Configuration management policy in windows environment

Posted on 2011-09-29
Last Modified: 2012-05-12

WHat does a "configuration management" policy typically include when talking about windows workstations/servers/directory services?

Do you have such a policy in your IT environemnts? Is it documented?

Whats the risk if you dont have a config management policy?

How does it differ to change management policies?

And if you outsource your support and hosting of windows workstations/servers/AD - do you (internal) or your 3rd party (outsourced hoster and supplier) own the config mgmt policy?
Question by:pma111
  • 3
LVL 22

Accepted Solution

yo_bee earned 500 total points
ID: 36814438
Great questions and sorry if I repeat anything anyone else has posted prior.  I read this question before anyone replied.

<1:WHat does a "configuration management" policy typically include when talking about windows workstations/servers/directory services? >
The typical settings to start with are the two default ones that are created by default.  Open GPMC (Group Policy Management Console) and click on the <domain>.Local or whatever it is called. Once expanded you will see Default Domain Policy.  You should see four tabs.  Click on settings and this will show you what is currently configured (enabled or disabled).  This is a good starting point to look at, but it is not recommended to make any modification to this GPO (Group Policy Object).  When you want to make an adjustment create a new GPO.  Right Click the OU or DC and select Create New Group Policy.

Here are some good links to read up on that help explain this
Best Practice: Active Directory Structure Guidelines – Part 1
Best Practice: Group Policy Design Guidelines – Part 2
This one is from Microsoft
Step-by-Step Guide to Understanding the Group Policy Feature Set  T

There are a plethora of options to change and you can add controls like Office (2003/2007/2010) settings by just downloading the ADM(AD 2000/2003) or ADMX(AD 2008) to the GPO.  This will give you more global control of other client options.
GPO's can be targeted to security groups or even individuals.  This is something you will learn as you deal more and more with GPO)
There are two sets of settings Computer and User.  They mean exactly what they say.  A computer setting is something that will apply to anyone that connects to that computer and a User setting will just apply to the users.  So if there is a computer setting in place and you log on as a local user the GPO's that will affect that user will only be the computer base ones.

<2: Do you have such a policy in your IT environments? Is it documented?>
Always good to keep a document of these settings and changes for future reference and auditing.

<3:Whats the risk if you don’t have a config management policy?>
Your computers will all be the default settings for starters and the users will have the ability to make changes if they have access to the options.
Once a setting in applied to the client via GPO they cannot make the change to the computer.  The option becomes grayed out.

<4: How does it differ to change management policies?
Not sure what you are exactly getting at here.

<5:And if you outsource your support and hosting of windows workstations/servers/AD - do you (internal) or your 3rd party (outsourced hoster and supplier) own the config mgmt policy? >
I am pretty sure there are no licensing issues with GPO.  If you took mine unknowingly I do not think you will get in any trouble.  I do not think there is any ownership to GPO


Author Comment

ID: 36814494
So config management is basically the security settings / hardening of your servers/workstations? And a maintained document of this security settings? So when new devices are brought into operation they have to be configured to this config baseline standard?
LVL 22

Expert Comment

ID: 36814535
Well put, but does not have to only apply to the Harware it can also be set to the user level.  So if there is a setting that can reside in both computer and user the computer might be a bit looser on the setting, but for certain users it has to be set to a higher level.  So you would create a GPO targeting the User group or just create a GPO for and OU and place those users in that OU to harden for them.

You can get very granular with this and target groups of computers or users by applying to specific OU's and placing those objects in the OU of choice.

LVL 22

Expert Comment

ID: 36968067
Just an FYI:
If you  are using GPMC from a Windows 7 or Server 2008 you will also have GPP (Group Policy Preferences)  
These are additional settings that can be configured and also Item Level Targeting (Filters without having to create multiple GPO's.

Note: GPP will apply a setting, but the end user will have the ability to make a change to it, while GPO settings are set from the server end and the end user has no control of it.

If you are running a mix environment with XP and W7 machinces you can have the GPP apply to the Xp machines with Client Side Extensions installed.

Featured Post

Is Your AD Toolbox Looking More Like a Toybox?

Managing Active Directory can get complicated.  Often, the native tools for managing AD are just not up to the task.  The largest Active Directory installations in the world have relied on one tool to manage their day-to-day administration tasks: Hyena. Start your trial today.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

If you get continual lockouts after changing your Active Directory password, there are several possible reasons.  Two of the most common are using other devices to access your email and stored passwords in the credential manager of windows.
Possible fixes for Windows 7 and Windows Server 2008 updating problem. Solutions mentioned are from Microsoft themselves. I started a case with them from our Microsoft Silver Partner option to open a case and get direct support from Microsoft. If s…
This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…
This Micro Tutorial will give you a basic overview of Windows DVD Burner through its features and interface. This will be demonstrated using Windows 7 operating system.

932 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

13 Experts available now in Live!

Get 1:1 Help Now