Configuration management policy in Windows environment

Hey,

What does a "configuration management" policy typically include when talking about Windows workstations/servers/directory services?

Do you have such a policy in your IT environments? Is it documented?

What's the risk if you don't have a config management policy?

How does it differ to change management policies?

And if you outsource your support and hosting of Windows workstations/servers/AD - do you (internal) or your 3rd party (outsourced hoster and supplier) own the config mgmt policy?
pma111 Asked:
 
yo_bee Director of Information Technology Commented:
Great questions and sorry if I repeat anything anyone else has posted prior.  I read this question before anyone replied.

<1: What does a "configuration management" policy typically include when talking about windows workstations/servers/directory services? >
The typical settings to start with are the two default ones that are created by default.  Open GPMC (Group Policy Management Console) and click on the <domain>.Local or whatever it is called. Once expanded you will see Default Domain Policy.  You should see four tabs.  Click on settings and this will show you what is currently configured (enabled or disabled).  This is a good starting point to look at, but it is not recommended to make any modification to this GPO (Group Policy Object).  When you want to make an adjustment create a new GPO.  Right Click the OU or DC and select Create New Group Policy.

Here are some good links to read up on that help explain this
Best Practice: Active Directory Structure Guidelines – Part 1
Best Practice: Group Policy Design Guidelines – Part 2
This one is from Microsoft
Step-by-Step Guide to Understanding the Group Policy Feature Set
http://www.windowsecurity.com/articles/best-practices-configuring-group-policy-objects.html

There are a plethora of options to change and you can add controls like Office (2003/2007/2010) settings by just downloading the ADM (AD 2000/2003) or ADMX (AD 2008) to the GPO.  This will give you more global control of other client options.
GPOs can be targeted to security groups or even individuals.  This is something you will learn as you deal more and more with GPOs.
There are two sets of settings: Computer and User.  They mean exactly what they say.  A computer setting is something that will apply to anyone that connects to that computer and a User setting will just apply to the users.  So if there is a computer setting in place and you log on as a local user, the GPOs that will affect that user will only be the computer-based ones.

<2: Do you have such a policy in your IT environments? Is it documented?>
Always good to keep a document of these settings and changes for future reference and auditing.

<3: What's the risk if you don’t have a config management policy?>
Your computers will all be the default settings for starters and the users will have the ability to make changes if they have access to the options.
Once a setting is applied to the client via GPO they cannot make the change to the computer.  The option becomes grayed out.

<4: How does it differ to change management policies?>
Not sure what you are exactly getting at here.

<5:And if you outsource your support and hosting of windows workstations/servers/AD - do you (internal) or your 3rd party (outsourced hoster and supplier) own the config mgmt policy? >
I am pretty sure there are no licensing issues with GPO.  If you took mine unknowingly I do not think you will get in any trouble.  I do not think there is any ownership to GPO.

0
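As an added example (not part of the thread, and not yo_bee's or Microsoft's own code), the approach described in the answer above, a dedicated GPO instead of edits to the Default Domain Policy plus a kept record of the settings, looks like this with the GroupPolicy PowerShell module. The GPO name, OU path and output folder are placeholders, and the screen-lock user setting is chosen only for illustration.

```powershell
# Added example. Run from a machine with GPMC/RSAT installed, as an account
# allowed to create and link GPOs. All names below are placeholders.
Import-Module GroupPolicy

$GpoName  = 'Staff-ScreenLock-Baseline'        # hypothetical GPO name
$TargetOu = 'OU=Staff,DC=example,DC=local'     # hypothetical OU holding the users
$DocRoot  = 'C:\GPO-Docs'                      # hypothetical documentation folder

# 1. Create a dedicated GPO (idempotent) and leave the Default Domain Policy alone.
$gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $GpoName -Comment 'Screen lock baseline for staff users'
}

# 2. User-side policy settings: lock the session after 15 minutes idle.
$key = 'HKCU\Software\Policies\Microsoft\Windows\Control Panel\Desktop'
$settings = [ordered]@{
    ScreenSaveActive    = '1'
    ScreenSaverIsSecure = '1'
    ScreenSaveTimeOut   = '900'   # seconds
}
foreach ($name in $settings.Keys) {
    Set-GPRegistryValue -Name $GpoName -Key $key -ValueName $name `
        -Type String -Value $settings[$name] | Out-Null
}

# 3. Link the GPO to the OU only if it is not linked there already.
$linked = (Get-GPInheritance -Target $TargetOu).GpoLinks |
    Where-Object { $_.DisplayName -eq $GpoName }
if (-not $linked) {
    New-GPLink -Name $GpoName -Target $TargetOu -LinkEnabled Yes | Out-Null
}

# 4. Document the result: a readable report for this GPO, an XML report of
#    every GPO for diffing between audits, and a restorable backup.
$outDir = Join-Path $DocRoot (Get-Date -Format 'yyyyMMdd-HHmmss')
New-Item -ItemType Directory -Path $outDir -Force | Out-Null
Get-GPOReport -Name $GpoName -ReportType Html -Path (Join-Path $outDir "$GpoName.html")
Get-GPOReport -All -ReportType Xml -Path (Join-Path $outDir 'all-gpos.xml')
Backup-GPO -All -Path $outDir | Out-Null
```

Comparing `all-gpos.xml` from two dated folders shows which settings changed between audits.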
 
pma111 Author Commented:
So config management is basically the security settings / hardening of your servers/workstations? And a maintained document of these security settings? So when new devices are brought into operation they have to be configured to this config baseline standard?
0
 
yo_bee Director of Information Technology Commented:
Well put, but it does not have to only apply to the hardware; it can also be set at the user level.  So if there is a setting that can reside in both computer and user, the computer might be a bit looser on the setting, but for certain users it has to be set to a higher level.  So you would create a GPO targeting the User group or just create a GPO for an OU and place those users in that OU to harden for them.

You can get very granular with this and target groups of computers or users by applying to specific OU's and placing those objects in the OU of choice.


0
 
yo_bee Director of Information Technology Commented:
Just an FYI:
If you are using GPMC from a Windows 7 or Server 2008 you will also have GPP (Group Policy Preferences).
These are additional settings that can be configured and also Item Level Targeting (filters without having to create multiple GPOs).

Note: GPP will apply a setting, but the end user will have the ability to make a change to it, while GPO settings are set from the server end and the end user has no control of it.

If you are running a mixed environment with XP and W7 machines you can have the GPP apply to the XP machines with Client Side Extensions installed.
http://www.microsoft.com/download/en/details.aspx?id=3628
0
Question has a verified solution.
