Sign in with
Sign up | Sign in
Your question

Good group policy management within an organisation

Last response: in Windows 2000/NT
Share
Anonymous
July 12, 2004 5:42:27 PM

Archived from groups: microsoft.public.win2000.group_policy (More info?)

Hi there,

I'm about to start applying Group Policies to our network (1 server and 8
users) as it's currently an open system that's facing a lot of abuse.

However, I'm looking for some ideas on managing this, and in particular, how
I should be arranging the OU's, being just a single small office.

I've thought about having an OU that had global policies, then have three
separate OU's that contained Level 1, 2 and 3 polices of differing degrees
of group policies (low, medium, high). But if I do this, I'm finding that
it's difficult to remember what each Level contains, and it's getting quite
messy.

Are there any websites that show some good practice and organisation for
this?

Thanks for any help, it's appreciated.

Regards,

Stephen
Anonymous
July 12, 2004 9:39:25 PM

Archived from groups: microsoft.public.win2000.group_policy (More info?)

Keep in mind there are two parts to Group Policy - computer and user and that they
need to reside in the container where the policy is applied. Also for domain users,
password/account policy can only be applied at the domain level. OU policy that has
"defined" settings will override the same settings defined at the domain level. If
there is a setting defined at the domain level and not at the OU level, the setting
will still apply to a user/computer in the OU in a default installation.

You may want to consider setting global polices that you want to apply to everyone at
the domain level and then use your three OU's and name them something appropriate
that distinguishes each by a role that applies to your office -
employees/managers/admins etc. or sales/admin/production etc. --- Steve

http://www.microsoft.com/windows2000/techinfo/planning/...
http://www.microsoft.com/resources/documentation/window...

"ste©" <ContactMeUsingTheContactForm@sm9.co.uk> wrote in message
news:40f287a1$0$6442$cc9e4d1f@news-text.dial.pipex.com...
> Hi there,
>
> I'm about to start applying Group Policies to our network (1 server and 8
> users) as it's currently an open system that's facing a lot of abuse.
>
> However, I'm looking for some ideas on managing this, and in particular, how
> I should be arranging the OU's, being just a single small office.
>
> I've thought about having an OU that had global policies, then have three
> separate OU's that contained Level 1, 2 and 3 polices of differing degrees
> of group policies (low, medium, high). But if I do this, I'm finding that
> it's difficult to remember what each Level contains, and it's getting quite
> messy.
>
> Are there any websites that show some good practice and organisation for
> this?
>
> Thanks for any help, it's appreciated.
>
> Regards,
>
> Stephen
>
>
Anonymous
July 13, 2004 8:30:19 PM

Archived from groups: microsoft.public.win2000.group_policy (More info?)

Hi

The following are quite good in terms of guidance (for different purposes):

http://www.microsoft.com/technet/prodtechnol/windows200...

http://www.microsoft.com/downloads/details.aspx?FamilyI...

Kind regards
--
Mark Renoden [MSFT]
Windows Platform Support Team
Email: markreno@online.microsoft.com

Please note you'll need to strip ".online" from my email address to email
me; I'll post a response back to the group.

This posting is provided "AS IS" with no warranties, and confers no rights.

"Steven L Umbach" <n9rou@n0-spam-for-me-comcast.net> wrote in message
news:h1AIc.62169$a24.33684@attbi_s03...
> Keep in mind there are two parts to Group Policy - computer and user and
> that they
> need to reside in the container where the policy is applied. Also for
> domain users,
> password/account policy can only be applied at the domain level. OU policy
> that has
> "defined" settings will override the same settings defined at the domain
> level. If
> there is a setting defined at the domain level and not at the OU level,
> the setting
> will still apply to a user/computer in the OU in a default installation.
>
> You may want to consider setting global polices that you want to apply to
> everyone at
> the domain level and then use your three OU's and name them something
> appropriate
> that distinguishes each by a role that applies to your office -
> employees/managers/admins etc. or sales/admin/production etc. --- Steve
>
> http://www.microsoft.com/windows2000/techinfo/planning/...
> http://www.microsoft.com/resources/documentation/window...
>
> "ste©" <ContactMeUsingTheContactForm@sm9.co.uk> wrote in message
> news:40f287a1$0$6442$cc9e4d1f@news-text.dial.pipex.com...
>> Hi there,
>>
>> I'm about to start applying Group Policies to our network (1 server and 8
>> users) as it's currently an open system that's facing a lot of abuse.
>>
>> However, I'm looking for some ideas on managing this, and in particular,
>> how
>> I should be arranging the OU's, being just a single small office.
>>
>> I've thought about having an OU that had global policies, then have three
>> separate OU's that contained Level 1, 2 and 3 polices of differing
>> degrees
>> of group policies (low, medium, high). But if I do this, I'm finding
>> that
>> it's difficult to remember what each Level contains, and it's getting
>> quite
>> messy.
>>
>> Are there any websites that show some good practice and organisation for
>> this?
>>
>> Thanks for any help, it's appreciated.
>>
>> Regards,
>>
>> Stephen
>>
>>
>
>
Related resources
Anonymous
July 14, 2004 1:40:34 AM

Archived from groups: microsoft.public.win2000.group_policy (More info?)

Thanks for the reply and advice Steven. At the moment, I've disabled the
computer parts of the group policies because I'm only specifying user
policies, and I read in a book that this helps to speed up the application
of these policies when the user logs on.

When I set OU's such as Level 1, 2, & 3, they are basically the same as
Employees, Managers, Admins; it's just that I'm naming them differently.
What I'd like to do is to set up a level 1 policy (low restriction), then
copy this policy to a brand new policy in level 2 - I could then have a
starting point to go on from, rather than enforce everything I'd done in
level 1 first, then add my next restrictions in level 2.

At the moment, my active directory of users and computers is like this:

mycompany (domain, and contains the unedited default domain policy)
> MyCompanyPolicies (OU containing my global policies)
> Level 1 (low restrictions)
> Level 2 (medium restrictions)
> Level 3 (high restrictions)

I assume that I'm on the right track with this (?), but will keep reading
the links and other resources that I find.

Thanks,

Ste


"Steven L Umbach" <n9rou@n0-spam-for-me-comcast.net> wrote in message
news:h1AIc.62169$a24.33684@attbi_s03...
| Keep in mind there are two parts to Group Policy - computer and user and
that they
| need to reside in the container where the policy is applied. Also for
domain users,
| password/account policy can only be applied at the domain level. OU policy
that has
| "defined" settings will override the same settings defined at the domain
level. If
| there is a setting defined at the domain level and not at the OU level,
the setting
| will still apply to a user/computer in the OU in a default installation.
|
| You may want to consider setting global polices that you want to apply to
everyone at
| the domain level and then use your three OU's and name them something
appropriate
| that distinguishes each by a role that applies to your office -
| employees/managers/admins etc. or sales/admin/production etc. --- Steve
|
|
http://www.microsoft.com/windows2000/techinfo/planning/...
|
http://www.microsoft.com/resources/documentation/window...
|
| "ste©" <ContactMeUsingTheContactForm@sm9.co.uk> wrote in message
| news:40f287a1$0$6442$cc9e4d1f@news-text.dial.pipex.com...
| > Hi there,
| >
| > I'm about to start applying Group Policies to our network (1 server and
8
| > users) as it's currently an open system that's facing a lot of abuse.
| >
| > However, I'm looking for some ideas on managing this, and in particular,
how
| > I should be arranging the OU's, being just a single small office.
| >
| > I've thought about having an OU that had global policies, then have
three
| > separate OU's that contained Level 1, 2 and 3 polices of differing
degrees
| > of group policies (low, medium, high). But if I do this, I'm finding
that
| > it's difficult to remember what each Level contains, and it's getting
quite
| > messy.
| >
| > Are there any websites that show some good practice and organisation for
| > this?
| >
| > Thanks for any help, it's appreciated.
| >
| > Regards,
| >
| > Stephen
| >
| >
|
|
Anonymous
July 14, 2004 1:40:35 AM

Archived from groups: microsoft.public.win2000.group_policy (More info?)

Sounds like you have a grasp of things. When you create a Group Policy [GPO] you can
"link" it to more than one container/OU. The highest GPO takes precedence with
defined settings. You could either create two sub OU's within your level 1 OU and
simply create the GPO you want for each sub OU and put users into the appropriate OU
and Group Policy would flow down through the sub OU's. Or you could have three OU's
and then have the low restriction policy level linked to each OU with additional GPO
for second level OU and all three GPO's linked the third level OU with high
restrictions with the OU specific to that OU at the top of the list. --- Steve


"ste©" <ContactMeUsingTheContactForm@sm9.co.uk> wrote in message
news:2lj0itFcojrcU2@uni-berlin.de...
> Thanks for the reply and advice Steven. At the moment, I've disabled the
> computer parts of the group policies because I'm only specifying user
> policies, and I read in a book that this helps to speed up the application
> of these policies when the user logs on.
>
> When I set OU's such as Level 1, 2, & 3, they are basically the same as
> Employees, Managers, Admins; it's just that I'm naming them differently.
> What I'd like to do is to set up a level 1 policy (low restriction), then
> copy this policy to a brand new policy in level 2 - I could then have a
> starting point to go on from, rather than enforce everything I'd done in
> level 1 first, then add my next restrictions in level 2.
>
> At the moment, my active directory of users and computers is like this:
>
> mycompany (domain, and contains the unedited default domain policy)
> > MyCompanyPolicies (OU containing my global policies)
> > Level 1 (low restrictions)
> > Level 2 (medium restrictions)
> > Level 3 (high restrictions)
>
> I assume that I'm on the right track with this (?), but will keep reading
> the links and other resources that I find.
>
> Thanks,
>
> Ste
>
>
> "Steven L Umbach" <n9rou@n0-spam-for-me-comcast.net> wrote in message
> news:h1AIc.62169$a24.33684@attbi_s03...
> | Keep in mind there are two parts to Group Policy - computer and user and
> that they
> | need to reside in the container where the policy is applied. Also for
> domain users,
> | password/account policy can only be applied at the domain level. OU policy
> that has
> | "defined" settings will override the same settings defined at the domain
> level. If
> | there is a setting defined at the domain level and not at the OU level,
> the setting
> | will still apply to a user/computer in the OU in a default installation.
> |
> | You may want to consider setting global polices that you want to apply to
> everyone at
> | the domain level and then use your three OU's and name them something
> appropriate
> | that distinguishes each by a role that applies to your office -
> | employees/managers/admins etc. or sales/admin/production etc. --- Steve
> |
> |
> http://www.microsoft.com/windows2000/techinfo/planning/...
> |
>
http://www.microsoft.com/resources/documentation/window...
> |
> | "ste©" <ContactMeUsingTheContactForm@sm9.co.uk> wrote in message
> | news:40f287a1$0$6442$cc9e4d1f@news-text.dial.pipex.com...
> | > Hi there,
> | >
> | > I'm about to start applying Group Policies to our network (1 server and
> 8
> | > users) as it's currently an open system that's facing a lot of abuse.
> | >
> | > However, I'm looking for some ideas on managing this, and in particular,
> how
> | > I should be arranging the OU's, being just a single small office.
> | >
> | > I've thought about having an OU that had global policies, then have
> three
> | > separate OU's that contained Level 1, 2 and 3 polices of differing
> degrees
> | > of group policies (low, medium, high). But if I do this, I'm finding
> that
> | > it's difficult to remember what each Level contains, and it's getting
> quite
> | > messy.
> | >
> | > Are there any websites that show some good practice and organisation for
> | > this?
> | >
> | > Thanks for any help, it's appreciated.
> | >
> | > Regards,
> | >
> | > Stephen
> | >
> | >
> |
> |
>
>
Anonymous
July 14, 2004 1:43:00 AM

Archived from groups: microsoft.public.win2000.group_policy (More info?)

Thanks for the furthe links Mark, I will check these out.

Ste


"Mark Renoden [MSFT]" <markreno@online.microsoft.com> wrote in message
news:u9BqeLKaEHA.2488@tk2msftngp13.phx.gbl...
| Hi
|
| The following are quite good in terms of guidance (for different
purposes):
|
|
http://www.microsoft.com/technet/prodtechnol/windows200...
|
|
http://www.microsoft.com/downloads/details.aspx?FamilyI...
|
| Kind regards
| --
| Mark Renoden [MSFT]
| Windows Platform Support Team
| Email: markreno@online.microsoft.com
|
| Please note you'll need to strip ".online" from my email address to email
| me; I'll post a response back to the group.
|
| This posting is provided "AS IS" with no warranties, and confers no
rights.
|
| "Steven L Umbach" <n9rou@n0-spam-for-me-comcast.net> wrote in message
| news:h1AIc.62169$a24.33684@attbi_s03...
| > Keep in mind there are two parts to Group Policy - computer and user and
| > that they
| > need to reside in the container where the policy is applied. Also for
| > domain users,
| > password/account policy can only be applied at the domain level. OU
policy
| > that has
| > "defined" settings will override the same settings defined at the domain
| > level. If
| > there is a setting defined at the domain level and not at the OU level,
| > the setting
| > will still apply to a user/computer in the OU in a default installation.
| >
| > You may want to consider setting global polices that you want to apply
to
| > everyone at
| > the domain level and then use your three OU's and name them something
| > appropriate
| > that distinguishes each by a role that applies to your office -
| > employees/managers/admins etc. or sales/admin/production etc. --- Steve
| >
| >
http://www.microsoft.com/windows2000/techinfo/planning/...
| >
http://www.microsoft.com/resources/documentation/window...
| >
| > "ste©" <ContactMeUsingTheContactForm@sm9.co.uk> wrote in message
| > news:40f287a1$0$6442$cc9e4d1f@news-text.dial.pipex.com...
| >> Hi there,
| >>
| >> I'm about to start applying Group Policies to our network (1 server and
8
| >> users) as it's currently an open system that's facing a lot of abuse.
| >>
| >> However, I'm looking for some ideas on managing this, and in
particular,
| >> how
| >> I should be arranging the OU's, being just a single small office.
| >>
| >> I've thought about having an OU that had global policies, then have
three
| >> separate OU's that contained Level 1, 2 and 3 polices of differing
| >> degrees
| >> of group policies (low, medium, high). But if I do this, I'm finding
| >> that
| >> it's difficult to remember what each Level contains, and it's getting
| >> quite
| >> messy.
| >>
| >> Are there any websites that show some good practice and organisation
for
| >> this?
| >>
| >> Thanks for any help, it's appreciated.
| >>
| >> Regards,
| >>
| >> Stephen
| >>
| >>
| >
| >
|
|
Anonymous
July 15, 2004 2:23:14 AM

Archived from groups: microsoft.public.win2000.group_policy (More info?)

Thanks for that again Steve, and I'll take note of your two approaches.
I've only added some basic global policies at the moment, but will start to
add more on a development PC using a test user account. The overall aim is
to only let people do and use what they need for the job. Hopefully, the
days of getting paid to chat on Yahoo Messenger all day are over... ;-)

Thanks,

Ste


"Steven L Umbach" <n9rou@n0-spam-for-me-comcast.net> wrote in message
news:ViYIc.46653$WX.6481@attbi_s51...
| Sounds like you have a grasp of things. When you create a Group Policy
[GPO] you can
| "link" it to more than one container/OU. The highest GPO takes precedence
with
| defined settings. You could either create two sub OU's within your level 1
OU and
| simply create the GPO you want for each sub OU and put users into the
appropriate OU
| and Group Policy would flow down through the sub OU's. Or you could have
three OU's
| and then have the low restriction policy level linked to each OU with
additional GPO
| for second level OU and all three GPO's linked the third level OU with
high
| restrictions with the OU specific to that OU at the top of the list. ---
Steve
|
|
| "ste©" <ContactMeUsingTheContactForm@sm9.co.uk> wrote in message
| news:2lj0itFcojrcU2@uni-berlin.de...
| > Thanks for the reply and advice Steven. At the moment, I've disabled
the
| > computer parts of the group policies because I'm only specifying user
| > policies, and I read in a book that this helps to speed up the
application
| > of these policies when the user logs on.
| >
| > When I set OU's such as Level 1, 2, & 3, they are basically the same as
| > Employees, Managers, Admins; it's just that I'm naming them differently.
| > What I'd like to do is to set up a level 1 policy (low restriction),
then
| > copy this policy to a brand new policy in level 2 - I could then have a
| > starting point to go on from, rather than enforce everything I'd done in
| > level 1 first, then add my next restrictions in level 2.
| >
| > At the moment, my active directory of users and computers is like this:
| >
| > mycompany (domain, and contains the unedited default domain policy)
| > > MyCompanyPolicies (OU containing my global policies)
| > > Level 1 (low restrictions)
| > > Level 2 (medium restrictions)
| > > Level 3 (high restrictions)
| >
| > I assume that I'm on the right track with this (?), but will keep
reading
| > the links and other resources that I find.
| >
| > Thanks,
| >
| > Ste
| >
| >
| > "Steven L Umbach" <n9rou@n0-spam-for-me-comcast.net> wrote in message
| > news:h1AIc.62169$a24.33684@attbi_s03...
| > | Keep in mind there are two parts to Group Policy - computer and user
and
| > that they
| > | need to reside in the container where the policy is applied. Also for
| > domain users,
| > | password/account policy can only be applied at the domain level. OU
policy
| > that has
| > | "defined" settings will override the same settings defined at the
domain
| > level. If
| > | there is a setting defined at the domain level and not at the OU
level,
| > the setting
| > | will still apply to a user/computer in the OU in a default
installation.
| > |
| > | You may want to consider setting global polices that you want to apply
to
| > everyone at
| > | the domain level and then use your three OU's and name them something
| > appropriate
| > | that distinguishes each by a role that applies to your office -
| > | employees/managers/admins etc. or sales/admin/production etc. ---
Steve
| > |
| > |
| >
http://www.microsoft.com/windows2000/techinfo/planning/...
| > |
| >
|
http://www.microsoft.com/resources/documentation/window...
| > |
| > | "ste©" <ContactMeUsingTheContactForm@sm9.co.uk> wrote in message
| > | news:40f287a1$0$6442$cc9e4d1f@news-text.dial.pipex.com...
| > | > Hi there,
| > | >
| > | > I'm about to start applying Group Policies to our network (1 server
and
| > 8
| > | > users) as it's currently an open system that's facing a lot of
abuse.
| > | >
| > | > However, I'm looking for some ideas on managing this, and in
particular,
| > how
| > | > I should be arranging the OU's, being just a single small office.
| > | >
| > | > I've thought about having an OU that had global policies, then have
| > three
| > | > separate OU's that contained Level 1, 2 and 3 polices of differing
| > degrees
| > | > of group policies (low, medium, high). But if I do this, I'm
finding
| > that
| > | > it's difficult to remember what each Level contains, and it's
getting
| > quite
| > | > messy.
| > | >
| > | > Are there any websites that show some good practice and organisation
for
| > | > this?
| > | >
| > | > Thanks for any help, it's appreciated.
| > | >
| > | > Regards,
| > | >
| > | > Stephen
| > | >
| > | >
| > |
| > |
| >
| >
|
|
Anonymous
July 15, 2004 2:23:15 AM

Archived from groups: microsoft.public.win2000.group_policy (More info?)

Sounds good. Keep in mind that your firewall configuration can also be a major
contributor to users not using unauthorized internet applications. Either try to use
a default block all outbound access rule and then create the exceptions for
authorized traffic. If your firewall can not do that, consider getting another one as
they have really dropped in price and $350 can get you a good SOHO unit. Otherwise
see if your existing one can at least block some outbound traffic - even the $80
routers from Neatger, Linksys, etc can do a pretty good job of that these days. Good
luck. --- Steve


"ste©" <ContactMeUsingTheContactForm@sm9.co.uk> wrote in message
news:2llmf7Feh8ncU1@uni-berlin.de...
> Thanks for that again Steve, and I'll take note of your two approaches.
> I've only added some basic global policies at the moment, but will start to
> add more on a development PC using a test user account. The overall aim is
> to only let people do and use what they need for the job. Hopefully, the
> days of getting paid to chat on Yahoo Messenger all day are over... ;-)
>
> Thanks,
>
> Ste
>
>
> "Steven L Umbach" <n9rou@n0-spam-for-me-comcast.net> wrote in message
> news:ViYIc.46653$WX.6481@attbi_s51...
> | Sounds like you have a grasp of things. When you create a Group Policy
> [GPO] you can
> | "link" it to more than one container/OU. The highest GPO takes precedence
> with
> | defined settings. You could either create two sub OU's within your level 1
> OU and
> | simply create the GPO you want for each sub OU and put users into the
> appropriate OU
> | and Group Policy would flow down through the sub OU's. Or you could have
> three OU's
> | and then have the low restriction policy level linked to each OU with
> additional GPO
> | for second level OU and all three GPO's linked the third level OU with
> high
> | restrictions with the OU specific to that OU at the top of the list. ---
> Steve
> |
> |
> | "ste©" <ContactMeUsingTheContactForm@sm9.co.uk> wrote in message
> | news:2lj0itFcojrcU2@uni-berlin.de...
> | > Thanks for the reply and advice Steven. At the moment, I've disabled
> the
> | > computer parts of the group policies because I'm only specifying user
> | > policies, and I read in a book that this helps to speed up the
> application
> | > of these policies when the user logs on.
> | >
> | > When I set OU's such as Level 1, 2, & 3, they are basically the same as
> | > Employees, Managers, Admins; it's just that I'm naming them differently.
> | > What I'd like to do is to set up a level 1 policy (low restriction),
> then
> | > copy this policy to a brand new policy in level 2 - I could then have a
> | > starting point to go on from, rather than enforce everything I'd done in
> | > level 1 first, then add my next restrictions in level 2.
> | >
> | > At the moment, my active directory of users and computers is like this:
> | >
> | > mycompany (domain, and contains the unedited default domain policy)
> | > > MyCompanyPolicies (OU containing my global policies)
> | > > Level 1 (low restrictions)
> | > > Level 2 (medium restrictions)
> | > > Level 3 (high restrictions)
> | >
> | > I assume that I'm on the right track with this (?), but will keep
> reading
> | > the links and other resources that I find.
> | >
> | > Thanks,
> | >
> | > Ste
> | >
> | >
> | > "Steven L Umbach" <n9rou@n0-spam-for-me-comcast.net> wrote in message
> | > news:h1AIc.62169$a24.33684@attbi_s03...
> | > | Keep in mind there are two parts to Group Policy - computer and user
> and
> | > that they
> | > | need to reside in the container where the policy is applied. Also for
> | > domain users,
> | > | password/account policy can only be applied at the domain level. OU
> policy
> | > that has
> | > | "defined" settings will override the same settings defined at the
> domain
> | > level. If
> | > | there is a setting defined at the domain level and not at the OU
> level,
> | > the setting
> | > | will still apply to a user/computer in the OU in a default
> installation.
> | > |
> | > | You may want to consider setting global polices that you want to apply
> to
> | > everyone at
> | > | the domain level and then use your three OU's and name them something
> | > appropriate
> | > | that distinguishes each by a role that applies to your office -
> | > | employees/managers/admins etc. or sales/admin/production etc. ---
> Steve
> | > |
> | > |
> | >
> http://www.microsoft.com/windows2000/techinfo/planning/...
> | > |
> | >
> |
>
http://www.microsoft.com/resources/documentation/window...
> | > |
> | > | "ste©" <ContactMeUsingTheContactForm@sm9.co.uk> wrote in message
> | > | news:40f287a1$0$6442$cc9e4d1f@news-text.dial.pipex.com...
> | > | > Hi there,
> | > | >
> | > | > I'm about to start applying Group Policies to our network (1 server
> and
> | > 8
> | > | > users) as it's currently an open system that's facing a lot of
> abuse.
> | > | >
> | > | > However, I'm looking for some ideas on managing this, and in
> particular,
> | > how
> | > | > I should be arranging the OU's, being just a single small office.
> | > | >
> | > | > I've thought about having an OU that had global policies, then have
> | > three
> | > | > separate OU's that contained Level 1, 2 and 3 polices of differing
> | > degrees
> | > | > of group policies (low, medium, high). But if I do this, I'm
> finding
> | > that
> | > | > it's difficult to remember what each Level contains, and it's
> getting
> | > quite
> | > | > messy.
> | > | >
> | > | > Are there any websites that show some good practice and organisation
> for
> | > | > this?
> | > | >
> | > | > Thanks for any help, it's appreciated.
> | > | >
> | > | > Regards,
> | > | >
> | > | > Stephen
> | > | >
> | > | >
> | > |
> | > |
> | >
> | >
> |
> |
>
>
Anonymous
July 18, 2004 4:34:54 PM

Archived from groups: microsoft.public.win2000.group_policy (More info?)

Thanks Steven. We're using Microsoft ISA Server with Small Business Server
2000, so there's definitely plenty of rules that we can implement Though
this might be a bit beyond me so we might have to call out IT consultants.
The problem is that as we're a small charity, we've got a very limited
budget, so that's why I try and do most things myself - but anything to
tricky, and I'll make that phone call. :-)

I did create some reports in ISA, but they don't seem to show user internet
activity - I believe the reason for this is because the default gateway for
each user is the ADSL router's IP address, rather than the server itself.
Not sure how to change this though, but it's probably a post for the ISA
group! ;-)

Thanks again,

Ste


"Steven L Umbach" <n9rou@n0-spam-for-me-comcast.net> wrote in message
news:p fiJc.74944$JR4.26287@attbi_s54...
| Sounds good. Keep in mind that your firewall configuration can also be a
major
| contributor to users not using unauthorized internet applications. Either
try to use
| a default block all outbound access rule and then create the exceptions
for
| authorized traffic. If your firewall can not do that, consider getting
another one as
| they have really dropped in price and $350 can get you a good SOHO unit.
Otherwise
| see if your existing one can at least block some outbound traffic - even
the $80
| routers from Neatger, Linksys, etc can do a pretty good job of that these
days. Good
| luck. --- Steve
|
|
| "ste©" <ContactMeUsingTheContactForm@sm9.co.uk> wrote in message
| news:2llmf7Feh8ncU1@uni-berlin.de...
| > Thanks for that again Steve, and I'll take note of your two approaches.
| > I've only added some basic global policies at the moment, but will start
to
| > add more on a development PC using a test user account. The overall aim
is
| > to only let people do and use what they need for the job. Hopefully,
the
| > days of getting paid to chat on Yahoo Messenger all day are over... ;-)
| >
| > Thanks,
| >
| > Ste
| >
| >
| > "Steven L Umbach" <n9rou@n0-spam-for-me-comcast.net> wrote in message
| > news:ViYIc.46653$WX.6481@attbi_s51...
| > | Sounds like you have a grasp of things. When you create a Group Policy
| > [GPO] you can
| > | "link" it to more than one container/OU. The highest GPO takes
precedence
| > with
| > | defined settings. You could either create two sub OU's within your
level 1
| > OU and
| > | simply create the GPO you want for each sub OU and put users into the
| > appropriate OU
| > | and Group Policy would flow down through the sub OU's. Or you could
have
| > three OU's
| > | and then have the low restriction policy level linked to each OU with
| > additional GPO
| > | for second level OU and all three GPO's linked the third level OU with
| > high
| > | restrictions with the OU specific to that OU at the top of the
st. ---
| > Steve
| > |
| > |
| > | "ste©" <ContactMeUsingTheContactForm@sm9.co.uk> wrote in message
| > | news:2lj0itFcojrcU2@uni-berlin.de...
| > | > Thanks for the reply and advice Steven. At the moment, I've
disabled
| > the
| > | > computer parts of the group policies because I'm only specifying
user
| > | > policies, and I read in a book that this helps to speed up the
| > application
| > | > of these policies when the user logs on.
| > | >
| > | > When I set OU's such as Level 1, 2, & 3, they are basically the same
as
| > | > Employees, Managers, Admins; it's just that I'm naming them
differently.
| > | > What I'd like to do is to set up a level 1 policy (low restriction),
| > then
| > | > copy this policy to a brand new policy in level 2 - I could then
have a
| > | > starting point to go on from, rather than enforce everything I'd
done in
| > | > level 1 first, then add my next restrictions in level 2.
| > | >
| > | > At the moment, my active directory of users and computers is like
this:
| > | >
| > | > mycompany (domain, and contains the unedited default domain policy)
| > | > > MyCompanyPolicies (OU containing my global policies)
| > | > > Level 1 (low restrictions)
| > | > > Level 2 (medium restrictions)
| > | > > Level 3 (high restrictions)
| > | >
| > | > I assume that I'm on the right track with this (?), but will keep
| > reading
| > | > the links and other resources that I find.
| > | >
| > | > Thanks,
| > | >
| > | > Ste
| > | >
| > | >
| > | > "Steven L Umbach" <n9rou@n0-spam-for-me-comcast.net> wrote in
message
| > | > news:h1AIc.62169$a24.33684@attbi_s03...
| > | > | Keep in mind there are two parts to Group Policy - computer and
user
| > and
| > | > that they
| > | > | need to reside in the container where the policy is applied. Also
for
| > | > domain users,
| > | > | password/account policy can only be applied at the domain level.
OU
| > policy
| > | > that has
| > | > | "defined" settings will override the same settings defined at the
| > domain
| > | > level. If
| > | > | there is a setting defined at the domain level and not at the OU
| > level,
| > | > the setting
| > | > | will still apply to a user/computer in the OU in a default
| > installation.
| > | > |
| > | > | You may want to consider setting global polices that you want to
apply
| > to
| > | > everyone at
| > | > | the domain level and then use your three OU's and name them
something
| > | > appropriate
| > | > | that distinguishes each by a role that applies to your office -
| > | > | employees/managers/admins etc. or sales/admin/production etc. ---
| > Steve
| > | > |
| > | > |
| > | >
| >
http://www.microsoft.com/windows2000/techinfo/planning/...
| > | > |
| > | >
| > |
| >
|
http://www.microsoft.com/resources/documentation/window...
| > | > |
| > | > | "ste©" <ContactMeUsingTheContactForm@sm9.co.uk> wrote in message
| > | > | news:40f287a1$0$6442$cc9e4d1f@news-text.dial.pipex.com...
| > | > | > Hi there,
| > | > | >
| > | > | > I'm about to start applying Group Policies to our network (1
server
| > and
| > | > 8
| > | > | > users) as it's currently an open system that's facing a lot of
| > abuse.
| > | > | >
| > | > | > However, I'm looking for some ideas on managing this, and in
| > particular,
| > | > how
| > | > | > I should be arranging the OU's, being just a single small
office.
| > | > | >
| > | > | > I've thought about having an OU that had global policies, then
have
| > | > three
| > | > | > separate OU's that contained Level 1, 2 and 3 polices of
differing
| > | > degrees
| > | > | > of group policies (low, medium, high). But if I do this, I'm
| > finding
| > | > that
| > | > | > it's difficult to remember what each Level contains, and it's
| > getting
| > | > quite
| > | > | > messy.
| > | > | >
| > | > | > Are there any websites that show some good practice and
organisation
| > for
| > | > | > this?
| > | > | >
| > | > | > Thanks for any help, it's appreciated.
| > | > | >
| > | > | > Regards,
| > | > | >
| > | > | > Stephen
| > | > | >
| > | > | >
| > | > |
| > | > |
| > | >
| > | >
| > |
| > |
| >
| >
|
|
Anonymous
July 18, 2004 8:33:02 PM

Archived from groups: microsoft.public.win2000.group_policy (More info?)

There are some ISA newsgroups that would be very helpful but basically the clients on
the network need to point to the ISA server internal network address as their default
gateway and then the clients will be subject to rules on the ISA server. The link
below is a great resource on ISA. Good luck. --- Steve

http://isaserver.org/articles_tutorials/configuration_g...

"ste©" <ContactMeUsingTheContactForm@sm9.co.uk> wrote in message
news:2lv5ghFh68mcU1@uni-berlin.de...
> Thanks Steven. We're using Microsoft ISA Server with Small Business Server
> 2000, so there's definitely plenty of rules that we can implement Though
> this might be a bit beyond me so we might have to call out IT consultants.
> The problem is that as we're a small charity, we've got a very limited
> budget, so that's why I try and do most things myself - but anything to
> tricky, and I'll make that phone call. :-)
>
> I did create some reports in ISA, but they don't seem to show user internet
> activity - I believe the reason for this is because the default gateway for
> each user is the ADSL router's IP address, rather than the server itself.
> Not sure how to change this though, but it's probably a post for the ISA
> group! ;-)
>
> Thanks again,
>
> Ste
>
>
> "Steven L Umbach" <n9rou@n0-spam-for-me-comcast.net> wrote in message
> news:p fiJc.74944$JR4.26287@attbi_s54...
> | Sounds good. Keep in mind that your firewall configuration can also be a
> major
> | contributor to users not using unauthorized internet applications. Either
> try to use
> | a default block all outbound access rule and then create the exceptions
> for
> | authorized traffic. If your firewall can not do that, consider getting
> another one as
> | they have really dropped in price and $350 can get you a good SOHO unit.
> Otherwise
> | see if your existing one can at least block some outbound traffic - even
> the $80
> | routers from Neatger, Linksys, etc can do a pretty good job of that these
> days. Good
> | luck. --- Steve
> |
> |
> | "ste©" <ContactMeUsingTheContactForm@sm9.co.uk> wrote in message
> | news:2llmf7Feh8ncU1@uni-berlin.de...
> | > Thanks for that again Steve, and I'll take note of your two approaches.
> | > I've only added some basic global policies at the moment, but will start
> to
> | > add more on a development PC using a test user account. The overall aim
> is
> | > to only let people do and use what they need for the job. Hopefully,
> the
> | > days of getting paid to chat on Yahoo Messenger all day are over... ;-)
> | >
> | > Thanks,
> | >
> | > Ste
> | >
> | >
> | > "Steven L Umbach" <n9rou@n0-spam-for-me-comcast.net> wrote in message
> | > news:ViYIc.46653$WX.6481@attbi_s51...
> | > | Sounds like you have a grasp of things. When you create a Group Policy
> | > [GPO] you can
> | > | "link" it to more than one container/OU. The highest GPO takes
> precedence
> | > with
> | > | defined settings. You could either create two sub OU's within your
> level 1
> | > OU and
> | > | simply create the GPO you want for each sub OU and put users into the
> | > appropriate OU
> | > | and Group Policy would flow down through the sub OU's. Or you could
> have
> | > three OU's
> | > | and then have the low restriction policy level linked to each OU with
> | > additional GPO
> | > | for second level OU and all three GPO's linked the third level OU with
> | > high
> | > | restrictions with the OU specific to that OU at the top of the
> st. ---
> | > Steve
> | > |
> | > |
> | > | "ste©" <ContactMeUsingTheContactForm@sm9.co.uk> wrote in message
> | > | news:2lj0itFcojrcU2@uni-berlin.de...
> | > | > Thanks for the reply and advice Steven. At the moment, I've
> disabled
> | > the
> | > | > computer parts of the group policies because I'm only specifying
> user
> | > | > policies, and I read in a book that this helps to speed up the
> | > application
> | > | > of these policies when the user logs on.
> | > | >
> | > | > When I set OU's such as Level 1, 2, & 3, they are basically the same
> as
> | > | > Employees, Managers, Admins; it's just that I'm naming them
> differently.
> | > | > What I'd like to do is to set up a level 1 policy (low restriction),
> | > then
> | > | > copy this policy to a brand new policy in level 2 - I could then
> have a
> | > | > starting point to go on from, rather than enforce everything I'd
> done in
> | > | > level 1 first, then add my next restrictions in level 2.
> | > | >
> | > | > At the moment, my active directory of users and computers is like
> this:
> | > | >
> | > | > mycompany (domain, and contains the unedited default domain policy)
> | > | > > MyCompanyPolicies (OU containing my global policies)
> | > | > > Level 1 (low restrictions)
> | > | > > Level 2 (medium restrictions)
> | > | > > Level 3 (high restrictions)
> | > | >
> | > | > I assume that I'm on the right track with this (?), but will keep
> | > reading
> | > | > the links and other resources that I find.
> | > | >
> | > | > Thanks,
> | > | >
> | > | > Ste
> | > | >
> | > | >
> | > | > "Steven L Umbach" <n9rou@n0-spam-for-me-comcast.net> wrote in
> message
> | > | > news:h1AIc.62169$a24.33684@attbi_s03...
> | > | > | Keep in mind there are two parts to Group Policy - computer and
> user
> | > and
> | > | > that they
> | > | > | need to reside in the container where the policy is applied. Also
> for
> | > | > domain users,
> | > | > | password/account policy can only be applied at the domain level.
> OU
> | > policy
> | > | > that has
> | > | > | "defined" settings will override the same settings defined at the
> | > domain
> | > | > level. If
> | > | > | there is a setting defined at the domain level and not at the OU
> | > level,
> | > | > the setting
> | > | > | will still apply to a user/computer in the OU in a default
> | > installation.
> | > | > |
> | > | > | You may want to consider setting global polices that you want to
> apply
> | > to
> | > | > everyone at
> | > | > | the domain level and then use your three OU's and name them
> something
> | > | > appropriate
> | > | > | that distinguishes each by a role that applies to your office -
> | > | > | employees/managers/admins etc. or sales/admin/production etc. ---
> | > Steve
> | > | > |
> | > | > |
> | > | >
> | >
> http://www.microsoft.com/windows2000/techinfo/planning/...
> | > | > |
> | > | >
> | > |
> | >
> |
>
http://www.microsoft.com/resources/documentation/window...
> | > | > |
> | > | > | "ste©" <ContactMeUsingTheContactForm@sm9.co.uk> wrote in message
> | > | > | news:40f287a1$0$6442$cc9e4d1f@news-text.dial.pipex.com...
> | > | > | > Hi there,
> | > | > | >
> | > | > | > I'm about to start applying Group Policies to our network (1
> server
> | > and
> | > | > 8
> | > | > | > users) as it's currently an open system that's facing a lot of
> | > abuse.
> | > | > | >
> | > | > | > However, I'm looking for some ideas on managing this, and in
> | > particular,
> | > | > how
> | > | > | > I should be arranging the OU's, being just a single small
> office.
> | > | > | >
> | > | > | > I've thought about having an OU that had global policies, then
> have
> | > | > three
> | > | > | > separate OU's that contained Level 1, 2 and 3 polices of
> differing
> | > | > degrees
> | > | > | > of group policies (low, medium, high). But if I do this, I'm
> | > finding
> | > | > that
> | > | > | > it's difficult to remember what each Level contains, and it's
> | > getting
> | > | > quite
> | > | > | > messy.
> | > | > | >
> | > | > | > Are there any websites that show some good practice and
> organisation
> | > for
> | > | > | > this?
> | > | > | >
> | > | > | > Thanks for any help, it's appreciated.
> | > | > | >
> | > | > | > Regards,
> | > | > | >
> | > | > | > Stephen
> | > | > | >
> | > | > | >
> | > | > |
> | > | > |
> | > | >
> | > | >
> | > |
> | > |
> | >
> | >
> |
> |
>
>
Anonymous
July 19, 2004 3:50:35 AM

Archived from groups: microsoft.public.win2000.group_policy (More info?)

Thanks again for your help Steven, I'll take a look at those articles. I've
already subscribed to one of the ISA newsgroups, so reading through the
history of that group for questions and answers.

I'm sure I'll be posting back agian some time for more help on the group
policies - it's still in a test environment at the moment.

Thanks again, it's appreciated.

Ste


"Steven L Umbach" <n9rou@n0-spam-for-me-comcast.net> wrote in message
news:2DxKc.123828$XM6.29900@attbi_s53...
| There are some ISA newsgroups that would be very helpful but basically the
clients on
| the network need to point to the ISA server internal network address as
their default
| gateway and then the clients will be subject to rules on the ISA server.
The link
| below is a great resource on ISA. Good luck. --- Steve
|
| http://isaserver.org/articles_tutorials/configuration_g...
|
| "ste©" <ContactMeUsingTheContactForm@sm9.co.uk> wrote in message
| news:2lv5ghFh68mcU1@uni-berlin.de...
| > Thanks Steven. We're using Microsoft ISA Server with Small Business
Server
| > 2000, so there's definitely plenty of rules that we can implement
Though
| > this might be a bit beyond me so we might have to call out IT
consultants.
| > The problem is that as we're a small charity, we've got a very limited
| > budget, so that's why I try and do most things myself - but anything to
| > tricky, and I'll make that phone call. :-)
| >
| > I did create some reports in ISA, but they don't seem to show user
internet
| > activity - I believe the reason for this is because the default gateway
for
| > each user is the ADSL router's IP address, rather than the server
itself.
| > Not sure how to change this though, but it's probably a post for the ISA
| > group! ;-)
| >
| > Thanks again,
| >
| > Ste
| >
| >
| > "Steven L Umbach" <n9rou@n0-spam-for-me-comcast.net> wrote in message
| > news:p fiJc.74944$JR4.26287@attbi_s54...
| > | Sounds good. Keep in mind that your firewall configuration can also be
a
| > major
| > | contributor to users not using unauthorized internet applications.
Either
| > try to use
| > | a default block all outbound access rule and then create the
exceptions
| > for
| > | authorized traffic. If your firewall can not do that, consider getting
| > another one as
| > | they have really dropped in price and $350 can get you a good SOHO
unit.
| > Otherwise
| > | see if your existing one can at least block some outbound traffic -
even
| > the $80
| > | routers from Neatger, Linksys, etc can do a pretty good job of that
these
| > days. Good
| > | luck. --- Steve
| > |
| > |
| > | "ste©" <ContactMeUsingTheContactForm@sm9.co.uk> wrote in message
| > | news:2llmf7Feh8ncU1@uni-berlin.de...
| > | > Thanks for that again Steve, and I'll take note of your two
approaches.
| > | > I've only added some basic global policies at the moment, but will
start
| > to
| > | > add more on a development PC using a test user account. The overall
aim
| > is
| > | > to only let people do and use what they need for the job.
Hopefully,
| > the
| > | > days of getting paid to chat on Yahoo Messenger all day are over...
;-)
| > | >
| > | > Thanks,
| > | >
| > | > Ste
| > | >
| > | >
| > | > "Steven L Umbach" <n9rou@n0-spam-for-me-comcast.net> wrote in
message
| > | > news:ViYIc.46653$WX.6481@attbi_s51...
| > | > | Sounds like you have a grasp of things. When you create a Group
Policy
| > | > [GPO] you can
| > | > | "link" it to more than one container/OU. The highest GPO takes
| > precedence
| > | > with
| > | > | defined settings. You could either create two sub OU's within your
| > level 1
| > | > OU and
| > | > | simply create the GPO you want for each sub OU and put users into
the
| > | > appropriate OU
| > | > | and Group Policy would flow down through the sub OU's. Or you
could
| > have
| > | > three OU's
| > | > | and then have the low restriction policy level linked to each OU
with
| > | > additional GPO
| > | > | for second level OU and all three GPO's linked the third level OU
with
| > | > high
| > | > | restrictions with the OU specific to that OU at the top of the
| > st. ---
| > | > Steve
| > | > |
| > | > |
| > | > | "ste©" <ContactMeUsingTheContactForm@sm9.co.uk> wrote in message
| > | > | news:2lj0itFcojrcU2@uni-berlin.de...
| > | > | > Thanks for the reply and advice Steven. At the moment, I've
| > disabled
| > | > the
| > | > | > computer parts of the group policies because I'm only specifying
| > user
| > | > | > policies, and I read in a book that this helps to speed up the
| > | > application
| > | > | > of these policies when the user logs on.
| > | > | >
| > | > | > When I set OU's such as Level 1, 2, & 3, they are basically the
same
| > as
| > | > | > Employees, Managers, Admins; it's just that I'm naming them
| > differently.
| > | > | > What I'd like to do is to set up a level 1 policy (low
restriction),
| > | > then
| > | > | > copy this policy to a brand new policy in level 2 - I could then
| > have a
| > | > | > starting point to go on from, rather than enforce everything I'd
| > done in
| > | > | > level 1 first, then add my next restrictions in level 2.
| > | > | >
| > | > | > At the moment, my active directory of users and computers is
like
| > this:
| > | > | >
| > | > | > mycompany (domain, and contains the unedited default domain
policy)
| > | > | > > MyCompanyPolicies (OU containing my global policies)
| > | > | > > Level 1 (low restrictions)
| > | > | > > Level 2 (medium restrictions)
| > | > | > > Level 3 (high restrictions)
| > | > | >
| > | > | > I assume that I'm on the right track with this (?), but will
keep
| > | > reading
| > | > | > the links and other resources that I find.
| > | > | >
| > | > | > Thanks,
| > | > | >
| > | > | > Ste
| > | > | >
| > | > | >
| > | > | > "Steven L Umbach" <n9rou@n0-spam-for-me-comcast.net> wrote in
| > message
| > | > | > news:h1AIc.62169$a24.33684@attbi_s03...
| > | > | > | Keep in mind there are two parts to Group Policy - computer
and
| > user
| > | > and
| > | > | > that they
| > | > | > | need to reside in the container where the policy is applied.
Also
| > for
| > | > | > domain users,
| > | > | > | password/account policy can only be applied at the domain
level.
| > OU
| > | > policy
| > | > | > that has
| > | > | > | "defined" settings will override the same settings defined at
the
| > | > domain
| > | > | > level. If
| > | > | > | there is a setting defined at the domain level and not at the
OU
| > | > level,
| > | > | > the setting
| > | > | > | will still apply to a user/computer in the OU in a default
| > | > installation.
| > | > | > |
| > | > | > | You may want to consider setting global polices that you want
to
| > apply
| > | > to
| > | > | > everyone at
| > | > | > | the domain level and then use your three OU's and name them
| > something
| > | > | > appropriate
| > | > | > | that distinguishes each by a role that applies to your
office -
| > | > | > | employees/managers/admins etc. or sales/admin/production
etc. ---
| > | > Steve
| > | > | > |
| > | > | > |
| > | > | >
| > | >
| >
http://www.microsoft.com/windows2000/techinfo/planning/...
| > | > | > |
| > | > | >
| > | > |
| > | >
| > |
| >
|
http://www.microsoft.com/resources/documentation/window...
| > | > | > |
| > | > | > | "ste©" <ContactMeUsingTheContactForm@sm9.co.uk> wrote in
message
| > | > | > | news:40f287a1$0$6442$cc9e4d1f@news-text.dial.pipex.com...
| > | > | > | > Hi there,
| > | > | > | >
| > | > | > | > I'm about to start applying Group Policies to our network (1
| > server
| > | > and
| > | > | > 8
| > | > | > | > users) as it's currently an open system that's facing a lot
of
| > | > abuse.
| > | > | > | >
| > | > | > | > However, I'm looking for some ideas on managing this, and in
| > | > particular,
| > | > | > how
| > | > | > | > I should be arranging the OU's, being just a single small
| > office.
| > | > | > | >
| > | > | > | > I've thought about having an OU that had global policies,
then
| > have
| > | > | > three
| > | > | > | > separate OU's that contained Level 1, 2 and 3 polices of
| > differing
| > | > | > degrees
| > | > | > | > of group policies (low, medium, high). But if I do this,
I'm
| > | > finding
| > | > | > that
| > | > | > | > it's difficult to remember what each Level contains, and
it's
| > | > getting
| > | > | > quite
| > | > | > | > messy.
| > | > | > | >
| > | > | > | > Are there any websites that show some good practice and
| > organisation
| > | > for
| > | > | > | > this?
| > | > | > | >
| > | > | > | > Thanks for any help, it's appreciated.
| > | > | > | >
| > | > | > | > Regards,
| > | > | > | >
| > | > | > | > Stephen
| > | > | > | >
| > | > | > | >
| > | > | > |
| > | > | > |
| > | > | >
| > | > | >
| > | > |
| > | > |
| > | >
| > | >
| > |
| > |
| >
| >
|
|
!