I'd like to start a thread concerning the high level planning for Group Policy deployment. In my particular situation I have been given the responsibility for deploying Group Policy (and AD) at a high school. While there is a blizzard of information about GP, it is all referential - what does this do, what does it affect, etc. I'm looking for a level 200 or 300 discussion about the process.
For example - there are over 900 group policies in the W2k3 Excel spreadsheet reference. Trying to deploy all or most all at once is obviously silly. There must be some kind of rational, phased process for deploying these. Such a process, I would think, always, or nearly always, should begin with some particular subset of policies, i.e., Internet Explorer or Desktop or Restricted Software. Another subset would almost always be second, and third, and so on.
I've never seen the process covered by any of the documentation provided by Microsoft, except in the most general way (Design AD, Design OUs, Create the test environment, etc.). This is not what I'm referring to.
Anyone have a step 1 through n for the policies themselves?
|
|
Edward- I think that the MS common scenarios are a good place to start. Check them out at http://technet2.microsoft.com/windowsserver/en/library/7b33dcd6-0ad2-44e8-82f8-962425b6cf8e1033.mspx?mfr=true. I think that the challenge is that there are so many policies and so many different types of environments that it is very hard to generalize the "ideal" starting point. But the common scenarios help, I think.
Let us know if you have any follow up questions.
Darren
-- Darren Mar-Elia MS-MVP-Windows Server--Group Policy
Simplify Group Policy Troubleshooting with the NEW GPExpert Troubleshooting Pak 1.0 at http://www.sdmsoftware.com/products.php
Visit the GPOGUY: http://www.gpoguy.com -- The Windows Group Policy Information Hub: FAQs, Training Videos, Whitepapers and Utilities for all things Group Policy-related
|
|
I would respectfully disagree. The starting point document you mention is so general as to be all but useless when confronted with an actual deployment. As I said, 900 plus objects, in alphabetical order.... You assert that the wide variety of circumstances are so completely different from one another as to make it all but impossible to form a general process. My experience is that the circumstances that confront a group policy deployment actually have quite a bit in common, which one can see in the way the administrative template objects are organized. In fact, that organization would certainly qualify for the phased process I hope to explore here though their priority is missing, and I think they are still too general. For example, I would think that Desktop objects would best be deployed in a series of phases rather than all at once.
The problem with the Common Scenarios is that they don't recognize the real world process of GP deployment. As the number of applications on a client rises the difficulty in tracking the effects of a change in a GP object also rises. GPs must certainly be deployed in phases. The document you cite gives this topic short shrift. I'm calling for an in-depth treatment of phased deployment which would naturally suggest a priority, also missing from the document you refer to. Of course, the section entitled "configuring specific features" is anything but specific.
I wonder if you noticed some of the alternatives I mentioned higher up. Perhaps the desktop objects would be the first place to start, or maybe the network objects. I guess I'm partial to the Internet Explorer objects but I'm anything but certain.
I wish you hadn't dismissed my request for contribution to this thread right out of the box. If you don't care to participate or you wish to limit your contribution to the document you referenced, fine, but please don't also kill the thread with a comment like "it is very hard to generalize the "ideal" starting point." Not very helpful and it may not even be correct.
|
|
Edward- You shouldn't take my response as a dismissal. It was meant to be a starting point. That is why I asked to follow up with questions. It's hard to tell what point you are at in your investigations so I think that the common scenarios show you the kinds of things that are possible. Given that, if it's too general, then I'm sure others will pipe in with some more specific suggestions, which is definitely encouraged. I can tell you that the priorities you are looking for are specific to the needs and requirements of your own organization. For example, what's required for Financial Services is completely different than what a High School needs, but here are some high-level themes to get us started:
1. You're absolutely right about starting slow. It's imperative that you don't try to deploy hundreds of settings across hundreds of GPOs at once, for obvious reasons.
2. Have some kind of change management process in place from the get-go. This includes the ability to back-out changes easily. This may be as simple as using GPMC backup and restore or as complex as buying a 3rd party change control product.
3. Security settings typically rise to the top for many shops. I would lump IE controls as well as things like user rights assignments, service security and software restriction policy into this. There are some best practices here at sites like SANS and NIST (e.g. http://csrc.nist.gov/itsec/guidance_WinXP_Home.html).
4. Desktop Lockdowns (i.e. Admin. Templates) are usually the most organizational-specific. But doing things like removing registry editor and cmd shell access, or hiding drives are easily the ones I see the most. This list gets long so the priority ends up being the things you have problems with today. My rule of thumb with lockdown is only lock down what you absolutely have to (i.e. that is causing problems) vs. taking the approach of locking down a lot because you think you should and then having to respond to user complaints or troubleshoot why something isn't working well.
I think others will probably have some input here as well. Hopefully this is a STARTING point :)
Darren
-- Darren Mar-Elia MS-MVP-Windows Server--Group Policy
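Point 2 of the post above (change management with GPMC backup and restore, so that a change can be backed out) sketched as an added example; it is not part of the original thread. It assumes the GroupPolicy PowerShell module that ships with GPMC on later Windows versions, and the GPO name, backup share and function names are hypothetical.

```powershell
#Requires -Modules GroupPolicy
# Added example: snapshot a GPO before editing it, keep a change log,
# and roll back to the snapshot if the change misbehaves.
# Hypothetical names: 'Student Desktop Baseline', '\\fileserver\GPOBackups'.

function Save-GpoSnapshot {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $GpoName,
        [Parameter(Mandatory)] [string] $BackupRoot,
        [Parameter(Mandatory)] [string] $ChangeNote
    )

    # Fail early if the GPO name is wrong rather than backing up nothing.
    $gpo = Get-GPO -Name $GpoName -ErrorAction Stop

    if (-not (Test-Path -LiteralPath $BackupRoot)) {
        New-Item -ItemType Directory -Path $BackupRoot -ErrorAction Stop | Out-Null
    }

    # The comment is stored with the backup, so the reason for the change
    # travels with the snapshot.
    $backup = Backup-GPO -Guid $gpo.Id -Path $BackupRoot -Comment $ChangeNote -ErrorAction Stop

    # A readable settings report next to the backup makes before/after
    # comparison possible without restoring anything.
    $stamp      = Get-Date -Format 'yyyyMMdd-HHmmss'
    $reportPath = Join-Path $BackupRoot ("{0}_{1}.html" -f $backup.Id, $stamp)
    Get-GPOReport -Guid $gpo.Id -ReportType Html -Path $reportPath -ErrorAction Stop

    # One line per change: what was touched, why, and which backup undoes it.
    [pscustomobject]@{
        When     = $stamp
        Gpo      = $gpo.DisplayName
        GpoId    = $gpo.Id
        BackupId = $backup.Id
        Note     = $ChangeNote
        Report   = $reportPath
    } | Export-Csv -Path (Join-Path $BackupRoot 'change-log.csv') -Append -NoTypeInformation

    return $backup
}

function Undo-GpoChange {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [guid]   $BackupId,
        [Parameter(Mandatory)] [string] $BackupRoot
    )
    # Restores the GPO's settings to the state captured in that backup.
    Restore-GPO -BackupId $BackupId -Path $BackupRoot -ErrorAction Stop
}

# Snapshot first, then edit the GPO and test the result on a lab machine.
$snap = Save-GpoSnapshot -GpoName 'Student Desktop Baseline' `
                         -BackupRoot '\\fileserver\GPOBackups' `
                         -ChangeNote 'Before hiding drives in My Computer'

# If the change causes problems, back it out:
# Undo-GpoChange -BackupId $snap.Id -BackupRoot '\\fileserver\GPOBackups'
```

A restore brings back the GPO's settings only; links to OUs are stored on the OU, not in the backup, so link changes need to be recorded separately.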
|
|
"Darren Mar-Elia" wrote:
> 2. Have some kind of change management process in place from the get-go. This includes the ability to back-out changes easily. This may be as simple as using GPMC backup and restore or as complex as buying a 3rd party change control product

I'm just now in the middle of installing Virtual Server as the test lab platform for validating these policies prior to deployment. Boy, if there is a better way to do this I'd like to know about it. If there is a set of primary principles here, VS based test lab has to be at the top of the list.
Of course there are tricks to doing this right that I can see already:
- Need to install all apps, service packs, and hotfixes on the virtual machine to dup the production client.
Others?
|
|
Edward,
I get the impression that you are so-to-speak being blinded by the trees and failing to view the forest from overlooks in the terrain.
GP usage aims to facilitate management of computers and of users when using those computers.
So, first one needs to decide what aspects one wants to manage, and rank these as to their importance. Think functionally. Do not at this point think about what is available in the thousand and a half odd some policies that can be set. The 900 you mention is a pre-Vista number and also is only the policy settings available in the administrative templates.
For examples: make machines accessible to only valid users, make machines silent on the network, have login scripts for users based on their user category, make sure all machines are using correct DNS servers, etc. List out what are your major and minor management objectives. Then see what GPOs have that let you accomplish those objectives.
Now, granted, there is a chicken/egg aspect, and while I am saying to emphasize a functional use case specification first, as one does get more familiar with GP capabilities and shortfalls those will also come into the picture early on, influencing what you spec as the major and minor management objectives. However, starting at the other end, the individual policy settings, is not the way to approach the issue.
Roger
|
|
"Roger Abell [MVP]" wrote:
> I get the impression that you are so-to-speak being blinded by the trees and failing to view the forest from overlooks in the terrain.

I'd use a different metaphor. I have come to think of a complete Group Policy portfolio as the architectural plans for a multi-story building. There are myriad specs in such plans for things like floors, walls, engineering structures, windows, ventilation, electric, IP, etc. In order for the final design to make sense, and no matter what the final use of the building, there is still an underlying order to the development of the design. I am looking for that order, which you begin to hint at in your post, below.
> So, first one needs to decide what aspects one wants to manage, > and rank these as to their importance. Think functionally.
The more I ponder the question, the more it seems that the Security Guidelines for XP and Server should really be the first place to start (and yes, I am assuming a well developed Vision/Scope doc), regardless of the environment. These two docs seem to deal with foundational issues of network functionality and domain wide network access issues. Microsoft doesn't really take an emphatic position as to its priority in the process. Here's my burning question for you: Is there any justification for starting elsewhere in a virgin domain?
> For examples: make machines accessible to only valid users, > make machines silent on the network, have login scripts for > users based on their user category, make sure all machines are > using correct DNS servers, etc.
You present this as an alternative, but I think this may be an essential starting point in the absence of some extraordinary circumstance, which I obviously cannot even imagine. Do you agree? Above you actually cite four functional examples. Shouldn't each be treated one at a time, in terms of the design, test, rollout, evaluate cycle?
If you agree with everything above, I'm curious as to your preferred second and third areas of focus, absent unusual considerations.
BTW, if you know of anyone who writes about process I'd be grateful.
Thank you.
|
|
Having read through Darren and Roger's posts, they have some really great feedback.
I do believe that there is a belief that there is some golden boiler plate for the process of rolling out Group Policy that can be generalized across organizations. This is simply not in-line with my experience. We spend quite a bit of time with large, mid, small, enormous, teeny, organizations and we get quite a lot of opinions on how to approach Management. We talk to health care, finance, education, military, government, manufacturing etc. etc. etc... and again, the business tends to drive the approach to manageability.
One point of your situation that I believe *can* be generalized is 'a Virgin domain'. It is great to have a blank slate especially when 'learning to navigate' the myriad of settings in Group Policy.
I really like Roger's functional areas and would treat them individually but I have a slightly different approach that may prove useful.
1) When we define customer needs we tend to take the situation that customers share with us and apply them to how an ITPro would address the need with GP. What I mean is, JoeAdmin is chatting with his manager BigJoe. BigJoe just got back from a three hour meeting talking about finances and saving money and cutting operational costs etc. BigJoe got some information on how much money is spent every year on power consumption. BigJoe asks JoeAdmin how can we do better? How can we better manage power consumption. JoeAdmin goes back to his cube and starts pondering.
This is (albeit a bit overused) a real scenario. JoeAdmin now is looking at how manageability is done and goes to GP to find if there is a possible solution? If it is not readily apparent, are there workarounds (Scripts, Software Install Policy etc.)?
2) BigJoe the IT manager is getting beat over the coals by business leaders because of low productivity. Regional Sales people come into an office and sit down on a computer and the software they need is not there. The desktop is set up completely differently. IE is configured different than they are used to, no favorites. It takes them way too much time to get the 'borrowed' computer to a place where they can begin being productive. We need to fix this, how can the user experience be predictable? Does this require a 'standard desktop' effort?
Again, way general, I apologize, but it is a real world situation that companies and ITPros deal with quite often. JoeAdmin now needs to sit and think through what possible solutions there are to this problem and Group Policy is the center of his management environment. It is time to do some research through the spreadsheet (for ADM), test out some of the other extensions (SRP, SIP, Folder Redirection etc.), and begin to come up with a plan. I believe as Darren mentions that the Common Scenarios document is a great document here.
My point here with far too few scenarios is that when learning GP, starting with the business problem is helpful. If the learning is happening in the absence of an actual problem (which is great) make a few up.
I have worked with some very large educational institutes and one shared this process with me that I thought was interesting. Not easy to implement but this is what they wanted to achieve. Limit what students can run on systems. Limit what they can do with IE or web in general. Provide access to common areas, with restrictions... If I am in sixth grade then when I open up a shortcut to a share that is located on my desktop I only see what is available for Sixth graders... if an eighth grader sits at the same computer and logs on they have the same shortcut but when they go to that share they see resources available for eighth graders...
I think learning through the scenarios is helpful because the learning is tangible. You can really wrap your head around the problem and you are not diving into the 'swimming pool' and overwhelmed with thousands of settings and options.
I think these are probably a bit lower level but the 14-part web series on Group Policy is very helpful and topic based so you can dive into part 7 for your specific area of interest and get some tips. (www.microsoft.com/gp).
Anyway, this is turning into a stream of consciousness and my kids keep reminding me that I am taking the day off!
Good luck Edward and good conversation.
Kevin
|
|
"Edward" <Edward[ at ]discussions.microsoft.com> wrote in message news:F762CAED-971F-430B-BFA9-5BF6AAD56230[ at ]microsoft.com...
> "Roger Abell [MVP]" wrote:
>> I get the impression that you are so-to-speak being blinded by the trees and failing to view the forest from overlooks in the terrain.
>
> I'd use a different metaphor. I have come to think of a complete Group Policy portfolio as the architectural plans for a multi-story building. There are myriad specs in such plans for things like floors, walls, engineering structures, windows, ventilation, electric, IP, etc. In order for the final design to make sense, and no matter what the final use of the building, there is still an underlying order to the development of the design. I am looking for that order, which you begin to hint at in your post, below.

I think we are on the same page. At your stage of the game I am suggesting that you need to take an architectural view. The building architect knows that there are specific requirements (habitable, safe, space that is inviting, lighting needs for the different types of spaces, etc. etc.). You know, or could discover, what is done currently to provision computers, to customize users' environments, etc. and similarly you likely know business and regulatory needs. I was just suggesting that you should focus on these, and also prioritize them in order to attempt GP implementation of them in an appropriate sequence. Similarly, on the architectural vein, AD is (still) primarily a construct for admin/mgmt of the computing environment (i.e. it has yet to be mainly a directory service). There is a great interplay as a result in the way computers and users are placed into the OU structure and the way the GP is applied to them. In a more ideal world one gets to factor policy settings so that they are stated once (in a single GPO) and this applies to the appropriate subset of the OU structure, compared to having the same policy value set in many different GPOs. So what I am attempting to indicate is that you sound like you are wanting a cookbook view of GP usage, and I am saying that how one uses GPOs depends on things beyond how GP works and beyond admin/mgmt objectives, especially the OU structuring.

>> So, first one needs to decide what aspects one wants to manage, and rank these as to their importance. Think functionally.
>
> The more I ponder the question, the more it seems that the Security Guidelines for XP and Server should really be the first place to start (and yes, I am assuming a well developed Vision/Scope doc), regardless of the environment. These two docs seem to deal with foundational issues of network functionality and domain wide network access issues. Microsoft doesn't really take an emphatic position as to its priority in the process. Here's my burning question for you: Is there any justification for starting elsewhere in a virgin domain?
Well, I am prejudiced when it comes to the guides you mention (as you may notice my name in the acknowledgements). But yes, I feel one can get some good ideas on how to use GP from the common scenarios Darren mentioned and on policy settings that are important for creating stable/safe deployments from those guides. However, notice that the guides deal mostly with the "security options" and make very little mention of settings in admin templates; the objective of the guides is to assist in hardening against an unknown, assumed hostile environment.
>> For examples: make machines accessible to only valid users, make machines silent on the network, have login scripts for users based on their user category, make sure all machines are using correct DNS servers, etc.
>
> You present this as an alternative, but I think this may be an essential starting point in the absence of some extraordinary circumstance, which I obviously cannot even imagine. Do you agree? Above you actually cite four functional examples. Shouldn't each be treated one at a time, in terms of the design, test, rollout, evaluate cycle?
The examples I mentioned were just some things that came to mind, and did not intend to indicate priority. I was suggesting that you look at your environment (how computer/user provisioning is now done, the organizational objectives and business needs, etc.) and list out the different aspects that you hope to accomplish, and that you rank them in importance. Then look at how GP might be used (or not) to effect each. As you do that, you will start to see how some "fit" with the OU structure, and how some must get shoehorned into/onto it.
> If you agree with everything above, I'm curious as to your preferred second and third areas of focus, absent unusual considerations.
My first area is to effect security and privacy; that is, to make sure I have done what is possible to make sure systems stay as they should be, are kept up-to-date, are resistant to penetration, are minimally visible on the network, etc. and allow only the intended users to have only the intended accesses.
My second area is to make the environment useful and convenient to its users. (short sentence, big task)
There are obviously some unstated prereqs for these, like a healthy network config and domain membership.
> BTW, if you know of anyone who writes about process I'd be grateful.
>
> Thank you.
|
|
Hi Kevin, Nice insights. Good to see you in the newsgroups too! Roger
|
|
I would agree with what others said. Take it one step at a time. Write out what groups you have, both users and computers and prioritize what rights they need from least restrictive to most restrictive.
I like having a baseline policy that contains my basic settings for everyone and then make slight changes to the policy depending on the group. Do not go crazy with the settings. There are hundreds of different settings and if you don't know what they are or how they will affect users, it can and will cause a major headache. I like testing any policy on my PC before pushing it out to everyone else.
I find it easiest to group users by a work function or department and the same with workstations, by a specific location. There is really no right or wrong way to do things. Just keep it simple, logical and making changes will be easy.
Get a book and watch webinars online. TechNet has some decent group policy webinars you can view anytime and dozens of articles.
If anything, at least write out your groups on paper and visually see what you are planning before you jump in head first.