Solved

Basic Group Policy Setup Recommendation

Posted on 2010-11-15
Last Modified: 2012-05-10
Hi Guys

I'm just setting up a completely new Domain and was wondering how I should start with the Group Policies.
Which Group Policies should I definitely use, how should I separate these? What is best practice?

Obviously I need password policy, redirected folders Policy and stuff like that. What else can you think of?

Thanks in advance.
Question by:Dan-IT
9 Comments
 
LVL 21

Accepted Solution

by:
snusgubben earned 63 total points
ID: 34135161
You should not customize the Default Domain Policy and Default Domain Controller Policy. Leave them as they are.

Create new GPOs with informative names that describe what their intention is.

i.e. GPO-FolderRedirection (where you define folder redir.)
i.e. GPO-SetHomePage (where you define the IE homepage)

Regarding password policy, here is a good description: http://www.microsoft.com/downloads/en/details.aspx?FamilyID=8C8E0D90-A13B-4977-A4FC-3E2B67E3748E&displaylang=en

If you don't have many GPOs you could separate User GPOs apart from Computer GPOs.

If you have multiple domain controllers, you could configure the time with a GPO:
http://adfordummiez.com/?p=67

Take regular backups of your GPO:
http://adfordummiez.com/?p=43


0
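A scheduled backup along the lines of the answer above, as an added example that is not part of the original post. It uses the GroupPolicy module shipped with Windows Server 2008 R2; the share path and retention period are assumed values.

```powershell
Import-Module GroupPolicy

# Assumed values for illustration; adjust for your environment.
$BackupRoot = '\\fileserver\GPOBackups'   # hypothetical share, writable by the task account
$KeepDays   = 30                          # assumed retention period

function Backup-AllGpo {
    param([string]$Root, [int]$KeepDays)

    # One dated folder per run, e.g. 2010-11-15_0200
    $target = Join-Path $Root (Get-Date -Format 'yyyy-MM-dd_HHmm')
    New-Item -ItemType Directory -Path $target -Force | Out-Null

    # Back up every GPO in the current domain, including the two default policies.
    $backups = @(Backup-GPO -All -Path $target -Comment "Scheduled backup $(Get-Date -Format s)")

    # Save a readable settings report next to the backups for later comparison.
    Get-GPOReport -All -ReportType Html -Path (Join-Path $target 'AllGPOs.html')

    # Fail loudly if any GPO is missing from the backup set.
    $backedUpIds = @($backups | ForEach-Object { $_.GpoId })
    $missing = @(Get-GPO -All | Where-Object { $backedUpIds -notcontains $_.Id })
    if ($missing.Count -gt 0) {
        throw "Not backed up: $(($missing | ForEach-Object { $_.DisplayName }) -join ', ')"
    }

    # Prune only folders this script created (name matches the date pattern).
    Get-ChildItem -Path $Root |
        Where-Object { $_.PSIsContainer -and
                       $_.Name -match '^\d{4}-\d{2}-\d{2}_\d{4}$' -and
                       $_.CreationTime -lt (Get-Date).AddDays(-$KeepDays) } |
        Remove-Item -Recurse -Force

    New-Object PSObject -Property @{ Path = $target; GpoCount = $backups.Count }
}

Backup-AllGpo -Root $BackupRoot -KeepDays $KeepDays
```

Restrict write access on the backup share to the account that runs the task, since GPO backups contain the full policy settings.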
 
LVL 21

Expert Comment

by:snusgubben
ID: 34135169
Since you have 2008 R2 you could use Group Policy Preferences to i.e. map network drives, printers etc.

http://www.microsoft.com/downloads/en/details.aspx?FamilyID=42e30e3f-6f01-4610-9d6e-f6e0fb7a0790&displaylang=en
0
 
LVL 4

Expert Comment

by:added_flavour
ID: 34135198
Hi,

I totally agree with SAGE here. Default domain and default domain controllers policies will be there in your domain as soon as you promote the first domain controller in the domain, and they will be applying most of the group policies automatically, like your password policy and a few security policies as well.

In order to change the password policy you have to change it on the Default Domain Policy, unless you have multiple password policies in your domain, like in 2008 functional level domains.

You should not create new group policies unless it's required. I would suggest giving every policy a good reference name as suggested by SAGE. It will actually make your administration easier.

For health checkups I would suggest monitoring File Replication Service logs regularly. You can use ULTRASOUND (Microsoft tool, just search in Google) to monitor the health of SYSVOL, which actually carries the policies.

Thanks !!!

0
 
LVL 24

Assisted Solution

by:Awinish
Awinish earned 125 total points
ID: 34135230
If you are interested in learning GPO, follow the below article.

http://www.grouppolicy.biz/2010/07/best-practice-group-policy-design-guidelines-part-2/

A few more things which I would like to mention: never apply a GPO at site level; the reason is it's very difficult to troubleshoot.

http://www.grouppolicy.biz/?s=folder+redirection

You use a single password policy applied at domain level, or if you have your domain & forest functional level set to Windows 2008, you can use fine-grained policy for specific groups.

http://capitalhead.com/articles/step-by-step-guide-to-fine-grained-passwords-in-windows-server-2008.aspx
http://www.specopssoft.com/documentation/specops-password-policy-basic-documentation

You can use the central store to store ADMX files instead of ADM files, which grow when creating new GPOs.
http://blogs.technet.com/b/askds/archive/2009/12/09/windows-7-windows-server-2008-r2-and-the-group-policy-central-store.aspx

0
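The fine-grained password policy mentioned above, sketched with the ActiveDirectory module from Windows Server 2008 R2. This is an added example, not part of the original post; the policy name, test account and every numeric setting are assumed sample values.

```powershell
Import-Module ActiveDirectory

# Hypothetical names and sample values; choose your own.
$PsoName  = 'PSO-DomainAdmins'
$Group    = 'Domain Admins'      # PSOs apply to users and global security groups
$TestUser = 'adm.jdoe'           # hypothetical member of $Group

# Fine-grained policies need domain functional level 2008 or higher.
$mode = "$((Get-ADDomain).DomainMode)"
if (@('Windows2000Domain', 'Windows2003InterimDomain', 'Windows2003Domain') -contains $mode) {
    throw "Domain functional level $mode does not support fine-grained password policies."
}

# Create the PSO only if it does not exist yet, so the script can be re-run.
if (-not (Get-ADFineGrainedPasswordPolicy -Filter "Name -eq '$PsoName'")) {
    New-ADFineGrainedPasswordPolicy -Name $PsoName `
        -Precedence 10 `
        -MinPasswordLength 14 `
        -ComplexityEnabled $true `
        -ReversibleEncryptionEnabled $false `
        -PasswordHistoryCount 24 `
        -MinPasswordAge '1.00:00:00' `
        -MaxPasswordAge '60.00:00:00' `
        -LockoutThreshold 5 `
        -LockoutObservationWindow '0.00:30:00' `
        -LockoutDuration '0.00:30:00' `
        -ProtectedFromAccidentalDeletion $true
}

# Attach the policy to the group (a lower Precedence value wins when several PSOs apply).
Add-ADFineGrainedPasswordPolicySubject -Identity $PsoName -Subjects $Group

# Verify what a member actually receives; empty output means the
# domain-level password policy is still in effect for that user.
Get-ADUserResultantPasswordPolicy -Identity $TestUser |
    Select-Object Name, Precedence, MinPasswordLength, LockoutThreshold
```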

 
LVL 21

Expert Comment

by:snusgubben
ID: 34135244
added_flavour: Looks like he builds his domain on 2008 R2 so he'll be using DFSR and not FRS. Ultrasound monitors FRS ;)
0
 
LVL 4

Assisted Solution

by:added_flavour
added_flavour earned 62 total points
ID: 34135362
Oh wow!!!

It would be really nice if he is using functional level 2008. At least he would be enjoying Remote Differential Client and several other benefits such as no Group Policy morphing; DFS Replication is self-healing and can automatically recover from USN journal wraps, USN journal loss, or loss of the DFS Replication database.

However, DFS Replication has its own set of monitoring and diagnostics tools.

There are a number of ways to monitor replication:

DFS Replication has a management pack for System Center Operations Manager 2007 that provides proactive monitoring.

DFS Replication has an in-box diagnostic report for the replication backlog, replication efficiency, and the number of files and folders in a given replication group.

Dfsrdiag.exe is a command-line tool that can generate a backlog count or trigger a propagation test. Both show the state of replication. Propagation shows you if files are being replicated to all nodes. Backlog shows you how many files still need to replicate before two computers are in sync. The backlog count is the number of updates that a replication group member has not processed. On computers running Windows Server 2008 R2, Dfsrdiag.exe can also display the updates that DFS Replication is currently replicating.

Scripts can use WMI to collect backlog information, manually or through MOM/SCOM.

PS: These are benefits and monitoring suggestions ;)

@Snusgubben: thanks for correcting me ;) cheers!!

Thanks  !!
0
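A SYSVOL backlog check built on the Dfsrdiag.exe tool described above, as an added example that is not part of the original post. It assumes SYSVOL is replicated by DFSR, that Dfsrdiag.exe is installed where the script runs, and that the tool prints its usual "No Backlog" or "Backlog File Count" result lines.

```powershell
Import-Module ActiveDirectory

# Replication group and replicated folder names DFSR uses for SYSVOL.
$RgName = 'Domain System Volume'
$RfName = 'SYSVOL Share'

function Get-SysvolBacklog {
    param([string[]]$DomainControllers, [int]$WarnAbove = 0)

    # Check every ordered pair, because backlog is directional (sender -> receiver).
    foreach ($sender in $DomainControllers) {
        foreach ($receiver in $DomainControllers) {
            if ($sender -eq $receiver) { continue }

            $text = & dfsrdiag.exe backlog "/rgname:$RgName" "/rfname:$RfName" `
                        "/smem:$sender" "/rmem:$receiver" 2>&1 | Out-String

            # Assumption: these are the result lines the tool prints.
            if ($text -match 'No Backlog') {
                $count = 0
            } elseif ($text -match 'Backlog File Count:\s*(\d+)') {
                $count = [int]$Matches[1]
            } else {
                $count = $null            # tool error or unexpected output
            }

            if ($null -eq $count)          { $status = 'ERROR' }
            elseif ($count -gt $WarnAbove) { $status = 'WARN' }
            else                           { $status = 'OK' }

            New-Object PSObject -Property @{
                Sender = $sender; Receiver = $receiver
                Backlog = $count; Status = $status
            }
        }
    }
}

$dcs = @(Get-ADDomainController -Filter * | ForEach-Object { $_.HostName })
Get-SysvolBacklog -DomainControllers $dcs -WarnAbove 10 |
    Sort-Object Status, Sender |
    Format-Table Sender, Receiver, Backlog, Status -AutoSize
```

A pair that stays in WARN or ERROR across several runs means GPO changes are not reaching that domain controller, so clients authenticating there may apply stale policy.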
 

Author Comment

by:Dan-IT
ID: 34135441
WOW! So many replies. Thanks guys.
In fact we will be using functional level 2008 and yes I'm really looking forward to the features this provides.

I was actually looking for Group policy settings I must not forget. Like DNS suffix and things like that.

All your replies are very good and I'm looking at the links now.

Thanks a lot

0
 
LVL 4

Expert Comment

by:added_flavour
ID: 34135504
Hi,

Applying Group Policy actually depends on your requirement. If you need folder redirection you can use a folder redirection policy, etc.
If you are looking for a reference of all the group policies and settings you can apply, then please download the following reference file and take a look at it:

Group Policy Settings Reference for Windows and Windows Server:

https://www.microsoft.com/downloads/en/details.aspx?familyid=18C90C80-8B0A-4906-A4F5-FF24CC2030FB&displaylang=en

Thanks !!
0
 
LVL 24

Assisted Solution

by:Awinish
Awinish earned 125 total points
ID: 34135661
The skill required to implement minimum GPOs with maximum effect, that's the perfection & expectation from an Expert.

There are loads of new enhancements & features available in Windows 2008 as well as 2008 R2. In order to squeeze the max, you require clients with Windows 7, so that all the Windows GPO features can be implemented.

There is actually no best practice in implementing or creating GPOs; it's your skill which makes it simple & lesser, so that even other admins can work w/o much hard work.
0
