
Group Policies - our way of doing things

In conjunction with Profiles and Login Scripts, Group Policies (commonly known as GPOs or Group Policy Objects) provide desktop security.

General rules of thumb:

  • Never have both user and computer configurations in one GPO - what the GPO actually does will change depending on whether it is linked to a container holding users or one holding computers
  • Don't define the same basic setting in multiple GPOs - if you want to change the setting (e.g. IE proxy settings) you should not have to alter it in multiple places. Also, if you remove a policy, the resultant setting for the user should revert to "not configured", not silently fall through to a different value defined elsewhere
  • Give GPOs sensible names - calling them things like School policy is a pointless tautology (you know it's a policy and you know what your school is called) as well as being completely uninformative
  • Don't define a new GPO for every setting - group settings into a small number of GPOs; it's unlikely that you would need to enable and disable each setting individually
  • Don't put every setting you require into one GPO - it's not uncommon for restrictions to cause software compatibility problems or to make troubleshooting more tricky, so you don't want to have to disable login scripts, desktop lockdowns, etc. just to run a test
  • Don't alter or overload standard GPOs by adding unrelated settings - Default Domain Policy usually defines little more than your password policy; leave it that way
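The first rule of thumb is easy to check mechanically. The script below is an added example, not part of the original KB page; it assumes the GroupPolicy PowerShell module (RSAT or a domain controller) and read access to the domain's GPOs. It uses the version counters that Group Policy keeps separately for the user and computer halves of each GPO as a heuristic for "this half has been edited", and goes one step beyond the text by also flagging GPOs whose unused half is still enabled, since disabling that half is the usual way of making a single-purpose GPO explicit.

```powershell
# Added example (not from the original KB page): audit GPOs against the rules above.
# Assumes the GroupPolicy module and read access to the domain's GPOs.
Import-Module GroupPolicy

function Test-GpoHygiene {
    # Flags GPOs that break the "one configuration half per GPO" rule and, going
    # beyond the KB text, GPOs whose empty half is still enabled.
    # Heuristic: a half whose DSVersion is 0 has never been edited.
    [CmdletBinding()]
    param(
        # Names of GPOs that are knowingly allowed to carry both halves (none by default).
        [string[]]$Exempt = @()
    )

    foreach ($gpo in Get-GPO -All | Sort-Object DisplayName) {
        $hasUser     = $gpo.User.DSVersion     -gt 0
        $hasComputer = $gpo.Computer.DSVersion -gt 0
        $issues      = New-Object System.Collections.Generic.List[string]

        if ($hasUser -and $hasComputer -and ($gpo.DisplayName -notin $Exempt)) {
            $issues.Add('Mixes user and computer settings; split into two GPOs')
        }
        if ($hasUser -and -not $hasComputer -and $gpo.Computer.Enabled) {
            $issues.Add('Computer half is empty but enabled; set GpoStatus to ComputerSettingsDisabled')
        }
        if ($hasComputer -and -not $hasUser -and $gpo.User.Enabled) {
            $issues.Add('User half is empty but enabled; set GpoStatus to UserSettingsDisabled')
        }
        if (-not $hasUser -and -not $hasComputer) {
            $issues.Add('No settings at all; candidate for deletion')
        }

        if ($hasUser -and $hasComputer) { $type = 'User+Computer' }
        elseif ($hasUser)               { $type = 'User' }
        elseif ($hasComputer)           { $type = 'Computer' }
        else                            { $type = 'Empty' }

        [pscustomobject]@{
            Name      = $gpo.DisplayName
            Type      = $type
            GpoStatus = $gpo.GpoStatus
            Issues    = ($issues -join '; ')
        }
    }
}

# Usage: list only the GPOs that have something to fix.
Test-GpoHygiene | Where-Object Issues | Format-Table -AutoSize
```

The version heuristic is deliberately conservative: a half that was edited and then emptied again keeps a non-zero version, so a GPO flagged as "User+Computer" deserves a look in the editor rather than an automatic split. Fixing the second class of finding is a one-liner per GPO, e.g. `(Get-GPO 'Desktop Lockdown').GpoStatus = 'ComputerSettingsDisabled'`.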

Standard GPOs

These are our standard GPOs in alphabetical order

Block 16-bit applications

What it does: As it says, this stops 16-bit applications from being run
Why: The 16-bit emulation layer (WoW) is cumbersome and can cause performance issues
Type: Computer
Where it is applied: Usually just for Terminal Servers
Notes:

Block all executables except necessary

What it does: Stops users running programs from their home areas, shared areas or removable areas
Why: To increase security and stop viruses
Type: User (Software Restriction Policy)
Where it is applied: Domain level or just for standard workstations and Terminal Servers
Notes: Beware software that installs in funny locations (i.e. not in Program Files) or that is run from a central share - these locations will need adding as exceptions

Desktop Lockdown

What it does: Provides desktop security by removing access to unwanted features
Why: To stop people playing about
Type: User
Where it is applied: Filtered by group at the top level or just for Terminal Servers
Notes: Does not include any MS Office policies

Disable firewall

What it does: Disables the Windows firewall
Why: Because on a LAN it can do more harm than good
Type: Computer
Where it is applied: Top-level
Notes:

IE Proxy and Home page

What it does: Sets the standard pupil level proxy and home page
Why: Internet security
Type: User
Where it is applied: Top level often filtered by group
Notes: May be overridden for other groups (e.g. staff) by a later policy

Show drives BSUW

What it does: Locks down Explorer so that only certain drives are seen
Why: Stops access to system drives
Type: User
Where it is applied: Top level filtered by group
Notes: Use this tool to generate the .adm files. The GPO will be renamed to reflect the actual list of drive letters left visible
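The .adm files this GPO relies on boil down to two Explorer policy values, so the arithmetic behind them is worth seeing once. The following is an added example, not the KB's generator tool: it assumes that "BSUW" means the drive letters B:, S:, U: and W: stay visible, and writes the result into a named GPO with `Set-GPRegistryValue` from the GroupPolicy module. The two registry values are the documented Explorer restrictions `NoDrives` (hide from Explorer) and `NoViewOnDrive` (refuse access), both DWORD bitmasks under `HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer` with bit 0 = A: and bit 25 = Z:.

```powershell
# Added example (not the KB's tool): compute the Explorer drive-restriction bitmask
# for a "show only these drives" GPO such as "Show drives BSUW".
# Assumption: BSUW = drive letters B, S, U and W remain visible.

function Get-HiddenDriveMask {
    param(
        # Drive letters that should stay visible, e.g. 'B','S','U','W'.
        [Parameter(Mandatory)][ValidatePattern('^[A-Za-z]$')][string[]]$Visible
    )
    $allDrives = 0x3FFFFFF                        # 26 bits set: every letter hidden
    $show = 0
    foreach ($letter in $Visible) {
        $bit  = [int][char]$letter.ToUpper() - [int][char]'A'   # A: = bit 0 ... Z: = bit 25
        $show = $show -bor (1 -shl $bit)
    }
    return $allDrives -band (-bnot $show)         # clear the bits of the visible drives
}

function Set-ShowDrivesPolicy {
    # Writes NoDrives (hide) and NoViewOnDrive (block access) into the named GPO.
    param(
        [Parameter(Mandatory)][string]$GpoName,
        [Parameter(Mandatory)][string[]]$Visible
    )
    $mask = Get-HiddenDriveMask -Visible $Visible
    $key  = 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    foreach ($valueName in 'NoDrives', 'NoViewOnDrive') {
        Set-GPRegistryValue -Name $GpoName -Key $key -ValueName $valueName `
            -Type DWord -Value $mask | Out-Null
    }
    return $mask
}

# Worked value for B, S, U, W: 0x3FFFFFF with bits 1, 18, 20 and 22 cleared
# = 67108863 - 5505026 = 61603837 (0x3ABFFFD)
Get-HiddenDriveMask -Visible 'B','S','U','W'

# To populate the GPO itself (requires the GroupPolicy module and edit rights):
# Set-ShowDrivesPolicy -GpoName 'Show drives BSUW' -Visible 'B','S','U','W'
```

Setting both values matters for the "Why" line above: `NoDrives` on its own only hides the icons, and a user can still type `C:\` into the address bar; `NoViewOnDrive` is what actually stops access, and neither value restricts anything outside Explorer (a command prompt, for example), which is why this GPO sits alongside the software restriction and desktop lockdown policies rather than replacing them.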

Stop shutdown and event trackers

What it does: Stops Windows Server hassling you for a reason when you want to shut down or reboot, as well as offering to tell Microsoft about any software that has failed
Why: Because life is too short
Type: Computer
Where it is applied: Top level
Notes:

Terminal Servers

What it does: Sets loopback group-policy processing and disables autorun
Why: We often need different user policies on different machines or need to co-exist with existing setups. Disable autorun to stop software being installed without switching to install mode
Type: Computer
Where it is applied: Terminal Servers OU
Notes:

Additional GPOs

In addition to the standard GPOs above, you may see the following GPOs:

Make desktop read-only

What it does: Redirects the desktop to a read-only area
Why: With a mandatory profile, anything saved to the desktop would otherwise be thrown away at log out
Type: User
Where it is applied: Anywhere that a mandatory profile is used
Notes:

Stop machine account changes

What it does: Stops Active Directory changing machine accounts automatically
Why: Because this breaks Provisioning Services
Type: Computer
Where it is applied: Provisioned workstations or servers
Notes:

Workstations

What it does: Enables loop-back group policy processing
Why: We often need different user policies on different machines
Type: Computer
Where it is applied: Standard fat-client OU
Notes:
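Both the Terminal Servers GPO and the Workstations GPO above rest on the same two registry-backed computer settings, so one example covers both. It is an added example, not the KB's own GPOs: it assumes the GroupPolicy module for the `Set-GPRegistryValue` calls, and it defaults loopback to Replace mode, which is a choice of this example (the KB does not say which mode it uses; Merge keeps the user's own policies and layers the machine-linked user settings on top, Replace ignores the user's own policies entirely). The registry locations are the documented ones the two policies write: `HKLM\Software\Policies\Microsoft\Windows\System\UserPolicyMode` (1 = Merge, 2 = Replace) and `HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun` (0xFF = autorun off for all drive types). The second function is the check you run on a machine to confirm the computer policy really arrived.

```powershell
# Added example (not from the KB page): populate and verify the loopback and
# autorun settings used by the "Terminal Servers" and "Workstations" GPOs.
# Assumptions: GroupPolicy module available; Replace mode is this example's default.

function Set-LoopbackAndAutorunPolicy {
    param(
        [Parameter(Mandatory)][string]$GpoName,
        [ValidateSet('Merge', 'Replace')][string]$LoopbackMode = 'Replace',
        [switch]$DisableAutorun
    )
    # "Configure user Group Policy loopback processing mode": 1 = Merge, 2 = Replace
    $mode = if ($LoopbackMode -eq 'Merge') { 1 } else { 2 }
    Set-GPRegistryValue -Name $GpoName -Key 'HKLM\Software\Policies\Microsoft\Windows\System' `
        -ValueName UserPolicyMode -Type DWord -Value $mode | Out-Null

    if ($DisableAutorun) {
        # "Turn off Autoplay" for all drive types
        Set-GPRegistryValue -Name $GpoName -Key 'HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer' `
            -ValueName NoDriveTypeAutoRun -Type DWord -Value 0xFF | Out-Null
    }
}

function Test-LoopbackAndAutorun {
    # Run on the client itself (or via Invoke-Command) after a gpupdate to confirm
    # the computer half of the GPO was applied; reads the policy keys, not the GPO.
    $sys = Get-ItemProperty -Path 'HKLM:\Software\Policies\Microsoft\Windows\System' -ErrorAction SilentlyContinue
    $exp = Get-ItemProperty -Path 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer' -ErrorAction SilentlyContinue

    if     ($sys.UserPolicyMode -eq 2) { $loopback = 'Replace' }
    elseif ($sys.UserPolicyMode -eq 1) { $loopback = 'Merge' }
    else                               { $loopback = 'Not configured' }

    [pscustomobject]@{
        ComputerName    = $env:COMPUTERNAME
        LoopbackMode    = $loopback
        AutorunDisabled = ($exp.NoDriveTypeAutoRun -eq 0xFF)
    }
}

# Terminal servers get loopback plus autorun off; fat clients get loopback only, as the KB describes.
Set-LoopbackAndAutorunPolicy -GpoName 'Terminal Servers' -LoopbackMode Replace -DisableAutorun
Set-LoopbackAndAutorunPolicy -GpoName 'Workstations'

# On a machine in either OU:
Test-LoopbackAndAutorun
```

A `LoopbackMode` of "Not configured" on a terminal server is the classic symptom when users in a lower-level OU receive the wrong desktop lockdown: the machine-linked user settings are never processed, so the per-machine split the "Why" lines above describe silently stops working.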

XenApp session limits

What it does: Sets disconnection and idle limits
Why: To save setting them on each server individually
Type: Computer
Where it is applied: Terminal Servers
Notes:


Precedence Technologies Ltd, 120 Cambridge Science Park, Milton Road, Cambridge, UK | Tel: 08456 446 800
Page last modified on August 08, 2010, at 07:57 PM by sborrill