I'm green when it comes to GPOs, advice please.

Archived from groups: microsoft.public.win2000.group_policy (More info?)

Hi gents,

I've been using NT for a long, long time, but only marginally touched on
group policies in NT 4.0, I see in 2003 they've come a long way. I am
looking for a good method of setting up a GPO presumably using filtering to
apply the rules against my users. Our domain is running in 2003 native
mode, I have set up no OUs in the domain, rather just using existing
containers (users,computers, builtin etc.).

We have our Default Domain Policy GPO and I've setup another one called
IEProxyGPO. Basically, IEProxyGPO fills in IE proxy settings with 127.0.0.1
to eliminate internet access (and blocks tab access). I have filtered
security for the gpo by removing authenticated users and created a domain
global group called IEProxyUsers and add users into that group who should
not have access to the internet (80/100 staff). The for the policy
security, I check Read and Apply Policy settings for that group.

Is this sort of the norm or a screwball way of doing this - creating a
domain level gpo for this? (keeping in mind we're not running ISA server).
I just don't think breaking up users into OUs would really be of use to me.
Having said that, I am new to this and might just be missing part of the
larger picture.

Thx.

tsc
4 answers Last reply
More about green gpos advice please
  1. Archived from groups: microsoft.public.win2000.group_policy (More info?)

    Hi

    Nah you've pretty much got it. You apply GPO's at the level that they need
    to be so that you minimise repetition. The alternative would be to create
    an OU and put all users who should receive these settings in that OU. Next
    you link the GPO to that OU and unlink it at the domain level. By doing it
    this way, you eliminate the need for filtering by security ... possibly
    easier to manage and track down issues should they arise.

    The good news is that you haven't mucked around with the Default Domain
    Policy which is generally a good thing.

    Kind regards
    --
    Mark Renoden [MSFT]
    Windows Platform Support Team
    Email: markreno@online.microsoft.com

    Please note you'll need to strip ".online" from my email address to email
    me; I'll post a response back to the group.

    This posting is provided "AS IS" with no warranties, and confers no rights.

    "TheSingingCat" <meowmeowmeowmeow@meowmeowmeow.com> wrote in message
    news:4187db52$1_1@news.nucleus.com...
    > Hi gents,
    >
    > I've been using NT for a long, long time, but only marginally touched on
    > group policies in NT 4.0, I see in 2003 they've come a long way. I am
    > looking for a good method of setting up a GPO presumably using filtering
    > to apply the rules against my users. Our domain is running in 2003 native
    > mode, I have set up no OUs in the domain, rather just using existing
    > containers (users,computers, builtin etc.).
    >
    > We have our Default Domain Policy GPO and I've setup another one called
    > IEProxyGPO. Basically, IEProxyGPO fills in IE proxy settings with
    > 127.0.0.1 to eliminate internet access (and blocks tab access). I have
    > filtered security for the gpo by removing authenticated users and created
    > a domain global group called IEProxyUsers and add users into that group
    > who should not have access to the internet (80/100 staff). The for the
    > policy security, I check Read and Apply Policy settings for that group.
    >
    > Is this sort of the norm or a screwball way of doing this - creating a
    > domain level gpo for this? (keeping in mind we're not running ISA server).
    > I just don't think breaking up users into OUs would really be of use to
    > me. Having said that, I am new to this and might just be missing part of
    > the larger picture.
    >
    > Thx.
    >
    > tsc
    >
    >
  2. Archived from groups: microsoft.public.win2000.group_policy (More info?)

    Thanks Mark, if I could pick your brain on one last matter -- This GPO
    (ieproxygpo) only seems to be applied when the user logs on. I've waited
    well over the refresh interval and the IE proxy settings remain blank. I
    was under the impression this would automatically update with the new
    enforced settings within 120min and only folder redirection and software
    install polices required a logon.

    A lot of users here just lock their workstations for the night and it could
    be weeks before they reboot or log off for some reason. The specific
    setting I am trying to enforce is located at:

    Userconfig>WindowsSettings>InternetExploreMaint.>connection>Proxy Settings

    Then I also check:

    AdminTemplate>WindowsComponents>InternetExplorer "Disable Changing Proxy
    Settings" = Enabled

    I don't get why this isn't automatically updating the browser until log on.

    Thank you,

    tsc


    "Mark Renoden [MSFT]" <markreno@online.microsoft.com> wrote in message
    news:OLco0LSwEHA.4040@TK2MSFTNGP11.phx.gbl...
    > Hi
    >
    > Nah you've pretty much got it. You apply GPO's at the level that they
    > need
    > to be so that you minimise repetition. The alternative would be to create
    > an OU and put all users who should receive these settings in that OU.
    > Next
    > you link the GPO to that OU and unlink it at the domain level. By doing
    > it
    > this way, you eliminate the need for filtering by security ... possibly
    > easier to manage and track down issues should they arise.
    >
    -----------------
    >>
    >> We have our Default Domain Policy GPO and I've setup another one called
    >> IEProxyGPO. Basically, IEProxyGPO fills in IE proxy settings with
    >> 127.0.0.1 to eliminate internet access (and blocks tab access). I have
    >> filtered security for the gpo by removing authenticated users and created
    >> a domain global group called IEProxyUsers and add users into that group
    >> who should not have access to the internet (80/100 staff). The for the
    >> policy security, I check Read and Apply Policy settings for that group.
    >>
  3. Archived from groups: microsoft.public.win2000.group_policy (More info?)

    N/M - they are being applied -- just the time interval is much longer than I
    thought I read it was. It seems to refresh approximately every 12 hours on
    the clients.

    "TheSingingCat" <meowmeowmeowmeow@meowmeowmeow.com> wrote in message
    news:4188ea60_1@news.nucleus.com...
    > Thanks Mark, if I could pick your brain on one last matter -- This GPO
    > (ieproxygpo) only seems to be applied when the user logs on. I've waited
    > well over the refresh interval and the IE proxy settings remain blank. I
    > was under the impression this would automatically update with the new
    > enforced settings within 120min and only folder redirection and software
    > install polices required a logon.
  4. Archived from groups: microsoft.public.win2000.group_policy (More info?)

    Hi

    The Internet Explorer maintenance policy ususally applies only when the
    policy has been edited or if it hasn't been applied before. To change this
    behaviour, refer to:

    306915 Internet Explorer Maintenance Group Policies Do Not Apply During
    http://support.microsoft.com/?id=306915

    Kind regards
    --
    Mark Renoden [MSFT]
    Windows Platform Support Team
    Email: markreno@online.microsoft.com

    Please note you'll need to strip ".online" from my email address to email
    me; I'll post a response back to the group.

    This posting is provided "AS IS" with no warranties, and confers no rights.

    "TheSingingCat" <meowmeowmeowmeow@meowmeowmeow.com> wrote in message
    news:418a4119_1@news.nucleus.com...
    > N/M - they are being applied -- just the time interval is much longer than
    > I thought I read it was. It seems to refresh approximately every 12
    > hours on the clients.
    >
    > "TheSingingCat" <meowmeowmeowmeow@meowmeowmeow.com> wrote in message
    > news:4188ea60_1@news.nucleus.com...
    >> Thanks Mark, if I could pick your brain on one last matter -- This GPO
    >> (ieproxygpo) only seems to be applied when the user logs on. I've waited
    >> well over the refresh interval and the IE proxy settings remain blank. I
    >> was under the impression this would automatically update with the new
    >> enforced settings within 120min and only folder redirection and software
    >> install polices required a logon.
    >
    >
Ask a new question

Read More

Policy Domain Windows