Want to win a PS4? Go Premium and enter to win our High-Tech Treats giveaway. Enter to Win


Configuration management policy in windows environment

Posted on 2011-09-29
Medium Priority
Last Modified: 2012-05-12

WHat does a "configuration management" policy typically include when talking about windows workstations/servers/directory services?

Do you have such a policy in your IT environemnts? Is it documented?

Whats the risk if you dont have a config management policy?

How does it differ to change management policies?

And if you outsource your support and hosting of windows workstations/servers/AD - do you (internal) or your 3rd party (outsourced hoster and supplier) own the config mgmt policy?
Question by:pma111
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
LVL 23

Accepted Solution

yo_bee earned 2000 total points
ID: 36814438
Great questions and sorry if I repeat anything anyone else has posted prior.  I read this question before anyone replied.

<1:WHat does a "configuration management" policy typically include when talking about windows workstations/servers/directory services? >
The typical settings to start with are the two default ones that are created by default.  Open GPMC (Group Policy Management Console) and click on the <domain>.Local or whatever it is called. Once expanded you will see Default Domain Policy.  You should see four tabs.  Click on settings and this will show you what is currently configured (enabled or disabled).  This is a good starting point to look at, but it is not recommended to make any modification to this GPO (Group Policy Object).  When you want to make an adjustment create a new GPO.  Right Click the OU or DC and select Create New Group Policy.

Here are some good links to read up on that help explain this
Best Practice: Active Directory Structure Guidelines – Part 1
Best Practice: Group Policy Design Guidelines – Part 2
This one is from Microsoft
Step-by-Step Guide to Understanding the Group Policy Feature Set  T

There are a plethora of options to change and you can add controls like Office (2003/2007/2010) settings by just downloading the ADM(AD 2000/2003) or ADMX(AD 2008) to the GPO.  This will give you more global control of other client options.
GPO's can be targeted to security groups or even individuals.  This is something you will learn as you deal more and more with GPO)
There are two sets of settings Computer and User.  They mean exactly what they say.  A computer setting is something that will apply to anyone that connects to that computer and a User setting will just apply to the users.  So if there is a computer setting in place and you log on as a local user the GPO's that will affect that user will only be the computer base ones.

<2: Do you have such a policy in your IT environments? Is it documented?>
Always good to keep a document of these settings and changes for future reference and auditing.

<3:Whats the risk if you don’t have a config management policy?>
Your computers will all be the default settings for starters and the users will have the ability to make changes if they have access to the options.
Once a setting in applied to the client via GPO they cannot make the change to the computer.  The option becomes grayed out.

<4: How does it differ to change management policies?
Not sure what you are exactly getting at here.

<5:And if you outsource your support and hosting of windows workstations/servers/AD - do you (internal) or your 3rd party (outsourced hoster and supplier) own the config mgmt policy? >
I am pretty sure there are no licensing issues with GPO.  If you took mine unknowingly I do not think you will get in any trouble.  I do not think there is any ownership to GPO


Author Comment

ID: 36814494
So config management is basically the security settings / hardening of your servers/workstations? And a maintained document of this security settings? So when new devices are brought into operation they have to be configured to this config baseline standard?
LVL 23

Expert Comment

ID: 36814535
Well put, but does not have to only apply to the Harware it can also be set to the user level.  So if there is a setting that can reside in both computer and user the computer might be a bit looser on the setting, but for certain users it has to be set to a higher level.  So you would create a GPO targeting the User group or just create a GPO for and OU and place those users in that OU to harden for them.

You can get very granular with this and target groups of computers or users by applying to specific OU's and placing those objects in the OU of choice.

LVL 23

Expert Comment

ID: 36968067
Just an FYI:
If you  are using GPMC from a Windows 7 or Server 2008 you will also have GPP (Group Policy Preferences)  
These are additional settings that can be configured and also Item Level Targeting (Filters without having to create multiple GPO's.

Note: GPP will apply a setting, but the end user will have the ability to make a change to it, while GPO settings are set from the server end and the end user has no control of it.

If you are running a mix environment with XP and W7 machinces you can have the GPP apply to the Xp machines with Client Side Extensions installed.

Featured Post

Concerto's Cloud Advisory Services

Want to avoid the missteps to gaining all the benefits of the cloud? Learn more about the different assessment options from our Cloud Advisory team.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

In this modest contribution, I want to share with the IT community (especially system administrators, IT Support Engineers and IT Help Desks) about Windows crashes/hangs and how to deal with these particular problems.
By default Outlook 2016 displays only one time zone in the Calendar. The following article explains how to display two time zones in one calendar view.
Windows 10 is mostly good. However the one thing that annoys me is how many clicks you have to do to dial a VPN connection. You have to go to settings from the start menu, (2 clicks), Network and Internet (1 click), Click VPN (another click) then fi…
How to fix incompatible JVM issue while installing Eclipse While installing Eclipse in windows, got one error like above and unable to proceed with the installation. This video describes how to successfully install Eclipse. How to solve incompa…

610 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question