Group Policy AD Management

Are there any tips you can give for overall management of Active Directory and group policies to keep the whole thing in order? I can see places with hundreds of group policies all over and not having a clue what's being applied where. Any overall tips for management and administration of an AD to keep the house in order - opinions for AD / GP admins as opposed to links...
pma111 Asked:
 
Mike Kline Commented:
There are books written on GP and really good mailing lists. I have a list of recommendations here

http://adisfun.blogspot.com/2009/07/group-policy-recomendations.html

The main thing I'd say is get to know the Group Policy Management console as that will be your main place for working with group policies.  

I'd also say don't have too many cooks in the "group policy kitchen"; try to limit the number of people working on GPOs.

...and the most important thing is always test a setting/change first before deploying into production.

Thanks

Mike
0
 
Darius Ghassem Commented:
Well, hopefully you are using Group Policy Management console for deploying GPOs. Second, I like to name the GPOs something that will jump out to an Admin telling them what is configured within the GPO and why. Also, I keep an Excel Spreadsheet that describes each GPO, purpose of GPO, what users the GPO will be applied to, where the GPO is applied (OU).
0
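The "which GPO is applied where" part of such a spreadsheet can be generated rather than typed. The following PowerShell is an added example, not code from this thread: the function name `ConvertTo-GpoInventoryRow`, the GPO names and the `example.test` paths are made up for illustration, and the sample XML is constructed in the layout that `Get-GPOReport -ReportType Xml` produces.

```powershell
# Added example. $SampleReports is CONSTRUCTED data in the layout that
# Get-GPOReport -ReportType Xml emits; names and paths are placeholders.
$SampleReports = @(
@'
<GPO xmlns="http://www.microsoft.com/GroupPolicy/Settings">
  <Name>HR - Desktop Lockdown</Name>
  <ModifiedTime>2024-01-15T09:30:00</ModifiedTime>
  <LinksTo><SOMPath>example.test/Departments/HR</SOMPath><Enabled>true</Enabled><NoOverride>false</NoOverride></LinksTo>
  <LinksTo><SOMPath>example.test/Departments/Accounting</SOMPath><Enabled>false</Enabled><NoOverride>false</NoOverride></LinksTo>
</GPO>
'@,
@'
<GPO xmlns="http://www.microsoft.com/GroupPolicy/Settings">
  <Name>Old Printer Test</Name>
  <ModifiedTime>2019-03-02T14:00:00</ModifiedTime>
</GPO>
'@
)

function ConvertTo-GpoInventoryRow {
    # Hypothetical helper: one output row per GPO link, or one row marked
    # '(unlinked)' when the report contains no <LinksTo> element at all.
    param([Parameter(Mandatory)][string[]]$ReportXml)
    foreach ($text in $ReportXml) {
        $gpo   = ([xml]$text).GPO
        $links = @($gpo.ChildNodes | Where-Object { $_.LocalName -eq 'LinksTo' })
        if ($links.Count -eq 0) {
            $links = @([pscustomobject]@{ SOMPath = '(unlinked)'; Enabled = $null; NoOverride = $null })
        }
        foreach ($l in $links) {
            [pscustomobject]@{
                GPO         = $gpo.Name
                LinkedTo    = $l.SOMPath
                LinkEnabled = $l.Enabled      # 'false' = link exists but is switched off
                Enforced    = $l.NoOverride   # 'true'  = link is enforced
                Modified    = $gpo.ModifiedTime
            }
        }
    }
}

ConvertTo-GpoInventoryRow -ReportXml $SampleReports | Format-Table -AutoSize

# On a domain-joined host with the GroupPolicy module, use live reports instead:
#   $live = Get-GPO -All | ForEach-Object { Get-GPOReport -Guid $_.Id -ReportType Xml }
#   ConvertTo-GpoInventoryRow -ReportXml $live | Export-Csv .\gpo-inventory.csv -NoTypeInformation
```

Rows showing `(unlinked)` or a `LinkEnabled` value of `false` are the ones to review first when cleaning up a domain with many GPOs.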
 
moon_blue69 Commented:
Hi

1. First thing I would suggest: study the business structure and understand what is required.
2. Group Computers and Users and bring them under different OUs as per requirement.
3. Now apply group policy at the OU level.
4. If it's domain wide, add a new policy at the domain level.
5. If it's site wide, add a new policy at the site level.

Remember the policy processing order:

local->site->domain->ou.

In case of a conflict, the closest one to the object will win. Otherwise it's cumulative.

Hope this helps
0
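The processing order and conflict rule described above can be modelled in a few lines. This PowerShell is an added example, not code from this thread: the function `Resolve-EffectiveSetting`, the GPO names and the setting names are constructed for illustration. It models only the local, site, domain, OU order with "closest wins" and leaves out enforced links, blocked inheritance and security filtering.

```powershell
# Added example: model of the processing order local -> site -> domain -> OU.
# Every GPO name and setting here is CONSTRUCTED for illustration.
$ScopeOrder = @{ Local = 0; Site = 1; Domain = 2; OU = 3 }

# GPOs that reach one user, listed in no particular order.
# Depth = how far down the OU tree the link sits (0 for non-OU scopes).
$Applied = @(
    [pscustomobject]@{ Name = 'OU Developers'; Scope = 'OU'; Depth = 2
                       Settings = @{ CmdPromptBlocked = $false } }
    [pscustomobject]@{ Name = 'Domain Baseline'; Scope = 'Domain'; Depth = 0
                       Settings = @{ CmdPromptBlocked = $true; ScreenLockSeconds = 900 } }
    [pscustomobject]@{ Name = 'OU Staff'; Scope = 'OU'; Depth = 1
                       Settings = @{ Wallpaper = 'corp.bmp' } }
    [pscustomobject]@{ Name = 'Branch Site'; Scope = 'Site'; Depth = 0
                       Settings = @{ ScreenLockSeconds = 600 } }
)

function Resolve-EffectiveSetting {
    param([Parameter(Mandatory)][object[]]$Gpo)
    $effective = [ordered]@{}
    # Apply in processing order; among OUs, parents (lower Depth) before children.
    $inOrder = $Gpo | Sort-Object { $ScopeOrder[$_.Scope] }, Depth
    foreach ($g in $inOrder) {
        foreach ($key in $g.Settings.Keys) {
            # A later GPO overwrites an earlier one only for settings both define;
            # settings defined by just one GPO are kept (the cumulative part).
            $effective[$key] = [pscustomobject]@{
                Setting    = $key
                Value      = $g.Settings[$key]
                WinningGpo = $g.Name
            }
        }
    }
    $effective.Values
}

Resolve-EffectiveSetting -Gpo $Applied | Format-Table -AutoSize
```

With this sample data the result is `ScreenLockSeconds` 900 from Domain Baseline (domain beats site), `CmdPromptBlocked` False from OU Developers (the OU closest to the user beats the domain), and `Wallpaper` from OU Staff, which no other GPO contests.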

 
jjmartineziii Commented:
To me, GP organization is all about naming.

I name my GPOs like this:
<sitename> - <scope> - <type> - <name>

Example:
Branch Office - Site - Policy - Software Restrictions
Branch Office - Rm215 - Software - Adobe Reader


This helps me determine exactly what a GPO has at a glance.
0
 
pma111 (Author) Commented:
Are there any security issues that are managed through group policy outside your typical domain password policy? If so, can anyone give some examples of security issues that are managed through group policy?
0
 
Mike Kline Commented:
There are a lot of security issues that can be managed via group policy:

file permissions, user rights assignments, assigning local admins, event log policies, locking down the user experience (programs they can run, drives they can see, etc.)

You can do almost anything with a GPO (even more powerful with group policy preferences).

Thanks

Mike
0
 
Darius Ghassem Commented:
Tons of things can be applied through a GPO, security being one of the biggest.
0
 
pma111 (Author) Commented:
Not over familiar with the term "user rights assignments". Any pointers? Prefer comments to links but thanks everyone.
0
 
Mike Kline Commented:
User rights assignments are elevated rights like "act as part of the operating system", "allow logon locally".

There is an entire list; I'm going to provide a link to them because I don't feel like typing them all out :)


http://technet.microsoft.com/en-us/library/cc780182(WS.10).aspx

Thanks

Mike
0
 
pma111 (Author) Commented:
Finally, can you give me some ideas and practical examples (a few different ones would be good) on what type of group policy would be applied to an OU as opposed to a domain, what type of GP would be applied to a site as opposed to an OU, etc. I just read up on the hierarchy but it would help put it into perspective what types of policies are typically applied at one level as opposed to the others. And also where do forests come into it?
0
 
Mike Kline Commented:
We don't use site-linked GPOs where I am, and they are not used as widely in general, but suppose you wanted everyone in your remote site to have the same GPO: you could link the GPO at the site level.

One common example of applying to an OU is if you split out your OUs by department (accounting, HR, etc).  If you only want HR users to get a policy you would link it to that OU.  You can also use something known as security filtering to restrict who receives an OU.  

If you want every user to get the setting (assuming it is a user based GPO) then you link it at the domain level.

Forests don't really come into play in terms of OU linking.  You can't link a GPO at the forest level.  Not sure what you were looking for though (in terms of forest info)

Thanks

Mike
0
 
pma111 (Author) Commented:
Thanks Mike, what type of GPO would your HR get that your accountancy wouldn't? Can you provide some examples?
0
 
Mike Kline Commented:
In our case currently all our users get the same lockdowns.

A better example may be if you have developers.  You may not want as strict lockdowns on their PCs....or maybe on your PCs (the admins)

For example I may want developers and admins to have access to the command prompt but not necessarily HR or accounting users.
0
Question has a verified solution.
