Pau Lo
asked on
Group Policy AD Management
Are there any tips you can give for overall management of Active Directory and group policies to keep the whole thing in order? I can see places with hundreds of group policies all over and not having a clue what's being applied where. Any overall tips for management and administration of an AD to keep the house in order - opinions for AD / GP admins as opposed to links...
There are a lot of security issues that can be managed via group policy:
file permissions, user rights assignments, assigning local admins, event log policies, locking down the user experience (programs they can run, drives they can see, etc).
You can do almost anything with a GPO (even more powerful with group policy preferences)
Thanks
Mike
Tons of things can be applied through a GPO, security being one of the biggest.
ASKER
Not over familiar with the term "user rights assignments". Any pointers? Prefer comments to links but thanks everyone.
User rights assignments are elevated rights like "act as part of the operating system", "allow logon locally".
There is an entire list, I'm going to provide a link to them because I don't feel like typing them all out :)
http://technet.microsoft.com/en-us/library/cc780182(WS.10).aspx
Thanks
Mike
ASKER
Finally, can you give me some ideas and practical examples (a few different ones would be good) on what type of group policy would be applied to an OU as opposed to a domain, what type of GP would be applied to a site as opposed to an OU, etc. I just read up on the hierarchy but it would help put it into perspective what types of policies are typically applied at one level as opposed to the others. And also where do forests come into it?
We don't use site-linked GPOs where I am, and they are not used as widely in general, but suppose you wanted everyone in your remote site to have the same GPO: you could link the GPO at the site level.
One common example of applying to an OU is if you split out your OUs by department (accounting, HR, etc). If you only want HR users to get a policy you would link it to that OU. You can also use something known as security filtering to restrict who receives an OU.
If you want every user to get the setting (assuming it is a user based GPO) then you link it at the domain level.
Forests don't really come into play in terms of OU linking. You can't link a GPO at the forest level. Not sure what you were looking for though (in terms of forest info).
Thanks
Mike
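Added example (not part of the original thread or any poster's reply): one way to answer "what's being applied where" is to list every GPO link on the domain root and each OU, together with its security filtering, and then flag GPOs that have no such link. It assumes the RSAT GroupPolicy and ActiveDirectory modules and read access to the domain; site-level links are not inspected.

```powershell
# Added example: requires the GroupPolicy and ActiveDirectory modules (RSAT)
# and read access to the domain. Run from a domain-joined management host.
Import-Module GroupPolicy, ActiveDirectory

# Containers inspected here: the domain root and every OU.
# (Site links live in the Configuration partition and are not covered.)
$targets = @((Get-ADDomain).DistinguishedName) +
           @(Get-ADOrganizationalUnit -Filter * |
               Select-Object -ExpandProperty DistinguishedName)

$report = foreach ($dn in $targets) {
    $som = Get-GPInheritance -Target $dn
    foreach ($link in $som.GpoLinks) {
        # Security filtering = trustees granted "Apply group policy" (GpoApply).
        # SilentlyContinue: a link can point at a GPO that was since deleted.
        $appliesTo = Get-GPPermission -Guid $link.GpoId -All -ErrorAction SilentlyContinue |
            Where-Object { $_.Permission -eq 'GpoApply' } |
            ForEach-Object { $_.Trustee.Name }

        [pscustomobject]@{
            LinkedTo           = $dn
            Gpo                = $link.DisplayName
            Order              = $link.Order
            LinkEnabled        = $link.Enabled
            Enforced           = $link.Enforced
            InheritanceBlocked = $som.GpoInheritanceBlocked
            SecurityFiltering  = ($appliesTo -join '; ')
            GpoId              = $link.GpoId
        }
    }
}

# What is linked where, in link order per container.
$report | Sort-Object LinkedTo, Order |
    Format-Table LinkedTo, Gpo, Order, LinkEnabled, Enforced, SecurityFiltering -AutoSize

# GPOs with no domain or OU link: review candidates (check site links first).
$linkedIds = $report.GpoId | Select-Object -Unique
Get-GPO -All |
    Where-Object { $_.Id -notin $linkedIds } |
    Select-Object DisplayName, Id, GpoStatus, ModificationTime
```

Links with an empty SecurityFiltering column apply to nobody, and links where Enforced is true override a lower OU's blocked inheritance, so both are worth reviewing first.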
ASKER
Thanks Mike, what type of GPO would your HR get that your accountancy wouldn't? Can you provide some examples?
In our case currently all our users get the same lockdowns.
A better example may be if you have developers. You may not want as strict lockdowns on their PCs....or maybe on your PCs (the admins)
For example I may want developers and admins to have access to the command prompt but not necessarily HR or accounting users.