Solved

Group Policy AD Management

Posted on 2010-11-29
Last Modified: 2012-05-10
Are there any tips you can give for overall management of Active Directory and group policies to keep the whole thing in order? I can see places with hundreds of group policies all over and not having a clue what's being applied where. Any overall tips for management and administration of an AD to keep the house in order - opinions for AD / GP admins as opposed to links...
Question by:pma111
14 Comments
 
LVL 59

Assisted Solution

by:Darius Ghassem
Darius Ghassem earned 100 total points
ID: 34231115
Well, hopefully you are using the Group Policy Management Console for deploying GPOs. Second, I like to name the GPOs something that will jump out to an admin, telling them what is configured within the GPO and why. Also, I keep an Excel spreadsheet that describes each GPO, the purpose of the GPO, what users the GPO will be applied to, and where the GPO is applied (OU).
0
 
LVL 57

Accepted Solution

by:
Mike Kline earned 200 total points
ID: 34231117
There are books written on GP and really good mailing lists. I have a list of recommendations here

http://adisfun.blogspot.com/2009/07/group-policy-recomendations.html

The main thing I'd say is get to know the Group Policy Management console as that will be your main place for working with group policies.  

I'd also say don't have too many cooks in the "group policy kitchen"; try to limit the number of people working on GPOs.

...and the most important thing is always test a setting/change first before deploying into production.

Thanks

Mike
0
 
LVL 10

Assisted Solution

by:moon_blue69
moon_blue69 earned 100 total points
ID: 34231172
Hi

1. First thing I would suggest: study the business structure and understand what is required.
2. Group computers and users and bring them under different OUs as per requirement.
3. Now apply group policy at the OU level.
4. If it's domain wide, add a new policy at the domain level.
5. If it's site wide, add a new policy at the site level.

Remember the policy processing order:

local->site->domain->ou.

In case of a conflict the closest one to the object will win. Otherwise it's cumulative.

Hope this helps
0
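The processing order described in the answer above, as an added example that is not part of the original post. It models only the rule stated there (local, site, domain, OU; later GPOs win conflicts, everything else accumulates) and assumes nested OUs are processed parent first. All GPO names, containers and settings are constructed sample data, and `Resolve-PolicyOrder` is a hypothetical helper.

```powershell
# Constructed sample data: each link names a container, a GPO and the settings it sets.
$links = @(
    @{ Target = 'Local';               Gpo = 'Local Policy';        Settings = @{ ScreenSaverTimeout = 'None' } }
    @{ Target = 'Site:Branch Office';  Gpo = 'Branch - Proxy';      Settings = @{ ProxyServer = 'proxy.branch.example' } }
    @{ Target = 'Domain:example.test'; Gpo = 'Domain - Baseline';   Settings = @{ ScreenSaverTimeout = '900'; CommandPrompt = 'Disabled' } }
    @{ Target = 'OU:Staff';            Gpo = 'Staff - Lockdown';    Settings = @{ HideDrives = 'C' } }
    @{ Target = 'OU:Staff/Developers'; Gpo = 'Developers - Relaxed'; Settings = @{ CommandPrompt = 'Enabled' } }
)

function Resolve-PolicyOrder {
    param(
        [hashtable[]]$Links,
        [string]$Site,
        [string]$Domain,
        [string[]]$OuPath   # OUs from the outermost parent down to the object's own OU
    )
    # Containers in processing order: local -> site -> domain -> OU (parent first).
    $order = @('Local', "Site:$Site", "Domain:$Domain") + ($OuPath | ForEach-Object { "OU:$_" })

    $result = [ordered]@{}
    foreach ($container in $order) {
        foreach ($link in ($Links | Where-Object { $_.Target -eq $container })) {
            foreach ($name in $link.Settings.Keys) {
                # A later (closer) GPO overwrites an earlier value; untouched settings remain.
                $result[$name] = [pscustomobject]@{
                    Setting = $name
                    Value   = $link.Settings[$name]
                    WonBy   = $link.Gpo
                    From    = $container
                }
            }
        }
    }
    $result.Values
}

# A developer's workstation in the branch site, inside OU Staff/Developers.
Resolve-PolicyOrder -Links $links -Site 'Branch Office' -Domain 'example.test' `
    -OuPath 'Staff', 'Staff/Developers' | Format-Table -AutoSize
```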
 
LVL 12

Assisted Solution

by:jjmartineziii
jjmartineziii earned 100 total points
ID: 34232202
To me, GP organization is all about naming.

I name my GPOs like this:
<sitename> - <scope> - <type> - <name>

Example:
Branch Office - Site - Policy - Software Restrictions
Branch Office - Rm215 - Software - Adobe Reader


This helps me determine exactly what a GPO has at a glance.
0
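One way to automate the GPO spreadsheet and the naming convention suggested in the answers above, as an added example that is not part of the original posts. It assumes the GroupPolicy PowerShell module (installed with the Group Policy Management Console) and a domain-joined session; the output path and the four-part name check are assumptions based on the `<sitename> - <scope> - <type> - <name>` pattern.

```powershell
# Added example: builds a GPO inventory (what it is, where it is linked) as a CSV.
Import-Module GroupPolicy

$inventory = foreach ($gpo in Get-GPO -All) {
    # The XML report lists every container (site, domain, OU) the GPO is linked to.
    [xml]$report = Get-GPOReport -Guid $gpo.Id -ReportType Xml
    $links = @($report.GPO.LinksTo | Where-Object { $_ })

    [pscustomobject]@{
        Name          = $gpo.DisplayName
        Description   = $gpo.Description
        Status        = $gpo.GpoStatus
        Modified      = $gpo.ModificationTime
        LinkedTo      = ($links | ForEach-Object { $_.SOMPath }) -join '; '
        DisabledLinks = @($links | Where-Object { $_.Enabled -ne 'true' }).Count
        # A GPO with no links applies nowhere and is a candidate for cleanup.
        Unlinked      = ($links.Count -eq 0)
        # Naming check: at least four parts separated by ' - '.
        NameOk        = (($gpo.DisplayName -split ' - ').Count -ge 4)
    }
}

# Full inventory for the spreadsheet (hypothetical output path).
$inventory | Sort-Object Name |
    Export-Csv -Path .\gpo-inventory.csv -NoTypeInformation

# Items that need attention: unlinked GPOs and names that break the convention.
$inventory | Where-Object { $_.Unlinked -or -not $_.NameOk } |
    Format-Table Name, Unlinked, NameOk, Modified -AutoSize
```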
 
LVL 3

Author Comment

by:pma111
ID: 34232216
Are there any security issues that are managed through group policy outside your typical domain password policy? If so, can anyone give some examples of security issues that are managed through group policy?
0
 
LVL 57

Expert Comment

by:Mike Kline
ID: 34232245
There are a lot of security issues that can be managed via group policy:

file permissions, user rights assignments, assigning local admins, event log policies, locking down the user experience (programs they can run, drives they can see, etc.)

You can do almost anything with a GPO (even more powerful with group policy preferences)

Thanks

Mike
0
 
LVL 59

Expert Comment

by:Darius Ghassem
ID: 34232272
Tons of things can be applied through a GPO, security being one of the biggest.
0
 
LVL 3

Author Comment

by:pma111
ID: 34232423
Not overly familiar with the term "user rights assignments". Any pointers? Prefer comments to links but thanks everyone.
0
 
LVL 57

Expert Comment

by:Mike Kline
ID: 34232487
User rights assignments are elevated rights like "act as part of the operating system", "allow logon locally".

There is an entire list; I'm going to provide a link to them because I don't feel like typing them all out :)


http://technet.microsoft.com/en-us/library/cc780182(WS.10).aspx

Thanks

Mike
0
 
LVL 3

Author Comment

by:pma111
ID: 34233003
Finally, can you give me some ideas and practical examples (a few different ones would be good) of what type of group policy would be applied to an OU as opposed to a domain, what type of GP would be applied to a site as opposed to an OU, etc.? I just read up on the hierarchy but it would help put it into perspective what types of policies are typically applied at one level as opposed to the others. And also where do forests come into it?
0
 
LVL 57

Expert Comment

by:Mike Kline
ID: 34233435
We don't use site-linked GPOs where I am, and they are not used as widely in general, but suppose you wanted everyone in your remote site to have the same GPO: you could link the GPO at the site level.

One common example of applying to an OU is if you split out your OUs by department (accounting, HR, etc).  If you only want HR users to get a policy you would link it to that OU.  You can also use something known as security filtering to restrict who receives an OU.  

If you want every user to get the setting (assuming it is a user based GPO) then you link it at the domain level.

Forests don't really come into play in terms of OU linking.  You can't link a GPO at the forest level.  Not sure what you were looking for though (in terms of forest info)

Thanks

Mike
0
 
LVL 3

Author Comment

by:pma111
ID: 34233473
Thanks Mike, what type of GPO would your HR get that your accountancy wouldn't? Can you provide some examples?
0
 
LVL 57

Expert Comment

by:Mike Kline
ID: 34233573
In our case currently all our users get the same lockdowns.

A better example may be if you have developers.  You may not want as strict lockdowns on their PCs....or maybe on your PCs (the admins)

For example I may want developers and admins to have access to the command prompt but not necessarily HR or accounting users.
0
