Solved

Configuration management policy in Windows environment

Posted on 2011-09-29
Last Modified: 2012-05-12
Hey,

What does a "configuration management" policy typically include when talking about Windows workstations/servers/directory services?

Do you have such a policy in your IT environments? Is it documented?

What's the risk if you don't have a config management policy?

How does it differ to change management policies?

And if you outsource your support and hosting of windows workstations/servers/AD - do you (internal) or your 3rd party (outsourced hoster and supplier) own the config mgmt policy?
0
Question by:pma111
LVL 22

Accepted Solution

by:
yo_bee earned 500 total points
ID: 36814438
Great questions and sorry if I repeat anything anyone else has posted prior.  I read this question before anyone replied.

<1: What does a "configuration management" policy typically include when talking about Windows workstations/servers/directory services?>
The typical settings to start with are the two default ones that are created by default.  Open GPMC (Group Policy Management Console) and click on the <domain>.Local or whatever it is called. Once expanded you will see Default Domain Policy.  You should see four tabs.  Click on settings and this will show you what is currently configured (enabled or disabled).  This is a good starting point to look at, but it is not recommended to make any modification to this GPO (Group Policy Object).  When you want to make an adjustment create a new GPO.  Right Click the OU or DC and select Create New Group Policy.

Here are some good links to read up on that help explain this
Best Practice: Active Directory Structure Guidelines – Part 1
Best Practice: Group Policy Design Guidelines – Part 2
This one is from Microsoft
Step-by-Step Guide to Understanding the Group Policy Feature Set
http://www.windowsecurity.com/articles/best-practices-configuring-group-policy-objects.html

There are a plethora of options to change, and you can add controls like Office (2003/2007/2010) settings by just downloading the ADM (AD 2000/2003) or ADMX (AD 2008) to the GPO.  This will give you more global control of other client options.
GPOs can be targeted to security groups or even individuals.  (This is something you will learn as you deal more and more with GPOs.)
There are two sets of settings: Computer and User.  They mean exactly what they say.  A computer setting is something that will apply to anyone that connects to that computer, and a User setting will just apply to the users.  So if there is a computer setting in place and you log on as a local user, the GPOs that will affect that user will only be the computer-based ones.

<2: Do you have such a policy in your IT environments? Is it documented?>
Always good to keep a document of these settings and changes for future reference and auditing.

<3: What's the risk if you don't have a config management policy?>
Your computers will all be the default settings for starters and the users will have the ability to make changes if they have access to the options.
Once a setting is applied to the client via GPO they cannot make the change to the computer.  The option becomes grayed out.

<4: How does it differ to change management policies?>
Not sure what you are exactly getting at here.

<5:And if you outsource your support and hosting of windows workstations/servers/AD - do you (internal) or your 3rd party (outsourced hoster and supplier) own the config mgmt policy? >
I am pretty sure there are no licensing issues with GPO.  If you took mine unknowingly I do not think you will get in any trouble.  I do not think there is any ownership to GPO

0
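
An added example (not part of yo_bee's answer) of keeping the documented record of GPO settings that the answer recommends and spotting changes between two records. It assumes the GroupPolicy PowerShell module that is installed with GPMC, read access to the domain's GPOs, and a hypothetical folder `C:\GPO-Baseline` for the snapshots.

```powershell
# Added example: snapshot every GPO's settings and list what changed since the last snapshot.
Import-Module GroupPolicy

$Root     = 'C:\GPO-Baseline'      # hypothetical location for the policy documents
$Snapshot = Join-Path $Root (Get-Date -Format 'yyyyMMdd-HHmmss')

# Find the most recent earlier snapshot before creating the new one.
$Previous = Get-ChildItem -Path $Root -ErrorAction SilentlyContinue |
            Where-Object { $_.PSIsContainer } | Sort-Object Name | Select-Object -Last 1
New-Item -ItemType Directory -Path $Snapshot -Force | Out-Null

# One index row per GPO; the version counters increase every time a GPO is edited.
$Index = foreach ($gpo in Get-GPO -All) {
    # Human-readable record of the settings, the same report the GPMC Settings tab shows.
    Get-GPOReport -Guid $gpo.Id -ReportType Html -Path (Join-Path $Snapshot "$($gpo.Id).html")
    New-Object PSObject -Property @{
        Id              = $gpo.Id.ToString()
        DisplayName     = $gpo.DisplayName
        Status          = $gpo.GpoStatus.ToString()
        ComputerVersion = $gpo.Computer.DSVersion
        UserVersion     = $gpo.User.DSVersion
        Modified        = $gpo.ModificationTime.ToString('s')
    }
}
$Index | Export-Csv -Path (Join-Path $Snapshot 'index.csv') -NoTypeInformation

# Compare against the previous snapshot, if there is one.
if ($Previous) {
    $OldById = @{}
    foreach ($row in Import-Csv -Path (Join-Path $Previous.FullName 'index.csv')) {
        $OldById[$row.Id] = $row
    }
    foreach ($row in $Index) {
        $before = $OldById[$row.Id]
        if (-not $before) {
            "NEW      $($row.DisplayName)"
        }
        elseif ("$($before.ComputerVersion)/$($before.UserVersion)" -ne
                "$($row.ComputerVersion)/$($row.UserVersion)") {
            "CHANGED  $($row.DisplayName) (modified $($row.Modified))"
        }
        $OldById.Remove($row.Id)   # whatever is left afterwards no longer exists
    }
    foreach ($gone in $OldById.Values) { "REMOVED  $($gone.DisplayName)" }
}
```

Each run leaves a dated folder of HTML reports plus an `index.csv`, so any NEW, CHANGED or REMOVED line can be checked against the change record for that date.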
 
LVL 3

Author Comment

by:pma111
ID: 36814494
So config management is basically the security settings / hardening of your servers/workstations? And a maintained document of these security settings? So when new devices are brought into operation they have to be configured to this config baseline standard?
0
 
LVL 22

Expert Comment

by:yo_bee
ID: 36814535
Well put, but it does not have to only apply to the hardware; it can also be set to the user level.  So if there is a setting that can reside in both computer and user, the computer might be a bit looser on the setting, but for certain users it has to be set to a higher level.  So you would create a GPO targeting the user group or just create a GPO for an OU and place those users in that OU to harden for them.

You can get very granular with this and target groups of computers or users by applying to specific OU's and placing those objects in the OU of choice.


0
 
LVL 22

Expert Comment

by:yo_bee
ID: 36968067
Just an FYI:
If you are using GPMC from Windows 7 or Server 2008 you will also have GPP (Group Policy Preferences).
These are additional settings that can be configured, and also Item Level Targeting (filters without having to create multiple GPOs).

Note: GPP will apply a setting, but the end user will have the ability to make a change to it, while GPO settings are set from the server end and the end user has no control of it.

If you are running a mixed environment with XP and W7 machines you can have the GPP apply to the XP machines with Client Side Extensions installed.
http://www.microsoft.com/download/en/details.aspx?id=3628
0
