+ Post New Thread
Results 1 to 4 of 4
Windows Server 2008 R2 Thread, GPO - How do you do it? in Technical; Just wondering how your GPO's shape up... 1) What do you set over machines? 2) Users a) Students b) Teaching ...
  1. #1

    Join Date
    Jan 2010
    Location
    Lincolnshire
    Posts
    87
    Thank Post
    5
    Thanked 1 Time in 1 Post
    Rep Power
    0

    Question GPO - How do you do it?

    Just wondering how your GPO's shape up...

    1) What do you set over machines?
    2) Users
    a) Students
    b) Teaching Staff
    c) Admin Staff


    Reconfiguring an inherited system and wondering how "the professionals" do it!!

  2. #2

    maniac's Avatar
    Join Date
    Feb 2007
    Location
    Kent
    Posts
    3,069
    Thank Post
    210
    Thanked 430 Times in 310 Posts
    Rep Power
    144
    Not sure I could possibly cover the way all our GPOS work in a forum post, it's taken many months of fine tuning of policies to get what we have.

    Essentially most of them are user policies, the only machine policies are those that need to be like WSUS settings, offline file settings etc. Students policiy is very strict with a lot of settings configured, but carefully done to avoid duplicate settings - the more settings you have turned on the longer the policy takes to apply. Staff have less strict settings with only the essentials set like IE home page, proxy settings and a few others. Admin staff are the same as teaching staff, there is no difference for us.

    If you're reconfiguring an inherited system, what I would do is create an entirely seperate OU in your active directory with 1 test machine in, 1 staff user and 1 student user in seperate OU's - you can then build your new GPOs seperately from your main network and test them throughly before applying them to your active users and machines. It will take a while to fine tune them, it took me several days to get our initial configuration and I'm constantly making adjustments to improve things, plug security holes or remove restrictions that might be cuasing problems - it's a careful balancing act between locking the system down to stop the students creating havoc, but leaving enough freedom to allow the machines to be effectively used.

    Also one big tip, if you change something - back the policies up first and document what you change as you go. Ocassionally you'll change a setting and it will mess something up but you might not immediatly realise it, then you'll want to change it back, but it's not always easy to remember precisely what you changed sometimes. Also don't make too many changes in one go when troubleshooting.

    When working with Group Policies, an invaluable tool is the Group Policy Management Console (GPMC) add on which allows much better management of GPOs.

    Mike.

  3. #3

    tmcd35's Avatar
    Join Date
    Jul 2005
    Location
    Norfolk
    Posts
    5,760
    Thank Post
    860
    Thanked 908 Times in 753 Posts
    Blog Entries
    9
    Rep Power
    330
    As a rough guide my OU structure looks something like this...

    domain root
    ......Computers
    ............Staff
    ...................Admin
    ...................Laptops
    .........................[subject ou's]
    ............Students
    ...................ICT Suites
    .........................[room ou's]
    ...................Non ICT Suites
    .........................[subject ou's]
    ......Users
    ............Staff
    ..................Admin
    .........................Finance
    ..................Teaching
    .........................[ou's by subject]
    ............Students
    ...................[ou's by year group]

    The default domain GPO is empty - all polcie settings [not enabled]. This is done intentionally. Any Computer policys that apply to everyone in the school are set in a 'default computers policy' in the 'computers' OU, and the same goes for user policies.

    Most security GPO's are set on the users OU's, with the 'students users policy' being the most restricted.

    I have six types of GPO that I assign at whatever OU level...

    Computer Security Policies [computer OU's only]
    Software Install Polcies [computer OU's only]
    Printer Assign Policies [computer OU's only]
    User Security Policies [user OU's only]
    Internet Explorer Security Policies [user OU's were possible]
    Microsoft Office Security Policies [user OU's were possible]

    I try to set policys once at as high an OU level as appropriate and then use exception policies in sub-OU's for groups that policy doesn't apply to. I also re-use GPO's in multiple OU's, especially software and printer GPO's. So my 'Art Software GPO' appears in the 'Computers/Staff/Laptops/Art', 'Computers/Students/Non ICT/Art', and 'Computers/Students/ICT' OU's. And simarly the 'Art Printers GPO' appears in the 'Computers/Staff/Laptops/Art' and 'Computers/Students/Non ICT/Art' OU's.

    With the planned move to Win 7 next year and the recent upgrade to the 2008 R2 schema, the big job over the coming months for me is to create a new OU strucuture and rewrite these policies ready for the switch.

  4. #4

    Join Date
    Jan 2010
    Location
    Lincolnshire
    Posts
    87
    Thank Post
    5
    Thanked 1 Time in 1 Post
    Rep Power
    0
    built a new server, going to promote it, transfer FSMO roles to the server & remove the old server.

    I am not really wanting all the group policies transfered yet I don't know of a way to stop this (cannot create a new domain, implications of MS Exchange are too involved at this stage).

    I think I will have to un-pick previous work unless it's possible to download the "Default Domain Policy" and "Default Domain Controllers Policy" for Windows 2008 R2 Server?

SHARE:
+ Post New Thread

Similar Threads

  1. Replies: 0
    Last Post: 6th July 2010, 08:45 PM
  2. GPO Problems
    By edsa in forum Windows Server 2000/2003
    Replies: 3
    Last Post: 23rd January 2010, 09:07 PM
  3. GPO's not working...
    By Little-Miss in forum Windows Server 2000/2003
    Replies: 8
    Last Post: 4th September 2009, 02:33 PM
  4. EZ-GPO
    By pottski in forum Windows
    Replies: 3
    Last Post: 11th December 2008, 08:52 AM
  5. GPO question
    By Newton in forum Windows
    Replies: 10
    Last Post: 15th July 2008, 10:44 PM

Thread Information

Users Browsing this Thread

There are currently 1 users browsing this thread. (0 members and 1 guests)

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •