Solved

Group Policy AD Management

Posted on 2010-11-29
14
440 Views
Last Modified: 2012-05-10
Are there any tips you can give for overall management of Active Directory and group policies to keep the whole thing in order? I can see places with hundreds of group policies all over and not having a clue what's being applied where. Any overall tips for management and administration of an AD to keep the house in order - opinions from AD / GP admins as opposed to links...
Question by:pma111
14 Comments
 
LVL 59

Assisted Solution

by:Darius Ghassem
Darius Ghassem earned 100 total points
Well, hopefully you are using the Group Policy Management console for deploying GPOs. Second, I like to name the GPOs something that will jump out at an admin, telling them what is configured within the GPO and why. Also, I keep an Excel spreadsheet that describes each GPO: purpose of the GPO, what users the GPO will be applied to, and where the GPO is applied (OU).
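The spreadsheet described above can be generated from the domain itself rather than maintained by hand. The following is an added example, not code from this thread or from Microsoft: it uses the GroupPolicy module (GPMC / RSAT) to list every GPO with its links, security filtering, WMI filter and description, and flags the two things that usually rot first, unlinked GPOs and GPOs nobody documented. The output path is an assumption.

```powershell
# Added example: build a per-GPO inventory (links, filtering, status, description)
# and export it to CSV. Assumes the GroupPolicy module and read access to the domain.
Import-Module GroupPolicy

function Get-GpoInventory {
    param([string]$Domain = $env:USERDNSDOMAIN)

    foreach ($gpo in Get-GPO -All -Domain $Domain) {
        # The XML report carries the link targets (LinksTo) for this GPO.
        [xml]$report = Get-GPOReport -Guid $gpo.Id -Domain $Domain -ReportType Xml
        $links = @($report.GPO.LinksTo | Where-Object { $_ -ne $null })

        # Security filtering: only trustees holding "Apply group policy" receive the GPO.
        $applyTo = Get-GPPermission -Guid $gpo.Id -Domain $Domain -All |
            Where-Object { $_.Permission -eq 'GpoApply' } |
            ForEach-Object { $_.Trustee.Name }

        [pscustomobject]@{
            Name          = $gpo.DisplayName
            Id            = $gpo.Id
            Description   = $gpo.Description
            Status        = $gpo.GpoStatus           # AllSettingsEnabled, UserSettingsDisabled, ...
            LinkedTo      = ($links | ForEach-Object { $_.SOMPath }) -join '; '
            LinkEnabled   = ($links | ForEach-Object { $_.Enabled }) -join '; '
            Enforced      = ($links | ForEach-Object { $_.NoOverride }) -join '; '
            AppliesTo     = ($applyTo -join '; ')
            WmiFilter     = $gpo.WmiFilter.Name
            Modified      = $gpo.ModificationTime
            # Housekeeping flags: these are the GPOs that pile up unnoticed.
            Unlinked      = ($links.Count -eq 0)
            NoDescription = [string]::IsNullOrWhiteSpace($gpo.Description)
        }
    }
}

$inventory = Get-GpoInventory
# Output path is an assumption; pick whatever you already use for documentation.
$inventory | Export-Csv -Path 'C:\GpoDocs\gpo-inventory.csv' -NoTypeInformation -Encoding UTF8

# Quick view of the entries that need attention first.
$inventory | Where-Object { $_.Unlinked -or $_.NoDescription } |
    Format-Table Name, Unlinked, NoDescription, Modified -AutoSize
```

Run it on a schedule and diff the CSV against the previous run: a GPO that appears with no description, or a link that moved to the domain root, is exactly the kind of change an admin wants to notice before users do. The Description field of the GPO itself is a good place to keep the "purpose" column so it travels with the object.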
 
LVL 57

Accepted Solution

by:Mike Kline
Mike Kline earned 200 total points
There are books written on GP and really good mailing lists. I have a list of recommendations here

http://adisfun.blogspot.com/2009/07/group-policy-recomendations.html

The main thing I'd say is get to know the Group Policy Management console as that will be your main place for working with group policies.  

I'd also say don't have too many cooks in the "group policy kitchen"; try to limit the number of people working on GPOs.

...and the most important thing is always test a setting/change first before deploying into production.

Thanks

Mike
 
LVL 10

Assisted Solution

by:moon_blue69
moon_blue69 earned 100 total points
Hi

1. First thing I would suggest, study the business structure and understand what is required
2. Group Computers and Users and bring them under different OU's as per requirement.
3. Now apply group policy at the OU level.
4. If it's domain-wide, add a new policy at the domain level.
5. If it's site-wide, add a new policy at the site level.

Remember the policy processing order

local->site->domain->ou.

In case of a conflict the closest one to the object will win. Otherwise it's cumulative.

Hope this helps
 
LVL 12

Assisted Solution

by:jjmartineziii
jjmartineziii earned 100 total points
To me, GP organization is all about naming.

I name my GPOs like this:
<sitename > - <scope> - <type> - <name>

Example:
Branch Office - Site - Policy - Software Restrictions
Branch Office - Rm215 - Software - Adobe Reader


This helps me determine exactly what a GPO has at a glance.
 
LVL 3

Author Comment

by:pma111
Are there any security issues that are managed through group policy outside your typical domain password policy? If so, can anyone give some examples of security issues that are managed through group policy?
 
LVL 57

Expert Comment

by:Mike Kline
There are a lot of security issues that can be managed via group policy:

file permissions, user rights assignments, assigning local admins, event log policies, locking down the user experience (programs they can run, drives they can see, etc)

You can do almost anything with a GPO (even more powerful with group policy preferences)

Thanks

Mike
 
LVL 59

Expert Comment

by:Darius Ghassem
Tons of things can be applied through a GPO, security being one of the biggest.
 
LVL 3

Author Comment

by:pma111
Not over-familiar with the term "user rights assignments". Any pointers? Prefer comments to links, but thanks everyone.
 
LVL 57

Expert Comment

by:Mike Kline
User rights assignments are elevated rights like "act as part of the operating system", "allow logon locally".

There is an entire list; I'm going to provide a link to them because I don't feel like typing them all out :)


http://technet.microsoft.com/en-us/library/cc780182(WS.10).aspx

Thanks

Mike
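Since the question was about which security settings live in group policy, here is an added example (not from this thread or from the linked TechNet page) that audits the user rights a GPO grants. The machine-side security settings of a GPO are stored in SYSVOL as a GptTmpl.inf security template whose [Privilege Rights] section lists each right and the SIDs granted it; the script parses that section, translates the SIDs, and flags the rights that most deserve review. The list of "sensitive" rights and the sample template at the end are my own choices, constructed so the parser can be tried offline.

```powershell
# Added example: report which principals a GPO grants high-impact user rights,
# by reading the GPO's security template from SYSVOL. Assumes the GroupPolicy
# module and read access to the SYSVOL share; the sample .inf below is constructed.
Import-Module GroupPolicy

# Rights worth a second look (constant name -> GPMC display name). Assumed selection.
$SensitiveRights = @{
    SeTcbPrivilege                = 'Act as part of the operating system'
    SeDebugPrivilege              = 'Debug programs'
    SeBackupPrivilege             = 'Back up files and directories'
    SeRestorePrivilege            = 'Restore files and directories'
    SeTakeOwnershipPrivilege      = 'Take ownership of files or other objects'
    SeLoadDriverPrivilege         = 'Load and unload device drivers'
    SeInteractiveLogonRight       = 'Allow log on locally'
    SeRemoteInteractiveLogonRight = 'Allow log on through Remote Desktop Services'
    SeImpersonatePrivilege        = 'Impersonate a client after authentication'
}

function ConvertFrom-GptTmplPrivilegeRights {
    # Parses the [Privilege Rights] section of a GptTmpl.inf given as lines.
    param([Parameter(Mandatory)][string[]]$Lines)
    $inSection = $false
    foreach ($line in $Lines) {
        if ($line -match '^\[(.+)\]\s*$') { $inSection = ($Matches[1] -eq 'Privilege Rights'); continue }
        if (-not $inSection -or $line -notmatch '^\s*(\w+)\s*=\s*(.*)$') { continue }
        $right = $Matches[1]
        $members = foreach ($m in ($Matches[2] -split ',')) {
            $m = $m.Trim()
            if (-not $m) { continue }
            if ($m.StartsWith('*')) {
                # "*S-1-..." is a SID; translate it to an account name when the SID resolves.
                $sid = $m.Substring(1)
                try { ([System.Security.Principal.SecurityIdentifier]$sid).Translate([System.Security.Principal.NTAccount]).Value }
                catch { $sid }
            } else { $m }
        }
        [pscustomobject]@{
            Right       = $right
            Description = $SensitiveRights[$right]
            Sensitive   = $SensitiveRights.ContainsKey($right)
            Members     = @($members)
        }
    }
}

function Get-GpoUserRights {
    param([Parameter(Mandatory)][string]$GpoName)
    $gpo = Get-GPO -Name $GpoName
    # Machine-side security settings of every GPO live at this SYSVOL path.
    $inf = "\\$($gpo.DomainName)\SYSVOL\$($gpo.DomainName)\Policies\{$($gpo.Id)}\Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf"
    if (-not (Test-Path -Path $inf)) { return }   # the GPO defines no security settings
    ConvertFrom-GptTmplPrivilegeRights -Lines (Get-Content -Path $inf)
}

# Constructed sample (not taken from any real GPO), parsed without touching a domain:
$sample = @'
[Unicode]
Unicode=yes
[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-545
SeTcbPrivilege = *S-1-5-32-544
SeShutdownPrivilege = *S-1-5-32-544
[Version]
signature="$CHICAGO$"
'@ -split "`r?`n"

ConvertFrom-GptTmplPrivilegeRights -Lines $sample |
    Where-Object Sensitive |
    Format-Table Right, Description, @{ n = 'Members'; e = { $_.Members -join ', ' } } -AutoSize

# Against a real GPO: Get-GpoUserRights -GpoName 'Default Domain Controllers Policy'
```

Two caveats a practitioner will want. User rights defined in a GPO replace the local list on the target machine rather than adding to it, so a GPO that sets "Allow log on locally" to one group silently removes everyone else; and the sample grants SeTcbPrivilege to BUILTIN\Administrators purely to show the flag, which is a setting you would normally want to see nowhere in a report like this.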
 
LVL 3

Author Comment

by:pma111
Comment Utility
Finally can you give me some ideas and practical examples (a few different ones would be good) on what type of group policy would be applied to an OU as opposed to a domain, what type of GP would be applied to a site as opposed to an ou etc. I just read up on the hierarchy but it would help put it into perspective what types of policies are typically applied at one level as opposed to the others. And also where do forests come into it?
 
LVL 57

Expert Comment

by:Mike Kline
Comment Utility
We don't use site linked GPOs where I am and they are not used as widely in general but suppose you wanted everyone in your remote site to have the same GPO you could link the GPO at the site level.

One common example of applying to an OU is if you split out your OUs by department (accounting, HR, etc).  If you only want HR users to get a policy you would link it to that OU.  You can also use something known as security filtering to restrict who receives an OU.  

If you want every user to get the setting (assuming it is a user based GPO) then you link it at the domain level.

Forests don't really come into play in terms of OU linking.  You can't link a GPO at the forest level.  Not sure what you were looking for though (in terms of forest info)

Thanks

Mike
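Both the processing order given earlier in the thread (local, site, domain, OU) and the OU linking and security filtering described above can be checked for a concrete OU rather than reasoned about. The following added example, which is not code from this thread, uses Get-GPInheritance to obtain the resolved domain-plus-OU link order for one OU, then decorates each GPO with its security filtering and WMI filter so you can see who in that OU will actually receive it. Site-linked GPOs are outside what Get-GPInheritance reports, so the script notes that separately; the OU name used is a placeholder.

```powershell
# Added example: show the GPOs that apply to an OU in processing order (first
# applied to last applied; later wins on conflict, enforced links are applied last),
# with each GPO's security filtering. Assumes the GroupPolicy module; the OU is a placeholder.
Import-Module GroupPolicy

function Get-EffectiveGpoOrder {
    param([Parameter(Mandatory)][string]$OuDistinguishedName)

    # Get-GPInheritance resolves domain and parent-OU links, honouring "block
    # inheritance" and "enforced", and returns them with Order 1 as the winner.
    $som = Get-GPInheritance -Target $OuDistinguishedName
    if ($som.GpoInheritanceBlocked) {
        Write-Warning "Inheritance is blocked at $OuDistinguishedName; only enforced parent links reach it."
    }
    Write-Warning 'Site-linked GPOs are not included here; use Get-GPResultantSetOfPolicy on a machine for a full RSoP.'

    $rank = 0
    # Reverse the precedence order so the table reads in application order.
    foreach ($link in ($som.InheritedGpoLinks | Sort-Object Order -Descending)) {
        $rank++
        $gpo = Get-GPO -Guid $link.GpoId
        # Security filtering: trustees with "Apply group policy" on this GPO.
        $applyTo = Get-GPPermission -Guid $link.GpoId -All |
            Where-Object { $_.Permission -eq 'GpoApply' } |
            ForEach-Object { $_.Trustee.Name }

        [pscustomobject]@{
            Applied        = $rank                      # 1 = first applied, last = winner
            Gpo            = $link.DisplayName
            LinkedAt       = $link.Target               # domain root or the OU holding the link
            Enforced       = $link.Enforced
            LinkEnabled    = $link.Enabled
            GpoStatus      = $gpo.GpoStatus             # e.g. UserSettingsDisabled
            SecurityFilter = ($applyTo -join ', ')
            WmiFilter      = $gpo.WmiFilter.Name
        }
    }
}

# Placeholder OU in the style of the HR example above.
Get-EffectiveGpoOrder -OuDistinguishedName 'OU=HR,OU=Users,DC=corp,DC=example' |
    Format-Table -AutoSize
```

Reading the output: a GPO linked at the domain root that is also enforced will sort to the bottom even though domain links normally apply before OU links, which is the one exception to "closest to the object wins". A GPO whose SecurityFilter column no longer contains Authenticated Users (or the intended group) is linked but effectively applies to nobody, a common source of "the policy is there but nothing changes" tickets.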
 
LVL 3

Author Comment

by:pma111
Thanks Mike, what type of GPO would your HR get that your accountancy wouldn't? Can you provide some examples?
 
LVL 57

Expert Comment

by:Mike Kline
In our case currently all our users get the same lockdowns.

A better example may be if you have developers.  You may not want as strict lockdowns on their PCs....or maybe on your PCs (the admins)

For example I may want developers and admins to have access to the command prompt but not necessarily HR or accounting users.