.  So I set this policy at the site level for only this site since it can be different for other sites(they will have to decide on whether RUN is critical or not and have the group responsible for applying the policies to document and implement).

then we need to have all computers in the Domain with pop up blocker turned off, security logs set to 1mb with overwrite.  once again then this is turned over to the correct group for documentation etc.

finally we need each OU to have their own background per OU...so this is set.

Since no policies conflict all 3 will be applied.  But we have to track 3 sets of policies.  what would be better setting them all at the OU?

Also, if we logon to the domain, why are the local and site applied before domain?  That makes it sound like it should be domain ---->OU-----> Site-------> Local...

And if we test things in the TESTOU, how does that protect the domain if like in the situation above where we need three different policies, we can test in the testou for the site and OU but would need the domain to finalize the testing...which would in turn cause all OU's to receive those policies...sheeeezzz this gets confusing.

Sorry for all the questions, but just confused.  It's slowly sinking in...and thanks for all the help so far...

0
 
LVL 27

Expert Comment

by:Jason Watkins
ID: 22695232
domain-based computers process GPOs in the following order; Local, Site, Domain and OU.  A default GPO is created for the domain and is applied to all member of the domain after the default local GPO is applied to each computer.  There are no default GPOs created at the site and OU levels.  The Domain Controllers GPO has it's own, more secure template in-place, but that is it.

Site GPOs, when defined, apply to all objects in that site as it is listed in Active Directory Sites & Services.

"Also, if we logon to the domain, why are the local and site applied before domain?  That makes it sound like it should be domain ---->OU-----> Site-------> Local..."

The local GPO will be applied first because there is no network connection needed and not all Windows computers that process GPOs are connected to a domain.  Local GPOs can be used t osecure non-domain PCs or kiosks.

I would place the GPO settings that all users in the domain need at the domain level GPO.  Group-specific settings can be defined at their respective OUs.

The ACLs for the GPOs can be modified so that only certain groups, say those in your test OU, will receive the policy settings and no one else.  The permissions of "Read" and "Apply Group Policy" are required for the GPO to apply properly.

I hope I am helping.


0
 

Author Comment

by:dgore1
ID: 22695350
yes, immensely....

So, in our case we have a site that lists only a computer that is a DC..so If I set a GPO for that site, it will  or will not affect all the computers that are located in that site? or only affect the DC?(our sites are all broken up by respective subnets in this manner:  Router ------> 2003 Server broken into 2 versions:  2003 member server which houses a VM DC....-------> up to 300 workstations.

We would like to remove the RUN for all 300 computers in that site, so is the above correct thinking?
Or will the site policy also affect every other computer in the domain since it is applied site ---->domain -----> OU?

I agree with the domain for all at the domain level...Should we restrict the polcies for each individual OU so they can keep their policies separate?....trying to figure out which policies an OU would need that wouldn't be domain necessary....like maybe different backgroup screens, screen saver times etc?

This still is very confusing...some books say this, others point this way....seems even microsoft has different statements...
thanks for all you have provided...hopefully I'm gonna get this before you get tired of typing!

0
 
LVL 27

Expert Comment

by:Jason Watkins
ID: 22695937
A GPO set upon a site will affect all of those machines in that site, including DCs.  DCs also have their own GPO applied to them from the Domain Controllers OU.  Each site which is defined in Active Directory needs to have a subnet associated with it, for replication purposes.

If all of your clients are in the same OU, the run command could be removed from a GPO placed at the OU level or the site level.  It's up to you.

Typically one site is covered by one domain.  If not for anything else other than to control domain replication traffic across WAN links.  A design like you are suggesting should have one or more DCs in each site, or consider making each site it's own domain with a forest root domain in the head office.

I don't think you want replication to occur and have to converge across WAN links every time some changes a password, or is may a member of a group.

Try to think of it like this.  Higher up in the GPO processing list, you want to define as general of a list of settings that everyone needs, as possible.  At the bottom, define the specific settings that all users may not need.

0
Why You Should Analyze Threat Actor TTPs

After years of analyzing threat actor behavior, it’s become clear that at any given time there are specific tactics, techniques, and procedures (TTPs) that are particularly prevalent. By analyzing and understanding these TTPs, you can dramatically enhance your security program.

 

Author Comment

by:dgore1
ID: 22697274
OK...hmmm...I think I'm getting closer to the final questions...

The way we have it setup is that inside of each OU are all the member servers and workstations.  Instead of one site per domain, and we only have 1 domain, and we have hundreds of sites that when I look at them have just  the dc's.  Each of these then have the subnets listed within their properties...to replicate to...

So, I looked again today...my site is called DG1, under it is servers, the the DC, then NTDS settings as below:
                                                                       |
                                                                        ___Servers
                                                                                         |
                                                                                          ____DCDG1
                                                                                                           |
                                                                                                            _____NTDS settings

When I looked at the subnets, we have 5 listed, ours and 4 others....

So what you are saying is that if we change a single site group policies, IE, my site, it affects all items in the subnets, correct?   And based upon our site structure, it would then replicate to all other sites in the subnets, which is not what we want.  We just want the site with the same router, DC, member server and single subnet(each of our sites have their own single subnet) to be affected.

Is there a way to do this?

I guess what the stumbling block is here is that I can see the domain policy being general, the OU being a little more specific, but the site to me should be the individual subnets and affect only them.

Is there hope?
0
 
LVL 27

Expert Comment

by:Jason Watkins
ID: 22697659
I would make it so that the sites are defined in active directory first, with the proper subnet, domain controller and replication schedule.  Active directory replication between sites does not occur automatically.  Try to keep one subnet per site.  I have never had the need to define more than one subnet per site, so I cannot comment exactly on how that would work.

Is this design already in play somewhere?  If so, then you should make the best effort to maximize it's capability with what you already have.  If not, I would go the route of defining each site as it's own domain and keeping all of those domains in the same forest.


0
 

Author Comment

by:dgore1
ID: 22698299
unfortuneately, Microsoft already set this up and is active...with over 100 sites, 15K computers, 100 DC's 1 Domain 6 OU's etc...

From what we have been discussing, I see no way of doing a group policy at the site level...this would replicate, which is set to 15 minutes I believe, to all the subnets in the site(which each seem to be different...some have 1 subnet, while others have about 5)....

I also found that in some cases, 1 site is responsible for other sites, in other words we are there domain controller for logon authentication...so the subnets are actually referring to the physical sites....which means that if you were trying to just replicate to a single site, it wouldn't happen...all the other subnets would get it as well...correct?

Also, you cannot do group policy to individuals or groups of users, correct?

Would the best way be to break the 6 OU's which each house about 30 or so physical sites, into their own OU's inside the 6 OU's?  That way we could process group policy to just a single OU and affect only that OU, correct?

Your thoughts?
0
 
LVL 27

Accepted Solution

by:
Jason Watkins earned 500 total points
ID: 22698548
I think that would best be reserved for a separate question.  From what it seems, I have answered your original question and then some.

Good luck with whatever design you choose to go toward.

/F
0
 

Author Closing Comment

by:dgore1
ID: 31505301
Great job!!  thanks for the advise!
0

Featured Post

Top 6 Sources for Identifying Threat Actor TTPs

Understanding your enemy is essential. These six sources will help you identify the most popular threat actor tactics, techniques, and procedures (TTPs).

Join & Write a Comment

Suggested Solutions

by Batuhan Cetin In this article I will be guiding through the process of removing a failed DC metadata from Active Directory (hereafter, AD) using the ntdsutil tool in a Windows Server 2003 environment. These steps are not necessary in a Win…
I guess it is not common knowledge to most Wintel engineers/administrators: If you have an SNMP-based monitoring system in your environment (and it's common to have SNMP or Syslog) it's reasonably easy to enable monitoring of the Windows Event logs,…
Excel styles will make formatting consistent and let you apply and change formatting faster. In this tutorial, you'll learn how to use Excel's built-in styles, how to modify styles, and how to create your own. You'll also learn how to use your custo…
Here's a very brief overview of the methods PRTG Network Monitor (https://www.paessler.com/prtg) offers for monitoring bandwidth, to help you decide which methods you´d like to investigate in more detail.  The methods are covered in more detail in o…

747 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

12 Experts available now in Live!

Get 1:1 Help Now