Solved

Configuration management policy in Windows environment

Posted on 2011-09-29
Last Modified: 2012-05-12
Hey,

What does a "configuration management" policy typically include when talking about Windows workstations/servers/directory services?

Do you have such a policy in your IT environments? Is it documented?

What's the risk if you don't have a config management policy?

How does it differ to change management policies?

And if you outsource your support and hosting of Windows workstations/servers/AD - do you (internal) or your 3rd party (outsourced hoster and supplier) own the config mgmt policy?
Question by:pma111

Accepted Solution

by:
yo_bee earned 500 total points
Great questions and sorry if I repeat anything anyone else has posted prior.  I read this question before anyone replied.

<1: What does a "configuration management" policy typically include when talking about Windows workstations/servers/directory services?>
The typical settings to start with are the two default ones that are created by default.  Open GPMC (Group Policy Management Console) and click on the <domain>.Local or whatever it is called. Once expanded you will see Default Domain Policy.  You should see four tabs.  Click on settings and this will show you what is currently configured (enabled or disabled).  This is a good starting point to look at, but it is not recommended to make any modification to this GPO (Group Policy Object).  When you want to make an adjustment create a new GPO.  Right Click the OU or DC and select Create New Group Policy.

Here are some good links to read up on that help explain this:
Best Practice: Active Directory Structure Guidelines – Part 1
Best Practice: Group Policy Design Guidelines – Part 2
This one is from Microsoft:
Step-by-Step Guide to Understanding the Group Policy Feature Set
http://www.windowsecurity.com/articles/best-practices-configuring-group-policy-objects.html

There are a plethora of options to change and you can add controls like Office (2003/2007/2010) settings by just downloading the ADM (AD 2000/2003) or ADMX (AD 2008) to the GPO.  This will give you more global control of other client options.
GPOs can be targeted to security groups or even individuals.  (This is something you will learn as you deal more and more with GPOs.)
There are two sets of settings: Computer and User.  They mean exactly what they say.  A computer setting is something that will apply to anyone that connects to that computer and a User setting will just apply to the users.  So if there is a computer setting in place and you log on as a local user, the GPOs that will affect that user will only be the computer-based ones.

<2: Do you have such a policy in your IT environments? Is it documented?>
Always good to keep a document of these settings and changes for future reference and auditing.

<3: What's the risk if you don't have a config management policy?>
Your computers will all be at the default settings for starters and the users will have the ability to make changes if they have access to the options.
Once a setting is applied to the client via GPO they cannot make the change to the computer.  The option becomes grayed out.

<4: How does it differ to change management policies?>
Not sure what you are exactly getting at here.

<5: And if you outsource your support and hosting of Windows workstations/servers/AD - do you (internal) or your 3rd party (outsourced hoster and supplier) own the config mgmt policy?>
I am pretty sure there are no licensing issues with GPO.  If you took mine unknowingly I do not think you will get in any trouble.  I do not think there is any ownership to GPO


Author Comment

by:pma111
So config management is basically the security settings / hardening of your servers/workstations? And a maintained document of these security settings? So when new devices are brought into operation they have to be configured to this config baseline standard?

Expert Comment

by:yo_bee
Well put, but it does not have to only apply to the hardware; it can also be set at the user level.  So if there is a setting that can reside in both computer and user, the computer might be a bit looser on the setting, but for certain users it has to be set to a higher level.  So you would create a GPO targeting the User group or just create a GPO for an OU and place those users in that OU to harden for them.

You can get very granular with this and target groups of computers or users by applying to specific OUs and placing those objects in the OU of choice.



Expert Comment

by:yo_bee
Just an FYI:
If you are using GPMC from Windows 7 or Server 2008 you will also have GPP (Group Policy Preferences).
These are additional settings that can be configured, and also Item Level Targeting (filters without having to create multiple GPOs).

Note: GPP will apply a setting, but the end user will have the ability to make a change to it, while GPO settings are set from the server end and the end user has no control of it.

If you are running a mixed environment with XP and W7 machines you can have the GPP apply to the XP machines with Client Side Extensions installed.
http://www.microsoft.com/download/en/details.aspx?id=3628
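
The accepted answer's advice to keep a document of GPO settings and changes for auditing can be automated. The PowerShell below is an added example, not code from any poster in this thread: it saves a settings report per GPO and flags GPOs that changed since the last run. It assumes the GroupPolicy module that ships with GPMC/RSAT; the `C:\GpoBaseline` folder and `manifest.csv` name are hypothetical.

```powershell
# Added example: snapshot every GPO and report drift from the previous snapshot.
# Assumes the GroupPolicy module (GPMC/RSAT) and read access to the domain's GPOs.
# $BaselineDir and manifest.csv are hypothetical names chosen for this example.
Import-Module GroupPolicy

$BaselineDir  = 'C:\GpoBaseline'
$ManifestPath = Join-Path $BaselineDir 'manifest.csv'
$ReportDir    = Join-Path $BaselineDir ('reports-' + (Get-Date -Format 'yyyyMMdd-HHmmss'))
New-Item -ItemType Directory -Path $ReportDir -Force | Out-Null

# Load the previous manifest (if any), keyed by GPO GUID.
$previous = @{}
if (Test-Path $ManifestPath) {
    Import-Csv $ManifestPath | ForEach-Object { $previous[$_.Id] = $_ }
}

# Record each GPO's version counters and write a readable settings report.
# The counters increase on every edit, so they are compared instead of the
# report text, which embeds the time it was generated.
$current = foreach ($gpo in Get-GPO -All) {
    Get-GPOReport -Guid $gpo.Id -ReportType Html -Path (Join-Path $ReportDir "$($gpo.Id).html")
    [pscustomobject]@{
        Id              = $gpo.Id.ToString()
        DisplayName     = $gpo.DisplayName
        ComputerVersion = $gpo.Computer.DSVersion
        UserVersion     = $gpo.User.DSVersion
        Modified        = $gpo.ModificationTime.ToString('s')
    }
}

# New GPOs and GPOs whose Computer or User side was edited since the last run.
$drift = foreach ($row in $current) {
    $old = $previous[$row.Id]
    if (-not $old) {
        [pscustomobject]@{ DisplayName = $row.DisplayName; Change = 'New GPO' }
    } elseif ([int]$old.ComputerVersion -ne $row.ComputerVersion -or
              [int]$old.UserVersion -ne $row.UserVersion) {
        [pscustomobject]@{ DisplayName = $row.DisplayName; Change = "Edited $($row.Modified)" }
    }
}
# GPOs present in the old manifest but no longer in the domain.
$removed = $previous.Values | Where-Object { $current.Id -notcontains $_.Id } |
    ForEach-Object { [pscustomobject]@{ DisplayName = $_.DisplayName; Change = 'Deleted' } }

@($drift) + @($removed) | Format-Table -AutoSize
$current | Export-Csv -Path $ManifestPath -NoTypeInformation
```

On the first run every GPO is listed as new; later runs list only GPOs that differ from the saved manifest, which can then be matched against approved change records.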