Thanks again for your help Steven, I'll take a look at those articles. I've
already subscribed to one of the ISA newsgroups, so reading through the
history of that group for questions and answers.
I'm sure I'll be posting back again some time for more help on the group
policies - it's still in a test environment at the moment.
Thanks again, it's appreciated.
Ste
| There are some ISA newsgroups that would be very helpful but basically the clients on
| the network need to point to the ISA server internal network address as their default
| gateway and then the clients will be subject to rules on the ISA server. The link
| below is a great resource on ISA. Good luck. --- Steve
|
| http://isaserver.org/articles_tutorials/configuration_general/
|
| > Thanks Steven. We're using Microsoft ISA Server with Small Business Server
| > 2000, so there's definitely plenty of rules that we can implement. Though
| > this might be a bit beyond me so we might have to call out IT consultants.
| > The problem is that as we're a small charity, we've got a very limited
| > budget, so that's why I try and do most things myself - but anything too
| > tricky, and I'll make that phone call.
| >
| > I did create some reports in ISA, but they don't seem to show user internet
| > activity - I believe the reason for this is because the default gateway for
| > each user is the ADSL router's IP address, rather than the server itself.
| > Not sure how to change this though, but it's probably a post for the ISA
| > group! ;-)
| >
| > Thanks again,
| >
| > Ste
| >
| >
| > | Sounds good. Keep in mind that your firewall configuration can also be a major
| > | contributor to users not using unauthorized internet applications. Either try to use
| > | a default block all outbound access rule and then create the exceptions for
| > | authorized traffic. If your firewall can not do that, consider getting another one as
| > | they have really dropped in price and $350 can get you a good SOHO unit. Otherwise
| > | see if your existing one can at least block some outbound traffic - even the $80
| > | routers from Netgear, Linksys, etc can do a pretty good job of that these days. Good
| > | luck. --- Steve
| > |
| > |
| > | > Thanks for that again Steve, and I'll take note of your two approaches.
| > | > I've only added some basic global policies at the moment, but will start to
| > | > add more on a development PC using a test user account. The overall aim is
| > | > to only let people do and use what they need for the job. Hopefully, the
| > | > days of getting paid to chat on Yahoo Messenger all day are over... ;-)
| > | >
| > | > Thanks,
| > | >
| > | > Ste
| > | >
| > | >
| > | > | Sounds like you have a grasp of things. When you create a Group Policy [GPO] you can
| > | > | "link" it to more than one container/OU. The highest GPO takes precedence with
| > | > | defined settings. You could either create two sub OU's within your level 1 OU and
| > | > | simply create the GPO you want for each sub OU and put users into the appropriate OU
| > | > | and Group Policy would flow down through the sub OU's. Or you could have three OU's
| > | > | and then have the low restriction policy level linked to each OU with additional GPO
| > | > | for second level OU and all three GPO's linked to the third level OU with high
| > | > | restrictions with the OU specific to that OU at the top of the st. --- Steve
| > | > |
| > | > |
| > | > | > Thanks for the reply and advice Steven. At the moment, I've disabled the
| > | > | > computer parts of the group policies because I'm only specifying user
| > | > | > policies, and I read in a book that this helps to speed up the application
| > | > | > of these policies when the user logs on.
| > | > | >
| > | > | > When I set OU's such as Level 1, 2, & 3, they are basically the same as
| > | > | > Employees, Managers, Admins; it's just that I'm naming them differently.
| > | > | > What I'd like to do is to set up a level 1 policy (low restriction), then
| > | > | > copy this policy to a brand new policy in level 2 - I could then have a
| > | > | > starting point to go on from, rather than enforce everything I'd done in
| > | > | > level 1 first, then add my next restrictions in level 2.
| > | > | >
| > | > | > At the moment, my active directory of users and computers is like this:
| > | > | >
| > | > | > mycompany (domain, and contains the unedited default domain policy)
| > | > | > > MyCompanyPolicies (OU containing my global policies)
| > | > | > > Level 1 (low restrictions)
| > | > | > > Level 2 (medium restrictions)
| > | > | > > Level 3 (high restrictions)
| > | > | >
| > | > | > I assume that I'm on the right track with this (?), but will keep reading
| > | > | > the links and other resources that I find.
| > | > | >
| > | > | > Thanks,
| > | > | >
| > | > | > Ste
| > | > | >
| > | > | >
| > | > | > | Keep in mind there are two parts to Group Policy - computer and user and that they
| > | > | > | need to reside in the container where the policy is applied. Also for domain users,
| > | > | > | password/account policy can only be applied at the domain level. OU policy that has
| > | > | > | "defined" settings will override the same settings defined at the domain level. If
| > | > | > | there is a setting defined at the domain level and not at the OU level, the setting
| > | > | > | will still apply to a user/computer in the OU in a default installation.
| > | > | > |
| > | > | > | You may want to consider setting global policies that you want to apply to everyone at
| > | > | > | the domain level and then use your three OU's and name them something appropriate
| > | > | > | that distinguishes each by a role that applies to your office -
| > | > | > | employees/managers/admins etc. or sales/admin/production etc. --- Steve
| > | > | > |
| > | > | > | http://www.microsoft.com/windows2000/techinfo/planning/management/groupsteps.asp
| > | > | > |
| > | > | > | http://www.microsoft.com/resources/...erver/reskit/en-us/distsys/part4/dsgch22.mspx
| > | > | > |
| > | > | > | > Hi there,
| > | > | > | >
| > | > | > | > I'm about to start applying Group Policies to our network (1 server and 8
| > | > | > | > users) as it's currently an open system that's facing a lot of abuse.
| > | > | > | >
| > | > | > | > However, I'm looking for some ideas on managing this, and in particular, how
| > | > | > | > I should be arranging the OU's, being just a single small office.
| > | > | > | >
| > | > | > | > I've thought about having an OU that had global policies, then have three
| > | > | > | > separate OU's that contained Level 1, 2 and 3 policies of differing degrees
| > | > | > | > of group policies (low, medium, high). But if I do this, I'm finding that
| > | > | > | > it's difficult to remember what each Level contains, and it's getting quite
| > | > | > | > messy.
| > | > | > | >
| > | > | > | > Are there any websites that show some good practice and organisation for
| > | > | > | > this?
| > | > | > | >
| > | > | > | > Thanks for any help, it's appreciated.
| > | > | > | >
| > | > | > | > Regards,
| > | > | > | >
| > | > | > | > Stephen
| > | > | > | >
| > | > | > | >
|
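
The precedence rules discussed in the quoted replies above (domain settings flow down to OUs, a setting defined at the OU overrides the same setting from the domain, and the GPO at the top of a container's link list wins), modelled as an added example that is not part of the original thread. The OU names come from the thread; the GPO names and settings are constructed, and Enforced/No Override, Block Inheritance and domain-only account policy are not modelled.

```python
# Added illustration: a toy model of Group Policy resolution, not Microsoft code.
# OU names follow the thread; GPO names, setting names and values are constructed.

def resolve(containers):
    """containers: ordered domain first, then each OU down to the one holding
    the user. Each is (name, links); links lists GPOs with the highest-priority
    link FIRST. Returns {setting: (value, winning_gpo)}."""
    effective = {}
    for _name, links in containers:
        # Within a container the lowest-priority link is applied first, so the
        # GPO at the top of the link list is written last and wins.
        for gpo_name, settings in reversed(links):
            for key, value in settings.items():
                if value is not None:  # None stands for "Not configured"
                    effective[key] = (value, gpo_name)
    return effective

GLOBAL = ("Global", {"HideRunMenu": True, "DisableRegedit": True,
                     "NoControlPanel": None})
LEVEL1 = ("Level1-Low", {"NoControlPanel": False})
LEVEL3 = ("Level3-High", {"NoControlPanel": True, "HideRunMenu": True,
                          "BlockMessenger": True})

def level1_user():
    return resolve([("mycompany", [GLOBAL]), ("Level 1", [LEVEL1])])

def level3_user():
    # Layered option from the thread: the low-restriction GPO is linked here
    # too, with the OU-specific GPO at the top of the link list.
    return resolve([("mycompany", [GLOBAL]), ("Level 3", [LEVEL3, LEVEL1])])

def audit(effective):
    """List each effective setting with the GPO that supplied it."""
    return sorted(f"{k}={v} (from {g})" for k, (v, g) in effective.items())

if __name__ == "__main__":
    for line in audit(level3_user()):
        print(line)
```

Printing the winning GPO next to each setting addresses the "difficult to remember what each Level contains" problem raised in the first post.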