redesign of 2008r2 policies...

  • #1

    These days I don't maintain a single network. I am a contract worker that manages networks on a per-call basis, so my involvement with the setup of these pre-existing networks is nil.

    My latest project is for a small school. They have a few servers: 2 DCs, a Smoothwall (that I installed), a web/app/print server, and about 60 clients. The network has been piecemealed and each tech has come and done what they thought was right...

    They have now contracted me to redefine their policies. They have policies that are not in use anymore, like from when they transitioned from Norton to Kaspersky, and two Office policies: one for 2003, one for 2010...

    So, long story long, their GPMC looks crazy to me. I have managed larger networks (upwards of a thousand people and 4000 devices) and my 'Group Policy Objects' screen never looked like this:



    So I am trying not to make a big stink and cause any problems with what is working (as it is FCAT time) while at the same time working on smoothing things out.

    And no, the last 4 techs are not available for questions or comments... and one of them loved some VB script, so I need to 'dumb it down' for the scripturally challenged like myself.

    What I am thinking is that I will create a new set of policies and assign them to a security group that only has test members, then when I have them set up correctly I redefine the scope to include the real users.

    I have read How to manually create Default Domain GPO and am thinking that I will apply the same theory to the new policy. Instead of changing the GUID in the sysvol in the order presented in the KB, I would hold off till things are working, and after verifying things work, then I would change the GUID...

    Am I even on the right track? I've never been asked to undertake a project like this and needed some input from you guys.
    its easier to beg forgiveness than ask permission.
    Give karma where karma is due...
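The pilot-then-widen approach the post describes (new GPO, security-filtered to a test group, scope widened once it checks out) scripted with the GroupPolicy and ActiveDirectory modules (RSAT on 2008 R2). This is an added example, not code from the thread; the GPO name, the pilot group name and the OU distinguished names are assumptions.

```powershell
Import-Module GroupPolicy
Import-Module ActiveDirectory

# Assumed names (not from the thread) for the pilot GPO, the test group and the link target.
$GpoName   = "Workstation Baseline NEW"
$TestGroup = "GPO-Pilot-Users"
$GroupOU   = "OU=Groups,DC=school,DC=local"
$LinkOU    = "OU=Staff,DC=school,DC=local"

# 1. Pilot group (only test accounts go in here) and the new GPO.
if (-not (Get-ADGroup -Filter "Name -eq '$TestGroup'")) {
    New-ADGroup -Name $TestGroup -GroupScope Global -GroupCategory Security -Path $GroupOU
}
New-GPO -Name $GpoName -Comment "Pilot: security-filtered to $TestGroup" | Out-Null

# 2. Security filtering. A new GPO grants Authenticated Users 'Apply'; drop that to
#    'Read' (-Replace) so clients can still see the GPO but do not apply it, then grant
#    'Apply' to the pilot group only. User-side settings follow the user's group
#    membership and computer-side settings follow the computer's, so put test machines
#    in the group too if the GPO carries Computer Configuration settings.
Set-GPPermission -Name $GpoName -TargetName "Authenticated Users" -TargetType Group `
    -PermissionLevel GpoRead -Replace | Out-Null
Set-GPPermission -Name $GpoName -TargetName $TestGroup -TargetType Group `
    -PermissionLevel GpoApply | Out-Null

# 3. Link it where it will eventually apply; only pilot members are affected.
New-GPLink -Name $GpoName -Target $LinkOU -LinkEnabled Yes | Out-Null

# 4. Verify the scope before anyone else logs on: exactly one 'Apply' trustee expected.
Get-GPPermission -Name $GpoName -All |
    Where-Object { $_.Permission -eq "GpoApply" } |
    Select-Object @{n="Trustee";e={$_.Trustee.Name}}, Permission

# 5. When the pilot checks out, widen the scope to everyone under the linked OU.
function Set-ProductionScope {
    param([string]$Name)
    Set-GPPermission -Name $Name -TargetName "Authenticated Users" -TargetType Group `
        -PermissionLevel GpoApply | Out-Null
    # The pilot group's explicit entry is now redundant; remove it.
    Set-GPPermission -Name $Name -TargetName $TestGroup -TargetType Group `
        -PermissionLevel None -Replace | Out-Null
}
# Set-ProductionScope -Name $GpoName
```

Step 4 is the check worth keeping in the runbook: the GPMC "Security Filtering" pane shows the same list, and a second "Apply" trustee there means the pilot is already live for more people than intended.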

  • #2
    Re: redesign of 2008r2 policies...

    Personally, I have tended to review what their requirements are to help define the GPOs.

    This would potentially lead to an OU re-structure and GPO re-configuration.

    The requirements would also determine the GPOs configured. For example, are there a mixture of XP, Windows 7 and Windows 8 clients? Furthermore, Windows 2003/2008/2008 R2 and 2012 servers?

    Typically, I have created a new OU structure and GPOs for the new Clients and gradually migrated the AD computer objects to the new structure.

    The new GPOs take advantage of GP preferences and the settings only applicable to a Windows 7 or Windows 2008 and higher OS.

    A review would then be carried out on their existing GPOs to also make recommendations. For example, reducing and ideally, eliminating any WMI filters. Typically, this is achieved by linking them directly to the relevant OU(s) or through security filtering.

    Furthermore, ensure that the Computer or User configuration area is disabled on the GPO as applicable.

    Also, should they be using scripts, these are generally migrated to GP preference settings.

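The restructure in the reply above (new OU, computer objects migrated in batches, unused configuration half disabled, WMI filters and legacy scripts reviewed) as one PowerShell pass. This is an added example, not from the thread; the OU name and the GPO name are assumptions, and it assumes the GroupPolicy and ActiveDirectory modules on a 2008 R2 DC or RSAT workstation.

```powershell
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domain = Get-ADDomain
$NewOU  = "Win7 Workstations"                          # assumed OU name
$NewDN  = "OU=$NewOU,$($domain.DistinguishedName)"
$sysvol = "\\$($domain.DNSRoot)\SYSVOL\$($domain.DNSRoot)\Policies"

# 1. New OU for the rebuilt structure (created once, idempotent on re-run).
if (-not (Get-ADOrganizationalUnit -Filter "Name -eq '$NewOU'" `
          -SearchBase $domain.DistinguishedName -SearchScope OneLevel)) {
    New-ADOrganizationalUnit -Name $NewOU -Path $domain.DistinguishedName
}

# 2. Migrate computer objects gradually: a small batch per pass, so a bad GPO hits few machines.
Get-ADComputer -Filter "OperatingSystem -like 'Windows 7*'" -Properties OperatingSystem |
    Where-Object { $_.DistinguishedName -notlike "*,$NewDN" } |
    Select-Object -First 5 |
    ForEach-Object { Move-ADObject -Identity $_.DistinguishedName -TargetPath $NewDN }

# 3. A GPO that only carries Computer Configuration gets its User half disabled
#    (the GPMC 'GPO Status' setting). Assumed GPO name; the assignment writes to AD.
$gpo = Get-GPO -Name "Win7 Workstation Settings"
$gpo.GpoStatus = "UserSettingsDisabled"

# 4. Review: GPOs still relying on WMI filters (candidates for OU links or security filtering).
Get-GPO -All | Where-Object { $_.WmiFilter } |
    Select-Object DisplayName, @{n="WmiFilter";e={$_.WmiFilter.Name}}

# 5. Review: GPOs that still run logon/logoff/startup/shutdown scripts, i.e. the ones with
#    a (hidden) scripts.ini or psscripts.ini under their SYSVOL folder. These are the
#    candidates for moving to GP Preferences.
Get-GPO -All | ForEach-Object {
    $ini = Get-ChildItem -Path (Join-Path $sysvol "{$($_.Id)}") -Recurse -Force `
               -Include scripts.ini, psscripts.ini -ErrorAction SilentlyContinue
    if ($ini) {
        New-Object PSObject -Property @{
            GPO     = $_.DisplayName
            Scripts = (($ini | ForEach-Object { $_.FullName }) -join "; ")
        }
    }
}
```

Step 5 is how you find the kind of leftover described later in the thread (a proxy-setting VBS that silently overrides a newer wpad.dat): the script reference is in the INI, not in the GPO's report summary, so a file search over SYSVOL is the reliable inventory.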


    • #3
      Re: redesign of 2008r2 policies...

      Agreed. As I'm looking at the AD OU structure, it will be necessary to do just as you say and create a new OU and migrate things to it as things begin to take shape.

      Being that I don't understand VB (very well), I would like to get away from it. Some of the former policies contain scripts that are competing with changes I have made. They had an old ISA proxy and the proxy settings were managed with a VBS script in the GPO, so the wpad.dat file I set up was useless until I found that little portion of the policy... just things like that.

      Prior to me being here, this was a mixed client environment. I have gotten everything to Windows 7 Pro, and all the servers are 2008 R2... which is another reason that the policies are not working right. There was no adjustment when 7 was released here and the majority of the policies were assigned to XP clients... but everything matches now.

      Thanks for helping me think this over. I appreciate your time and input, karma added!



      • #4
        Re: redesign of 2008r2 policies...

        Get an evaluation version of Netwrix or something similar that will help you monitor your changes and restore in case you made mistakes.



        • #5
          Re: redesign of 2008r2 policies...

          One thing I am concerned about is the renaming of the policy and the GUID of the policy.

          I'm referring to the article I cited earlier (How to manually create Default Domain GPO)...

          My question is, is the GUID going to change if I change the name of the policy? Currently I have created a new policy that is called 'Default Domain Policy NEW'. Things are working correctly, so when I decide to implement the changes, should I get the GUID after I change the name or before? Do I make sense?

          I just don't want to make the changes and then realize the GUID has changed since I renamed 'Default Domain Policy NEW' to 'Default Domain Policy'...

          If it does, it will change the time I implement the changes so that the effects are system-wide and not interruptive to operation, as per usual.

          Originally posted by Zegedeon
          Get an evaluation version of Netwrix or something similar that will help you monitor your changes and restore in case you made mistakes.
          I appreciate your input, but this can all be managed through GPO. I tend to lean on the Windows side in an AD environment and rely on the (more than sufficient) tools that are already given. If I rely on any third party, then I have to learn their syntax and programs. I have backups of all the GPOs, so I don't need to worry about deleting anything on accident.

          thanks again,
          James



          • #6
            Re: redesign of 2008r2 policies...

            Originally posted by James Haynes
            one thing i am concerned about is the renaming of the policy and the GUID of the policy.

            my question, is the GUID going to change if i change the name of the policy?
            thanks again,
            James


            No. The GUID will remain constant. When you rename a policy, you are merely updating an attribute which is human readable. The GUID persists.
            Rules of life:
            1. Never do anything that requires thinking after 2:30 PM
            2. Simplicity is godliness
            3. Scale with extreme prejudice


            I occasionally post using a savantphone, so please don't laugh too hard at the typos...



            • #7
              Re: redesign of 2008r2 policies...

              If you're worried about GUIDs, etc., with the Def Domain policy, try repairing it.
              * Use the Report option from the right-click menu to document what's been set so far.
              * Run DCGPOFix.exe (this resets the Def Domain policy to out-of-the-box default values; it can reset either/both the Def Domain and/or Def DC policies--research!).
              * Set only the password, account lockout and Kerberos settings.
              * Finally, add a second, new policy at the domain level for only those settings you want to apply domain-wide.
              * Redefine other policies further down, as needed.

              If you create the new domain-level policy first, but don't link it, nothing happens. But at least it's there to link to, immediately after you reset the def policy.

              This is in-line with MS Press' Guide to GP, originally released alongside Server 2K3. While Server 2K8 and up are running now, the basics of how to 'care for' and set up an effective GP structure are the same, albeit with new bells & whistles.
              *RicklesP*
              MSCA (2003/XP), Security+, CCNA

              ** Remember: credit where credit is due, and reputation points as appropriate **

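The repair sequence in the post above (document, reset with DCGPOFix, keep only account policy in the Default Domain Policy, add a second unlinked domain-level GPO and link it afterwards) scripted end to end. This is an added example and not the poster's own procedure or Microsoft's; the backup path, the new GPO's name and the one registry setting in it are assumptions. Note that password, lockout and Kerberos settings live under Security Settings, which the GroupPolicy module cannot edit, so that step stays in GPMC.

```powershell
Import-Module GroupPolicy
Import-Module ActiveDirectory

$domain = Get-ADDomain
$stamp  = Get-Date -Format "yyyyMMdd-HHmm"
$backup = "C:\GPO-Backups\$stamp"        # assumed path, on the DC this runs from
New-Item -ItemType Directory -Path $backup -Force | Out-Null

# 1. Document what is set today (HTML = GPMC's right-click report) and take a
#    restorable backup of every GPO before touching anything.
Get-GPOReport -Name "Default Domain Policy" -ReportType Html -Path "$backup\Default-Domain-Policy.html"
Backup-GPO -All -Path $backup -Comment "Before dcgpofix $stamp" | Out-Null

# 2. Create the second domain-level GPO now but do NOT link it yet. Assumed name and one
#    illustrative setting; the real domain-wide settings go in here.
New-GPO -Name "Domain Baseline" -Comment "Domain-wide settings; account policy stays in Default Domain Policy" | Out-Null
Set-GPRegistryValue -Name "Domain Baseline" -Key "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" `
    -ValueName "NoAutoUpdate" -Type DWord -Value 0 | Out-Null

# 3. In the maintenance window: reset only the Default Domain Policy. /target:Domain leaves
#    the Default Domain Controllers Policy alone; the tool asks for confirmation and must
#    run on a domain controller.
dcgpofix /ignoreschema /target:Domain

# 4. Set password, lockout and Kerberos settings in GPMC on the freshly reset GPO
#    (Security Settings are not scriptable with this module), then link the baseline
#    that was staged in step 2 and force a refresh on this DC.
New-GPLink -Name "Domain Baseline" -Target $domain.DistinguishedName -LinkEnabled Yes | Out-Null
gpupdate /force | Out-Null

# 5. Check that the account policy the DCs actually enforce is the one you set.
Get-ADDefaultDomainPasswordPolicy |
    Select-Object MinPasswordLength, MaxPasswordAge, LockoutThreshold, ComplexityEnabled

# Rollback, if needed, from the backup taken in step 1:
# Restore-GPO -Name "Default Domain Policy" -Path $backup
```

Between steps 3 and 4 the domain briefly runs on out-of-the-box account policy (minimum length 7, no lockout), which is why the post sequences the reset inside a window and has the replacement settings ready before running it.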


              • #8
                Re: redesign of 2008r2 policies...

                As already mentioned, the GUID will stay the same and I believe if you look at this location, you'll see the GUID names.

                \\AD Domain Name\sysvol\AD Domain Name\Policies

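The point made in the last two replies (a rename only rewrites the display name in AD; the GUID, and with it the SYSVOL folder, stays put) checked with the GroupPolicy and ActiveDirectory modules. This is an added example, not from the thread; the source and target GPO names are assumptions, and the well-known GUID of the built-in Default Domain Policy is quoted from the standard AD layout, not from this thread.

```powershell
Import-Module GroupPolicy
Import-Module ActiveDirectory

$domain = Get-ADDomain
$Old    = "Default Domain Policy NEW"              # the poster's pilot GPO
$New    = "Default Domain Policy NEW (renamed)"    # assumed target name for the demo

# GUID before the rename.
$guid = (Get-GPO -Name $Old).Id

# A rename rewrites displayName on the groupPolicyContainer object in AD; nothing in SYSVOL moves.
Rename-GPO -Name $Old -TargetName $New | Out-Null

# Look it up by GUID, not by name, and compare.
$after = Get-GPO -Guid $guid
if ($after.Id -ne $guid) { throw "GUID changed -- this should never happen" }
"{0} -> {1}, GUID still {{{2}}}" -f $Old, $after.DisplayName, $guid

# The SYSVOL folder is keyed by that GUID, so the same folder serves before and after.
$folder = "\\$($domain.DNSRoot)\SYSVOL\$($domain.DNSRoot)\Policies\{$guid}"
Test-Path $folder
Get-Content "$folder\GPT.INI"   # version counter; the name GPMC shows comes from AD, not this file

# Where the name actually lives, next to the GUID:
$dn = "CN={$guid},CN=Policies,CN=System,$($domain.DistinguishedName)"
Get-ADObject -Identity $dn -Properties displayName, gPCFileSysPath |
    Select-Object displayName, gPCFileSysPath

# Caveat: the built-in Default Domain Policy is identified by a well-known GUID, not by its
# name. Renaming another GPO to 'Default Domain Policy' does not turn it into the object
# that dcgpofix resets or that the "manually create Default Domain GPO" KB rebuilds.
$wellKnown = "31B2F340-016D-11D2-945F-00C04FB984F9"
(Get-GPO -Guid $wellKnown).DisplayName
```

So the answer to the timing question in #5 is that it does not matter whether the GUID is recorded before or after the rename; what matters is which GUID the rest of the plan refers to, because the KB's steps address the well-known one and a pilot GPO will have its own.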
