Educause Security Discussion mailing list archives

Re: Group Policy Object recommendations - newly migrating to AD


From: Aaron Wade <agw8 () CORNELL EDU>
Date: Fri, 9 Jul 2004 09:22:21 -0400

Hi Todd,
        I administer the academic computing center in the college of engineering and
we run a fairly restrictive group policy environment.
        To answer your questions:
1)      Some good basic GPOs are the ones that fit best with your environment (not
the answer you were looking for, but it's true).
        Generic things to control are IE, registry editing tools, control
panel applets; basically prevent your users from altering any configuration
that you have set.  We run a "student" mandatory profile and we also
re-direct My Documents to the user's home directory. Depending on what your
labs are used for, I'd suggest preventing access to .vbs extensions.  We have
also applied the securews.inf in the Security Configuration and Analysis
utility.  We only allow read/execute access to the system32 and Program Files
directories.  We apply an IPsec filter GPO to each desktop that blocks SMB/
NetBIOS connections from outside of our subnet (in case our firewall happens
to go down).
        We are currently working on getting SMB packet signing applied to our entire
domain.


2) I don't maintain the work PCs, but if I did, it would be in pretty much the
same manner, and have in the past.

3) Since this applies to #1 as well, it has worked rather well, except for
applications that don't like to cooperate.  When that happens, we have to
find out what files/reg keys the app is trying to access/write and give the
necessary permissions (regmon and filemon).

4) We don't use GPOs for software; we tend to use Ghost and Ghost AIBuilder.

5) We reserve Monday mornings until 12pm for maintenance time, during which
time we install software and patches on our imaging machine and reghost the
lab.

HTH
-Aaron

--
Aaron Wade
Windows and Classroom Support Specialist
ACCEL/Engineering Library
Cornell University
MCSE,A+
mobile: 607.227.1067
office: 607.254.2721
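As an added illustration (not part of Aaron's post or anything from the list), here is a read-only PowerShell audit a lab admin could run on a workstation to confirm the lockdowns Aaron lists actually took effect: required SMB signing, registry tools and Control Panel disabled, My Documents redirected off the local disk, a Software Restriction Policy rule disallowing .vbs, and no Write access for Users on system32 and Program Files. It assumes the .vbs block is done with an SRP "Disallowed" path rule and that the read/execute restriction targets BUILTIN\Users; the IPsec filter is not checked here.

```powershell
# Added audit script (not from the original post). Read-only: it reports, it does not change anything.
# Assumptions: .vbs is blocked via an SRP Disallowed (level 0) path rule; the
# read/execute-only restriction is expressed as ACEs on BUILTIN\Users.
$results = @()

function Test-RegValue {
    param([string]$Path, [string]$Name, $Expected, [string]$Label)
    $actual = (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
    [pscustomobject]@{ Check = $Label; Expected = $Expected; Actual = $actual; Pass = ($actual -eq $Expected) }
}

# SMB packet signing required on both the server and client side of this box.
$results += Test-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' 'RequireSecuritySignature' 1 'SMB server signing required'
$results += Test-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters' 'RequireSecuritySignature' 1 'SMB client signing required'

# User-side lockdowns delivered through the user GPO / mandatory profile.
$results += Test-RegValue 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System' 'DisableRegistryTools' 1 'Registry editing tools disabled'
$results += Test-RegValue 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer' 'NoControlPanel' 1 'Control Panel hidden'

# My Documents redirected to the home directory: the Personal shell folder should resolve to a UNC path.
$personal = (Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders').Personal
$results += [pscustomobject]@{ Check = 'My Documents redirected'; Expected = 'UNC path'; Actual = $personal; Pass = ($personal -like '\\*') }

# Software Restriction Policies: look for a Disallowed path rule whose ItemData ends in .vbs.
$saferPaths = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths'
$vbsRule = Get-ChildItem $saferPaths -ErrorAction SilentlyContinue | Get-ItemProperty | Where-Object { $_.ItemData -like '*.vbs' }
$results += [pscustomobject]@{ Check = 'SRP disallows .vbs'; Expected = 'Disallowed rule for *.vbs'; Actual = ($vbsRule.ItemData -join ', '); Pass = [bool]$vbsRule }

# Users should hold nothing beyond read/execute on system32 and Program Files:
# flag any Allow ACE for BUILTIN\Users that carries a Write bit (Modify and FullControl include it).
foreach ($dir in "$env:SystemRoot\System32", $env:ProgramFiles) {
    $broad = (Get-Acl $dir).Access | Where-Object {
        $_.IdentityReference -eq 'BUILTIN\Users' -and $_.AccessControlType -eq 'Allow' -and
        (($_.FileSystemRights -band [System.Security.AccessControl.FileSystemRights]::Write) -ne 0)
    }
    $results += [pscustomobject]@{ Check = "Users read/execute only on $dir"; Expected = 'no Write ACE'; Actual = (($broad | ForEach-Object { $_.FileSystemRights }) -join '; '); Pass = (-not $broad) }
}

$results | Format-Table -AutoSize
```

Run it as a logged-on lab user after the GPOs have refreshed; a Pass of False on any row points at the setting that did not reach the machine (or that an uncooperative application's permission fix-up has loosened).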


On Thursday 08 July 2004 3:58 pm, you wrote:
We are currently in the process of migrating to Windows 2003 w/Active
Directory and are looking for some basic guidance or suggestions for group
policies.

Our students' PCs in the residence halls are not part of the domain.  We are
only concentrating on faculty/employee work PCs as well as our lab PCs.
Students, faculty, and employees are members of the domain.

1.  Any suggestions on some basic GPOs to use?
2.  How restrictive/unrestrictive are you with the work PCs?
3.  How has that worked or not worked for you (regarding question #2)?
4.  Do you use GPO to deploy software, updates, patches?
5.  What are your basic procedures for that?  (Certain nights of the week
(PCs left on), during logon, etc.)

In the higher ed environment things like this run hot and cold.  Not much
middle ground.  We were just wondering how other institutions tackled these
issues surrounding GPOs.

I thank you for your advice in advance,
Todd :)

-----------------------------
Todd Gunter
Director, Management Information Systems
Information Technologies Project Manager
45 Ferry St
Troy, NY 12180
guntet () sage edu (work email)
518-857-6754 (cell)
518-244-2088 (office)
518-244-2460 (fax)
~~~ "If you focus on quality today, it will, in the long term, pay
benefits" ~~~

**********
Participation and subscription information for this EDUCAUSE Discussion
Group discussion list can be found at http://www.educause.edu/cg/.
