Design Question...

Duncan.

Hi all,

I'm after some advice.
I have a small network, about 2000 desktops spread evenly
across three sites. There are 2 DCs at each site.
These users tend to log on at similar times; they probably
all log in between 7am and 10am every morning and log out
between 4pm and 7pm each evening.
I need to apply a lock-down policy; however, there are
going to be some people who will need to be excluded.
There will also be instances, for example, where a user
might want to have just part of the restriction removed,
such as access to the command prompt.

I've thought about setting the Default Domain Policy to
allow everything, such as access to the command prompt,
then creating another policy which denies access and
applying this to a group.
This way all the users in the group are denied access to
cmd until they are removed from the group.
It also means that all the GPOs are linked at the same
place (the domain level).

So... what do you think, is this a good model?
Also, how many GPOs do you think I should apply to users?
I don't want to affect logon times too much.

Any comments will be gratefully received.

Regards,
Dunc.
 
Duncan,

Without speaking to the "content" of the post, you cannot
apply GPOs to groups. I am sure that you meant that you
would apply the GPO and use that security group to filter
the GPO.

Remember, by default, the "Authenticated Users" has both
read and Apply Policies rights to the GPO.
The "Authenticated Users" group affects everyone
authenticated by a DC. If you create a Security Group,
throw the desired user accounts in the Group and then on
the Policy itself go to the Security tab and remove the
Authenticated Users entry and replace it with that
Security Group that you just created.

Now, to the "content". If some people need to be excluded
from the lock down policy simply do not add them to that
group. This is the great thing about being able to filter
the GPO by way of Security Groups. Again, for this to be
effective you need to remove the "Authenticated Users"
group.

It is also a really smart move to leave the Default Domain
Policy alone. You can indeed change the Default Domain
Policy all that you like (as with the Default Domain
Controllers Policy), but you run the danger of messing
things up....

While I am here, make sure that you have the Sites set up
correctly in Active Directory Sites and Services. Also,
make sure that you have associated each and every site
with the appropriate Site. This way your clients will
typically authenticate to their "local" DC. However, do
be aware that the possibility exists that DCs will create
a "generic" record (take a look at the MS Knowledge Base
using "generic records" as the search parameter), so it is
possible that workstations in SiteA will authenticate to a
DC in SiteB.

Does this help you any?

Cary
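The following PowerShell is an added worked example, not code from either poster, showing how Cary's advice looks when carried out with the GroupPolicy and ActiveDirectory RSAT modules: a separate lock-down GPO instead of edits to the Default Domain Policy, security filtering through a group rather than Authenticated Users, a single domain-level link, and site/subnet definitions so clients find a local DC. The domain (corp.example.com), GPO, group, account, workstation, site and subnet names are all assumptions for illustration. One caveat the thread predates is included as a comment: since MS16-072 (KB3163622) the computer account must retain Read on a user GPO, so Authenticated Users is downgraded to Read rather than removed outright.

```powershell
# Added example (not from the thread). Assumed names throughout: domain
# corp.example.com, GPO 'Workstation Lockdown', group 'GPO-Lockdown-Users',
# sample accounts, workstation WS001, and the SiteA/B/C subnets.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$DomainDN  = 'DC=corp,DC=example,DC=com'   # assumed domain
$GpoName   = 'Workstation Lockdown'         # new GPO; Default Domain Policy is left untouched
$GroupName = 'GPO-Lockdown-Users'           # security group used to filter the GPO

# 1. Security group that receives the lock-down. Anyone who must be excluded
#    is simply never added to it (or is removed later with Remove-ADGroupMember).
if (-not (Get-ADGroup -Filter "Name -eq '$GroupName'")) {
    New-ADGroup -Name $GroupName -GroupScope Global -GroupCategory Security `
        -Description 'Users who receive the workstation lock-down GPO'
}
Add-ADGroupMember -Identity $GroupName -Members 'jsmith', 'ajones'   # assumed sample accounts

# 2. A separate GPO for the restriction instead of editing Default Domain Policy.
$gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
if (-not $gpo) { $gpo = New-GPO -Name $GpoName -Comment 'Restricts cmd.exe for filtered users' }

# Example restriction from the thread: block the command prompt for the user.
# DisableCMD = 2 blocks interactive cmd.exe but still lets .cmd/.bat scripts run;
# 1 would block both.
Set-GPRegistryValue -Name $GpoName -Key 'HKCU\Software\Policies\Microsoft\Windows\System' `
    -ValueName 'DisableCMD' -Type DWord -Value 2 | Out-Null

# 3. Security filtering: take Apply away from Authenticated Users, grant it to the group.
#    Authenticated Users keeps Read (not removed entirely) because since MS16-072
#    (KB3163622) user policy is retrieved in the computer's security context, so the
#    computer account needs Read on the GPO or the user settings silently stop applying.
Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' -TargetType Group `
    -PermissionLevel GpoRead -Replace | Out-Null
Set-GPPermission -Name $GpoName -TargetName $GroupName -TargetType Group `
    -PermissionLevel GpoApply | Out-Null

# 4. Link once, at the domain level, as the original poster planned.
$alreadyLinked = (Get-GPInheritance -Target $DomainDN).GpoLinks |
    Where-Object { $_.DisplayName -eq $GpoName }
if (-not $alreadyLinked) {
    New-GPLink -Name $GpoName -Target $DomainDN -LinkEnabled Yes | Out-Null
}

# 5. Verify the filtering, then check what one user actually receives on one machine.
Get-GPPermission -Name $GpoName -All |
    Select-Object Trustee, Permission |
    Format-Table -AutoSize
# Resultant Set of Policy for an assumed user/workstation pair (the workstation must be reachable):
Get-GPResultantSetOfPolicy -User 'corp\jsmith' -Computer 'WS001' `
    -ReportType Html -Path "$env:TEMP\rsop-jsmith.html"

# 6. Sites and subnets, so clients locate a DC in their own site (assumed values).
$Sites = @{ 'SiteA' = '10.1.0.0/16'; 'SiteB' = '10.2.0.0/16'; 'SiteC' = '10.3.0.0/16' }
foreach ($site in $Sites.Keys) {
    if (-not (Get-ADReplicationSite -Filter "Name -eq '$site'")) {
        New-ADReplicationSite -Name $site
    }
    if (-not (Get-ADReplicationSubnet -Filter "Name -eq '$($Sites[$site])'")) {
        New-ADReplicationSubnet -Name $Sites[$site] -Site $site
    }
}
# On a client, confirm which site it resolved to and which DC it logged on against:
#   nltest /dsgetsite
#   $env:LOGONSERVER
```

The `-Replace` switch on `Set-GPPermission` matters: without it the cmdlet only raises a trustee's level and will not lower Authenticated Users from Apply to Read. Running `Get-GPPermission -All` afterwards is the quick check that only the intended group carries `GpoApply`.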
 