Server Configuration. GPO?

Hi,

We have a medium sized office operating from a win2k3 SBS server.

What I would like to achieve is define & apply different security policies (e.g. screen saver time out, disabling of administrative shares etc) to servers compared to those policies pushed out to workstations.

We currently push policies out based on user groups in AD using GPO, but would like to have a separate policy for server machines (regardless of which user is Remote Desktop or TS'd in).

Thanks in advance,
Roger Adams asked:

Justin Owens (ITIL Problem Manager) commented:
If your policies are based on group membership of the users, you will get conflicting GPOs if you also start applying policies to machines (servers).  A better approach is to probably use machine based GPO and keep your servers in separate OUs or groups.

http://rdsrc.us/4ghGWC

This is an Article I wrote on this site discussing the philosophies of GPO restrictions.  It may be of benefit to you.

DrUltima
0

Roger Adams (Author) commented:
Thanks Dr, for the advice and link to your article.

So just to ensure I understand you correctly:
In terms of rolling out the GPOs: you recommend scrapping the use of user groups to roll out GPOs and building computer groups in AD? i.e. adding new computers to a 'client computers' group as and when they are deployed, adding servers to a separate 'company servers' group, and applying separate GPOs to each group?

Thanks
0
Justin Owens (ITIL Problem Manager) commented:
If it was me, I would use OU membership rather than group membership.  Have all your workstations in one OU.  Have all your servers in a different OU (which you could break out further with Sub OUs to single out things like Exchange, SQL, or Terminal Services).  I prefer to not tie GPO to group membership at all.

DrUltima
0

Roger Adams (Author) commented:
Great, thanks for the advice.

Currently all domained computers reside in the 'computers' (what looks like an) OU.

To move the server machines into a new 'servers' OU I have created, is it simply a drag and drop in AD? Or is a script required? I've been skimming some articles online, but thought I'd seek your expert opinion as to what the implications are...

Thanks again
0
Justin Owens (ITIL Problem Manager) commented:
Drag and drop with the GUI.  You can script it, yes.  I wouldn't bother, though.  You just need to make sure you don't move special machines, like DCs.  In your search, change Find: to Computers and then Servers and Workstations as the Role.  See attached image....
[Attached image: ADUC Find Computer]

Let me know if you have any questions.

DrUltima
0
Roger Adams (Author) commented:
What if one of the servers I was intending to move is a DC? =) How best to approach that?
0
Justin Owens (ITIL Problem Manager) commented:
DO NOT EVER MOVE A DC OUT OF ITS PROTECTED OU.  I normally don't like to come across shouting, but this is a great way to completely break AD.  It can be done, yes.  But, if not done perfectly, you will have a gigantic mess on your hands.  Just leave the DCs well enough alone.  No one should be remotely logging into them other than Domain Admins, anyway.  I was assuming you were trying to apply these policies to a machine other than your SBS.

DrUltima
0
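The two points above (moving the non-DC machines out of the default Computers container, and never touching the DCs) as an added example script, not code from the thread or from DrUltima's article. It assumes the ActiveDirectory PowerShell module (RSAT, Windows Server 2008 R2 or later AD) is available; the target OU name is a placeholder:

```powershell
# Added example (not from the thread): move non-DC computers from the default
# Computers container into a Workstations OU, refusing to move domain controllers.
# Assumes the ActiveDirectory module (RSAT); OU name below is a placeholder.
Import-Module ActiveDirectory

$domainDn = (Get-ADDomain).DistinguishedName
$sourceDn = "CN=Computers,$domainDn"        # default container new machines land in
$targetOu = "OU=Workstations,$domainDn"     # placeholder OU; create it in ADUC first

# Domain controllers belong in the protected 'Domain Controllers' OU and must stay there.
$dcNames = Get-ADDomainController -Filter * | ForEach-Object { $_.Name.ToUpper() }

$candidates = Get-ADComputer -SearchBase $sourceDn -SearchScope OneLevel -Filter * `
              -Properties OperatingSystem

foreach ($c in $candidates) {
    if ($dcNames -contains $c.Name.ToUpper()) {
        Write-Warning "Skipping domain controller $($c.Name)"
        continue
    }
    # Servers get their own OU later; only move machines reporting a client OS.
    if ($c.OperatingSystem -like '*Server*') {
        Write-Host "Leaving server $($c.Name) ($($c.OperatingSystem)) in place"
        continue
    }
    # -WhatIf only reports what would move; drop it once the list looks right.
    Move-ADObject -Identity $c.DistinguishedName -TargetPath $targetOu -WhatIf
}
```

Run it first with -WhatIf in place and compare the output against the ADUC Find results before letting it move anything.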
Roger Adams (Author) commented:
Okay, so how about the reverse.

Creating an OU called 'workstations', dragging & dropping all workstations out of the default 'computer' OU into it... does that appear okay?
0
Justin Owens (ITIL Problem Manager) commented:
Yup, that would be fine. :)
0
Roger Adams (Author) commented:
Thanks very much! I'll start playing...

While I have your jedi-wisdom tuned in: would the same apply to users? i.e. Can I simply drag and drop users into new OUs? Do they still remain linked to the groups they were linked to in the previous OU, or do the groups need to be created again in the new OU? etc.

(In case you hadn't realised: we have been operating a small AD with no custom OUs and are now starting to see the benefit, and are looking at implementing them for the first time...)

0
Justin Owens (ITIL Problem Manager) commented:
OU and Groups have no linkage whatsoever (except in the case of a few protected groups, like Domain Admins, Enterprise Admins, etc.).  It is generally safe to move them around as you have need.  GPOs are linked at a certain level and traverse down.  Security filters using groups would require the GPO to be applied to every OU in which the users/computers reside which utilize that group.  It can get confusing, which is why I recommend one or the other, but not both.  My personal preference is OU level rather than group security filtering.

Remember, these are not the droids you are looking for....

DrUltima
0
Roger Adams (Author) commented:
Makes sense, thanks very much....
Final question... I understand a user may only be in one OU at a time, is that correct?

If so, how does one approach a situation where:
I create an 'employees' OU. Create a sub-OU for 'finance' and 'admin'. Users' network drives and printers are mapped at login time according to their OU membership, using a login script.

What if someone in finance works on the admin team a few days in the week & needs access to the admin drives? In Group security I would simply have added them to the group & bang, next login they would have both the drives...

Traveling through hyperspace ain't like dusting crops, boy.
0
Justin Owens (ITIL Problem Manager) commented:
You are comparing apples to oranges....

Your single login script can easily mitigate that by analyzing group membership.  Remember that you cannot set NTFS permission from OU membership.  That comes from group membership.  I would have a single OU for employees and then use group membership to handle drive mapping.

DrUltima
0
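The single login script DrUltima describes, mapping drives from group membership rather than OU, as an added example that is not part of the thread. It assumes PowerShell 3.0 or later on the client (for New-PSDrive -Persist); the group names and share paths are placeholders:

```powershell
# Added example (not from the thread): logon script that maps drives by the
# groups in the user's logon token. Group names and UNC paths are placeholders.
$driveMap = @{
    'Finance Staff' = @{ Letter = 'F'; Path = '\\fileserver\finance' }
    'Admin Team'    = @{ Letter = 'A'; Path = '\\fileserver\admin' }
}

# Resolve the SIDs in the token to group names; nested groups are already
# expanded in the token, so no LDAP query is needed at logon.
$identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$groups = foreach ($sid in $identity.Groups) {
    try { ($sid.Translate([System.Security.Principal.NTAccount])).Value.Split('\')[-1] }
    catch { }   # orphaned SIDs cannot be translated; ignore them
}

foreach ($groupName in $driveMap.Keys) {
    $entry = $driveMap[$groupName]
    if ($groups -contains $groupName) {
        # A user in both groups gets both drives; no OU change is needed.
        New-PSDrive -Name $entry.Letter -PSProvider FileSystem -Root $entry.Path `
                    -Persist -Scope Global -ErrorAction SilentlyContinue | Out-Null
        Write-Host "Mapped $($entry.Letter): to $($entry.Path) (via $groupName)"
    } elseif (Test-Path "$($entry.Letter):") {
        # Drop a stale mapping once the user has been removed from the group;
        # the NTFS ACL on the share is still what actually controls access.
        Remove-PSDrive -Name $entry.Letter -Force -ErrorAction SilentlyContinue
    }
}
```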
Roger Adams (Author) commented:
Thanks for the help, mate.

May the force be with you
0