Solved

Basic Group Policy Setup Recommendation

Posted on 2010-11-15
9
854 Views
Last Modified: 2012-05-10
Hi Guys

I'm just setting up a completely new Domain and was wondering how I should start with the Group Policies.
Which Group Policies should I definitely use, how should I separate these? What is best practice?

Obviously I need password policy, redirected folders Policy and stuff like that. What else can you think of?

Thanks in advance.
Question by:Dan-IT
9 Comments
 
LVL 21

Accepted Solution

by:
snusgubben earned 63 total points
ID: 34135161
You should not customize the Default Domain Policy and Default Domain Controller Policy. Leave them as they are.

Create new GPOs with informative names that describe what their intention is.

i.e. GPO-FolderRedirection (where you define folder redir.)
i.e. GPO-SetHomePage (where you define the IE homepage)

Regarding password policy, here is a good description: http://www.microsoft.com/downloads/en/details.aspx?FamilyID=8C8E0D90-A13B-4977-A4FC-3E2B67E3748E&displaylang=en

If you don't have many GPOs you could separate User GPOs apart from Computer GPOs.

If you have multiple domain controllers, you could configure the time with a GPO:
http://adfordummiez.com/?p=67

Take regular backups of your GPO:
http://adfordummiez.com/?p=43


0
 
LVL 21

Expert Comment

by:snusgubben
ID: 34135169
Since you have 2008 R2 you could use Group Policy Preferences to i.e. map network drives, printers etc.

http://www.microsoft.com/downloads/en/details.aspx?FamilyID=42e30e3f-6f01-4610-9d6e-f6e0fb7a0790&displaylang=en
0
 
LVL 4

Expert Comment

by:added_flavour
ID: 34135198
Hi,

I totally agree with SAGE here. Default domain and default domain controllers policies will be there in your domain as soon as you promote the first domain controller in the domain, and they will be applying most of the group policies automatically, like your password policy and a few security policies as well.

In order to change the password policy you have to change it on the default domain policy, until and unless you have multiple password policies in your domain like in 2008 functional level domains.

You should not create new group policies unless it's required. I would suggest giving every policy a good reference name as suggested by SAGE. It will actually make your administration easier.

For health check-ups I would suggest monitoring the File Replication Service logs regularly. You can use ULTRASOUND (Microsoft tool, just search in Google) to monitor the health of SYSVOL, which actually carries the policies.

Thanks !!!

0
 
LVL 24

Assisted Solution

by:Awinish
Awinish earned 125 total points
ID: 34135230
If you are interested in learning GPO, follow the below article.

http://www.grouppolicy.biz/2010/07/best-practice-group-policy-design-guidelines-part-2/

A few more things which I would like to mention: never apply GPOs at site level; the reason is it's very difficult to troubleshoot.

http://www.grouppolicy.biz/?s=folder+redirection

You use a single password policy applied at domain level, or if you have your domain & forest functional level set to Windows 2008, you can use fine-grained policy for specific groups.

http://capitalhead.com/articles/step-by-step-guide-to-fine-grained-passwords-in-windows-server-2008.aspx
http://www.specopssoft.com/documentation/specops-password-policy-basic-documentation

You can use the central store to store ADMX instead of ADM files, which grow when creating new GPOs.
http://blogs.technet.com/b/askds/archive/2009/12/09/windows-7-windows-server-2008-r2-and-the-group-policy-central-store.aspx

0
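The fine-grained password policy mentioned in the answer above, as an added example that is not part of the original thread: a stricter Password Settings Object (PSO) applied to a privileged group and then verified. It assumes domain functional level Windows Server 2008 or higher and the ActiveDirectory module from Windows Server 2008 R2; the PSO name and all numeric values are sample values, not recommendations from the thread.

```powershell
# Added example: fine-grained password policy for a privileged group.
Import-Module ActiveDirectory

# Hypothetical names: replace with your own.
$psoName   = 'PSO-DomainAdmins'
$groupName = 'Domain Admins'

# Sample values. When several PSOs apply to one user, the lowest
# Precedence value wins.
New-ADFineGrainedPasswordPolicy -Name $psoName `
    -Precedence 10 `
    -MinPasswordLength 15 `
    -PasswordHistoryCount 24 `
    -ComplexityEnabled $true `
    -ReversibleEncryptionEnabled $false `
    -MinPasswordAge '1.00:00:00' `
    -MaxPasswordAge '60.00:00:00' `
    -LockoutThreshold 5 `
    -LockoutObservationWindow '00:30:00' `
    -LockoutDuration '00:30:00'

# PSOs are linked to users or global security groups, never to OUs.
Add-ADFineGrainedPasswordPolicySubject -Identity $psoName -Subjects $groupName

# Verify: list the policy that actually wins for each member.
# Get-ADUserResultantPasswordPolicy returns nothing when only the
# domain-level password policy applies to the user.
Get-ADGroupMember -Identity $groupName -Recursive |
    Where-Object { $_.objectClass -eq 'user' } |
    ForEach-Object {
        $effective = Get-ADUserResultantPasswordPolicy -Identity $_.SamAccountName
        New-Object PSObject -Property @{
            User      = $_.SamAccountName
            PSO       = if ($effective) { $effective.Name } else { '(domain policy)' }
            MinLength = if ($effective) { $effective.MinPasswordLength } else { $null }
        }
    } | Format-Table User, PSO, MinLength -AutoSize
```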
 
LVL 21

Expert Comment

by:snusgubben
ID: 34135244
added_flavour: Looks like he builds his domain on 2008 R2 so he'll be using DFSR and not FRS. Ultrasound monitors FRS ;)
0
 
LVL 4

Assisted Solution

by:added_flavour
added_flavour earned 62 total points
ID: 34135362
Oh wow !!!

It would be really nice if he is using functional level 2008. At least he would be enjoying Remote Differential Client and several other benefits, such as no group policy morphing; DFS Replication is self-healing and can automatically recover from USN journal wraps, USN journal loss, or loss of the DFS Replication database.

However, DFS Replication has its own set of monitoring and diagnostics tools.

There are a number of ways to monitor replication:

DFS Replication has a management pack for System Center Operations Manager 2007 that provides proactive monitoring.

DFS Replication has an in-box diagnostic report for the replication backlog, replication efficiency, and the number of files and folders in a given replication group.

Dfsrdiag.exe is a command-line tool that can generate a backlog count or trigger a propagation test. Both show the state of replication. Propagation shows you if files are being replicated to all nodes. Backlog shows you how many files still need to replicate before two computers are in sync. The backlog count is the number of updates that a replication group member has not processed. On computers running Windows Server 2008 R2, Dfsrdiag.exe can also display the updates that DFS Replication is currently replicating.

Scripts can use WMI to collect backlog information—manually or through MOM /SCOM

PS: These are benefits and Monitoring Suggestions  ;)

@ Snusgubben : thanks for correcting me  ;) cheers !!

Thanks  !!
0
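The Dfsrdiag.exe backlog check described in the post above, as an added example that is not part of the original thread: it reports the SYSVOL backlog for every sending/receiving pair of domain controllers, so a DC that is serving stale GPOs stands out. It assumes SYSVOL is replicated by DFSR under the default names "Domain System Volume" and "SYSVOL Share", English dfsrdiag output, and a hypothetical alert threshold of 50 files.

```powershell
# Added example: SYSVOL DFSR backlog between all domain controller pairs.
Import-Module ActiveDirectory

function Get-SysvolBacklog {
    param(
        [string[]]$DomainControllers = (Get-ADDomainController -Filter * |
                                        ForEach-Object { $_.Name })
    )
    foreach ($send in $DomainControllers) {
        foreach ($recv in $DomainControllers) {
            if ($send -eq $recv) { continue }
            $dfsrArgs = @(
                'backlog',
                '/rgname:Domain System Volume',  # default SYSVOL replication group
                '/rfname:SYSVOL Share',          # default SYSVOL replicated folder
                "/smem:$send",                   # sending member
                "/rmem:$recv"                    # receiving member
            )
            $text = (& dfsrdiag.exe $dfsrArgs 2>&1 | Out-String)

            # Assumption: English output strings of dfsrdiag.
            if ($text -match 'Backlog File Count:\s*(\d+)') {
                $count = [int]$Matches[1]; $state = 'Backlog'
            } elseif ($text -match 'No Backlog') {
                $count = 0; $state = 'InSync'
            } else {
                $count = $null; $state = 'Error'   # unreachable DC, access denied, ...
            }
            New-Object PSObject -Property @{
                Sending = $send; Receiving = $recv
                State   = $state; Backlog  = $count
            }
        }
    }
}

# Hypothetical threshold: show pairs that failed or are far behind.
$threshold = 50
Get-SysvolBacklog |
    Where-Object { $_.State -eq 'Error' -or $_.Backlog -gt $threshold } |
    Format-Table Sending, Receiving, State, Backlog -AutoSize
```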
 

Author Comment

by:Dan-IT
ID: 34135441
WOW! So many replies. Thanks guys.
In fact we will be using functional level 2008 and yes I'm really looking forward to the features this provides.

I was actually looking for Group policy settings I must not forget. Like DNS suffix and things like that.

All your replies are very good and I'm looking at the links now.

Thanks a lot

0
 
LVL 4

Expert Comment

by:added_flavour
ID: 34135504
Hi,

Applying Group Policy actually depends on your requirement. If you need folder redirection you can use a folder redirection policy, etc.
If you are looking for a reference of all the group policies and settings you can apply, then please download the following reference file and take a look at it:

Group Policy Settings Reference for Windows and Windows Server:

https://www.microsoft.com/downloads/en/details.aspx?familyid=18C90C80-8B0A-4906-A4F5-FF24CC2030FB&displaylang=en

Thanks !!
0
 
LVL 24

Assisted Solution

by:Awinish
Awinish earned 125 total points
ID: 34135661
The skill required to implement minimum GPO with maximum effect, that's the perfection & expectation from an Expert.

There are loads of new enhancements & features available in Windows 2008 as well as 2008 R2; in order to squeeze max, you require clients with Windows 7, so that all the Windows GPO features can be implemented.

There is actually no best practice in implementing or creating GPOs; it's your skill which makes it simple & lesser, so that even other admins can work w/o much hard work.
0


Question has a verified solution.
