7

I have set about 10 group-policies, and it works OK. Although, it would be interesting to see what kind of things IT-administrators enforce.

If you have a ton of policies, just show some, that you feel really changes something.

I guess you could avoid "default permit" -> block everything you can, and only keep things unlocked, that is directly needed.

This question refers to Windows Servers :) Although I won't shun Mac nor Linux administrators.

Peter Mortensen
caspert

3 Answers

7

I love Group Policy. It makes me able to do my job and to allow my company to leverage the collective talents of 3 people over more than 1,000 PCs and server computers in multiple Customer sites.

Nearly every one of my Customers has the majority of the following uses of Group Policy:

  • Install software with Software Installation policy
  • Install software with startup scripts
  • "Work over" machines' factory Windows installations after their initial domain membership with a one-time startup script (Add/Remove Windows components, clean up the start menu, remove unwanted vendor-provided software, etc)
  • Setup the "user environment" (Folder Redirection, Group Policy preferences to put out registry preferences, desktop shortcuts, etc)
  • When appropriate, "locking down" the user environment (for kiosks, special-purpose PCs, etc)
  • Directing computers to WSUS servers and setting update policies
  • Setting IPSEC policy settings
  • Deploying wireless Ethernet settings (the corporate SSID and security configuration, etc)
  • Logon scripts to "map" "drives"
  • Logon scripts to clean out per-user "temp" directories, and startup scripts to clean out per-machine "temp" directories
  • Restricted group policy to populate local groups with domain groups
  • Control third-party applications that use registry settings to influence their behaviour through creation of custom Administrative Templates
  • Doing ANY type of misc. maintenance, either per-machine or per-user, that I need to do via startup or logon scripts

That's my "off the top of my head" list. I'll come back and revise if I think of more.

Evan Anderson
4

We use group policy to:

  1. Point workstations to our WSUS server
  2. Run a program that checks if the antivirus software is installed and if not, install it
  3. Disable registry editing
  4. Set Office security level
  5. Set ODBC connections
  6. Redirect a user's Desktop and My Documents to a file server
  7. Map network drives
  8. Set power saving settings (put monitors, hard drives and computer to sleep after xx minutes)
  9. Check versions of in-house applications
  10. Disable iTunes, Windows Media Player, VLC, etc.
  11. Set disk space quotas

[EDIT] Added the following:

  1. Enforce password policy
  2. Standardize desktop wallpaper and screen savers

And a few others I can't remember off the top of my head.

2

Quite a few; they tend to ping-pong between low numbers and high numbers. Right now the numbers are high on account of a number of WSUS policies that need to be consolidated. I don't think GPOs are the kind of thing that are ever really "finished", but instead get constant fine-tuning and refinement as time goes by.

Primary uses include:

  • Desktop lockdown
  • Software installation
  • Logon (and logoff) scripts
  • Startup (and shutdown) scripts
  • WSUS config
  • Passwords/security/etc
  • Folder redirection

One - maybe - novel use is a logon script that (1) checks if the computer is a server, (2) checks if the user is a "sensitive" one that we want to track, and (3) sends an email to our admins giving computer name, user name and time if either condition is met. We call it "proactive paranoia" and while it's not exactly security, it is an extra layer of comfort in that we know a little bit more about what's going on.

We also maintain some dummy OUs in our live AD that we occasionally drop some users and/or computers into for testing out new stuff, and have a small army of scripts that we can add anywhere for certain one-off jobs (e.g. if we feel like defragging all PCs any time we can just drop in a shutdown script for it).

Future plans include moving a lot of the vile registry hacks and maybe some other stuff from our main logon script over to Preferences.

Maximus Minimus
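The logon-alert script described in the last answer could look like the following. This is an added example, not the answerer's own script; the group name, SMTP relay and mail addresses are placeholders to replace with your own.

```powershell
# Added example: logon-alert script meant to be assigned as a GPO logon script.
# The group, SMTP host and addresses below are placeholders, not values from the page.
$SensitiveGroup = 'EXAMPLE\Tracked-Users'        # hypothetical domain group of tracked accounts
$SmtpServer     = 'smtp.example.internal'        # hypothetical internal mail relay
$MailFrom       = 'logon-audit@example.internal'
$MailTo         = 'admins@example.internal'

function Test-IsServer {
    # Win32_OperatingSystem.ProductType: 1 = workstation, 2 = domain controller, 3 = member server
    $os = Get-CimInstance -ClassName Win32_OperatingSystem
    return $os.ProductType -ne 1
}

function Test-IsSensitiveUser {
    param([string]$GroupName)
    # Evaluates the logon token, so nested group membership is honoured.
    $identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object System.Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole($GroupName)
}

function Get-LogonAlertReasons {
    param([bool]$IsServer, [bool]$IsSensitive)
    # Alert when either condition is met; record which one(s) fired.
    $reasons = @()
    if ($IsServer)    { $reasons += 'logon to a server' }
    if ($IsSensitive) { $reasons += 'tracked user account' }
    return ,$reasons
}

$reasons = Get-LogonAlertReasons -IsServer (Test-IsServer) `
                                 -IsSensitive (Test-IsSensitiveUser $SensitiveGroup)
if ($reasons.Count -gt 0) {
    $user = "$env:USERDOMAIN\$env:USERNAME"
    $body = "Computer: $env:COMPUTERNAME`r`nUser: $user`r`n" +
            "Time: $(Get-Date -Format o)`r`nReason: $($reasons -join '; ')"
    try {
        Send-MailMessage -SmtpServer $SmtpServer -From $MailFrom -To $MailTo `
            -Subject "Logon alert: $user on $env:COMPUTERNAME" -Body $body -ErrorAction Stop
    } catch {
        # A mail failure must never block or delay the user's logon.
        Write-Warning "Logon alert not sent: $($_.Exception.Message)"
    }
}
```

A logon script runs in the user's own context, so the account being tracked can read or interfere with it; treat the mail as a convenience signal alongside the Security event log (event ID 4624), not as a replacement for it.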