I'm green when it comes to GPOs, advice please.

[Guest]

Archived from groups: microsoft.public.win2000.group_policy (More info?)

Hi gents,

I've been using NT for a long, long time, but only marginally touched on
group policies in NT 4.0, I see in 2003 they've come a long way. I am
looking for a good method of setting up a GPO presumably using filtering to
apply the rules against my users. Our domain is running in 2003 native
mode, I have set up no OUs in the domain, rather just using existing
containers (users,computers, builtin etc.).

We have our Default Domain Policy GPO and I've setup another one called
IEProxyGPO. Basically, IEProxyGPO fills in IE proxy settings with 127.0.0.1
to eliminate internet access (and blocks tab access). I have filtered
security for the gpo by removing authenticated users and created a domain
global group called IEProxyUsers and add users into that group who should
not have access to the internet (80/100 staff). The for the policy
security, I check Read and Apply Policy settings for that group.

Is this sort of the norm or a screwball way of doing this - creating a
domain level gpo for this? (keeping in mind we're not running ISA server).
I just don't think breaking up users into OUs would really be of use to me.
Having said that, I am new to this and might just be missing part of the
larger picture.

Thx.

tsc

 

[Guest]

Archived from groups: microsoft.public.win2000.group_policy (More info?)

Hi

Nah you've pretty much got it. You apply GPO's at the level that they need
to be so that you minimise repetition. The alternative would be to create
an OU and put all users who should receive these settings in that OU. Next
you link the GPO to that OU and unlink it at the domain level. By doing it
this way, you eliminate the need for filtering by security ... possibly
easier to manage and track down issues should they arise.

The good news is that you haven't mucked around with the Default Domain
Policy which is generally a good thing.

Kind regards
--
Mark Renoden [MSFT]
Windows Platform Support Team
Email: markreno@online.microsoft.com

Please note you'll need to strip ".online" from my email address to email
me; I'll post a response back to the group.

This posting is provided "AS IS" with no warranties, and confers no rights.

"TheSingingCat" <meowmeowmeowmeow@meowmeowmeow.com> wrote in message
news:4187db52$1_1@news.nucleus.com...
> Hi gents,
>
> I've been using NT for a long, long time, but only marginally touched on
> group policies in NT 4.0, I see in 2003 they've come a long way. I am
> looking for a good method of setting up a GPO presumably using filtering
> to apply the rules against my users. Our domain is running in 2003 native
> mode, I have set up no OUs in the domain, rather just using existing
> containers (users,computers, builtin etc.).
>
> We have our Default Domain Policy GPO and I've setup another one called
> IEProxyGPO. Basically, IEProxyGPO fills in IE proxy settings with
> 127.0.0.1 to eliminate internet access (and blocks tab access). I have
> filtered security for the gpo by removing authenticated users and created
> a domain global group called IEProxyUsers and add users into that group
> who should not have access to the internet (80/100 staff). The for the
> policy security, I check Read and Apply Policy settings for that group.
>
> Is this sort of the norm or a screwball way of doing this - creating a
> domain level gpo for this? (keeping in mind we're not running ISA server).
> I just don't think breaking up users into OUs would really be of use to
> me. Having said that, I am new to this and might just be missing part of
> the larger picture.
>
> Thx.
>
> tsc
>
>

 

[Guest]

Archived from groups: microsoft.public.win2000.group_policy (More info?)

Thanks Mark, if I could pick your brain on one last matter -- This GPO
(ieproxygpo) only seems to be applied when the user logs on. I've waited
well over the refresh interval and the IE proxy settings remain blank. I
was under the impression this would automatically update with the new
enforced settings within 120min and only folder redirection and software
install polices required a logon.

A lot of users here just lock their workstations for the night and it could
be weeks before they reboot or log off for some reason. The specific
setting I am trying to enforce is located at:

Userconfig>WindowsSettings>InternetExploreMaint.>connection>Proxy Settings

Then I also check:

AdminTemplate>WindowsComponents>InternetExplorer "Disable Changing Proxy
Settings" = Enabled

I don't get why this isn't automatically updating the browser until log on.

Thank you,

tsc


"Mark Renoden [MSFT]" <markreno@online.microsoft.com> wrote in message
news:OLco0LSwEHA.4040@TK2MSFTNGP11.phx.gbl...
> Hi
>
> Nah you've pretty much got it. You apply GPO's at the level that they
> need
> to be so that you minimise repetition. The alternative would be to create
> an OU and put all users who should receive these settings in that OU.
> Next
> you link the GPO to that OU and unlink it at the domain level. By doing
> it
> this way, you eliminate the need for filtering by security ... possibly
> easier to manage and track down issues should they arise.
>
-----------------
>>
>> We have our Default Domain Policy GPO and I've setup another one called
>> IEProxyGPO. Basically, IEProxyGPO fills in IE proxy settings with
>> 127.0.0.1 to eliminate internet access (and blocks tab access). I have
>> filtered security for the gpo by removing authenticated users and created
>> a domain global group called IEProxyUsers and add users into that group
>> who should not have access to the internet (80/100 staff). The for the
>> policy security, I check Read and Apply Policy settings for that group.
>>

 

[Guest]

Archived from groups: microsoft.public.win2000.group_policy (More info?)

N/M - they are being applied -- just the time interval is much longer than I
thought I read it was. It seems to refresh approximately every 12 hours on
the clients.

"TheSingingCat" <meowmeowmeowmeow@meowmeowmeow.com> wrote in message
news:4188ea60_1@news.nucleus.com...
> Thanks Mark, if I could pick your brain on one last matter -- This GPO
> (ieproxygpo) only seems to be applied when the user logs on. I've waited
> well over the refresh interval and the IE proxy settings remain blank. I
> was under the impression this would automatically update with the new
> enforced settings within 120min and only folder redirection and software
> install polices required a logon.

 

[Guest]

Archived from groups: microsoft.public.win2000.group_policy (More info?)

Hi

The Internet Explorer maintenance policy ususally applies only when the
policy has been edited or if it hasn't been applied before. To change this
behaviour, refer to:

306915 Internet Explorer Maintenance Group Policies Do Not Apply During
http://support.microsoft.com/?id=306915

Kind regards
--
Mark Renoden [MSFT]
Windows Platform Support Team
Email: markreno@online.microsoft.com

Please note you'll need to strip ".online" from my email address to email
me; I'll post a response back to the group.

This posting is provided "AS IS" with no warranties, and confers no rights.

"TheSingingCat" <meowmeowmeowmeow@meowmeowmeow.com> wrote in message
news:418a4119_1@news.nucleus.com...
> N/M - they are being applied -- just the time interval is much longer than
> I thought I read it was. It seems to refresh approximately every 12
> hours on the clients.
>
> "TheSingingCat" <meowmeowmeowmeow@meowmeowmeow.com> wrote in message
> news:4188ea60_1@news.nucleus.com...
>> Thanks Mark, if I could pick your brain on one last matter -- This GPO
>> (ieproxygpo) only seems to be applied when the user logs on. I've waited
>> well over the refresh interval and the IE proxy settings remain blank. I
>> was under the impression this would automatically update with the new
>> enforced settings within 120min and only folder redirection and software
>> install polices required a logon.
>
>