I'm green when it comes to GPOs, advice please.

  • Thread starter Thread starter TheSingingCat
  • Start date Start date
T

TheSingingCat

Hi gents,

I've been using NT for a long, long time, but only marginally touched on
group policies in NT 4.0, I see in 2003 they've come a long way. I am
looking for a good method of setting up a GPO presumably using filtering to
apply the rules against my users. Our domain is running in 2003 native
mode, I have set up no OUs in the domain, rather just using existing
containers (users,computers, builtin etc.).

We have our Default Domain Policy GPO and I've setup another one called
IEProxyGPO. Basically, IEProxyGPO fills in IE proxy settings with 127.0.0.1
to eliminate internet access (and blocks tab access). I have filtered
security for the gpo by removing authenticated users and created a domain
global group called IEProxyUsers and add users into that group who should
not have access to the internet (80/100 staff). The for the policy
security, I check Read and Apply Policy settings for that group.

Is this sort of the norm or a screwball way of doing this - creating a
domain level gpo for this? (keeping in mind we're not running ISA server).
I just don't think breaking up users into OUs would really be of use to me.
Having said that, I am new to this and might just be missing part of the
larger picture.

Thx.

tsc
 
Hi

Nah you've pretty much got it. You apply GPO's at the level that they need
to be so that you minimise repetition. The alternative would be to create
an OU and put all users who should receive these settings in that OU. Next
you link the GPO to that OU and unlink it at the domain level. By doing it
this way, you eliminate the need for filtering by security ... possibly
easier to manage and track down issues should they arise.

The good news is that you haven't mucked around with the Default Domain
Policy which is generally a good thing.

Kind regards
--
Mark Renoden [MSFT]
Windows Platform Support Team
Email: (e-mail address removed)

Please note you'll need to strip ".online" from my email address to email
me; I'll post a response back to the group.

This posting is provided "AS IS" with no warranties, and confers no rights.
 
Thanks Mark, if I could pick your brain on one last matter -- This GPO
(ieproxygpo) only seems to be applied when the user logs on. I've waited
well over the refresh interval and the IE proxy settings remain blank. I
was under the impression this would automatically update with the new
enforced settings within 120min and only folder redirection and software
install polices required a logon.

A lot of users here just lock their workstations for the night and it could
be weeks before they reboot or log off for some reason. The specific
setting I am trying to enforce is located at:

Userconfig>WindowsSettings>InternetExploreMaint.>connection>Proxy Settings

Then I also check:

AdminTemplate>WindowsComponents>InternetExplorer "Disable Changing Proxy
Settings" = Enabled

I don't get why this isn't automatically updating the browser until log on.

Thank you,

tsc
 
N/M - they are being applied -- just the time interval is much longer than I
thought I read it was. It seems to refresh approximately every 12 hours on
the clients.
 
Hi

The Internet Explorer maintenance policy ususally applies only when the
policy has been edited or if it hasn't been applied before. To change this
behaviour, refer to:

306915 Internet Explorer Maintenance Group Policies Do Not Apply During
http://support.microsoft.com/?id=306915

Kind regards
--
Mark Renoden [MSFT]
Windows Platform Support Team
Email: (e-mail address removed)

Please note you'll need to strip ".online" from my email address to email
me; I'll post a response back to the group.

This posting is provided "AS IS" with no warranties, and confers no rights.
 
Back
Top