Ironman273, posted June 4, 2015

A project was just dumped on my lap that I have to start doing research for. Basically it is to set up group policy for a small network (1 server, 18 workstations) with what I would assume are standard practices, like users don't get admin rights, mapped network drives, possibly having their My Documents folders stored on the server.

Where could I start getting information on this? I've done some searching but I can't seem to find what I'm looking for.

+BudMan (MVC), posted June 4, 2015

https://technet.microsoft.com/en-us/windowsserver/bb310732.aspx

What is your AD server? 2k3, 2k8, 2k12?

sc302 (Veteran), posted June 4, 2015

Users don't get admin rights by default.

You can use the GPO or a logon script to map drives.

You would use a policy to redirect My Docs to the server. If they are desktops or laptops that don't leave the campus, I would recommend disabling offline folders.

Ironman273 (Author), posted June 4, 2015

> https://technet.microsoft.com/en-us/windowsserver/bb310732.aspx
> What is your AD server? 2k3, 2k8, 2k12?

Thanks, I'll start reading through that. It's Server 2012.

> Users don't get admin rights by default.
> You can use the GPO or a logon script to map drives.
> You would use a policy to redirect My Docs to the server. If they are desktops or laptops that don't leave the campus, I would recommend disabling offline folders.

Some users now do have admin rights, I'd like to use GPO, and yes, they're all stationary computers, no laptops.

I need to figure out other settings that I may not be thinking about, so if anyone has any suggestions like "don't forget to set this" or "I would recommend that" I'm all ears!

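For the point about some users currently having admin rights, an added example (not part of the thread) that lists members of each workstation's local Administrators group that are not on an allowlist. The function names and the allowlist contents are assumptions of this example; querying a remote workstation assumes the caller has administrative access to it.

```powershell
# Added example: report local Administrators members that are not on an allowlist.
param(
    [string[]]$ComputerName = @($env:COMPUTERNAME),            # pass the workstation names here
    [string[]]$Allowed = @('Administrator', 'Domain Admins')   # assumed baseline; adjust to your site
)

function ConvertFrom-AdsPath {
    # 'WinNT://DOMAIN/user' or 'WinNT://DOMAIN/PC/user' becomes 'DOMAIN\user' or 'PC\user'
    param([string]$AdsPath)
    $parts = ($AdsPath -replace '^WinNT://', '') -split '/'
    if ($parts.Count -ge 2) { '{0}\{1}' -f $parts[-2], $parts[-1] } else { $parts[-1] }
}

function Get-LocalAdminMember {
    # Reads the group through the ADSI WinNT provider, which works on Server 2012-era clients.
    param([string]$Computer)
    $group = [ADSI]"WinNT://$Computer/Administrators,group"
    foreach ($member in @($group.psbase.Invoke('Members'))) {
        $path = $member.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $member, $null)
        ConvertFrom-AdsPath $path
    }
}

function Select-UnexpectedAdmin {
    # Compares on the account name only (the part after the backslash), case-insensitively.
    param([string[]]$Members, [string[]]$Allowed)
    $Members | Where-Object { $Allowed -notcontains ($_ -split '\\')[-1] }
}

foreach ($pc in $ComputerName) {
    try {
        $members = @(Get-LocalAdminMember -Computer $pc)
        foreach ($m in (Select-UnexpectedAdmin -Members $members -Allowed $Allowed)) {
            [pscustomobject]@{ Computer = $pc; Member = $m }
        }
    } catch {
        # Unreachable or access-denied machines are reported, not silently skipped.
        Write-Warning "$pc : $($_.Exception.Message)"
    }
}
```

Run with no arguments it checks only the local machine; the output is one row per unexpected account, which gives a removal list to work through.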
Intersect, posted June 4, 2015

> Thanks, I'll start reading through that. It's Server 2012.
> Some users now do have admin rights, I'd like to use GPO, and yes, they're all stationary computers, no laptops.
> I need to figure out other settings that I may not be thinking about, so if anyone has any suggestions like "don't forget to set this" or "I would recommend that" I'm all ears!

Lock off access to the command line in GPEDIT for a start, unless your user group has been configured to do that already.

sc302 (Veteran), posted June 4, 2015

Absolutely take them out of administrators... unfortunately there is no remove all and add back in this or that group... you did it manually to enable them, you must do it manually to remove them.

Easy enough simply by looking around. I like text representation, as I can do everything from a single script as far as mappings go. It is easier for me to identify where and when things are getting mapped and if there are any issues, easily debugging the script in case there is any overlap between users or departments.

My script looks something like this... this is a single file vs multiple GPOs to map drives based on group membership or a barrage of GPOs mapping drives for each department. It is faster for me to create a file than it is for me to create GPOs and link them for this... some people like GPOs.

    *****the following maps common drives for all users
    use g: \\servername\public
    use t: \\servername\training
    ****below are departmental mappings
    if ingroup hr
    use h: \\servername\hr
    endif
    if ingroup management
    use m: \\servername\management
    endif
    if ingroup legal
    use l: \\servername\legal
    endif
    if ingroup finance
    use i: \\servername\finance
    endif

Doing this I can easily see in one location the drive mappings. It will skip the mapping if they are not a member of those specific named AD groups. If needed I can run a debug against that so that the script runs line by line until there is an error and I can see exactly what line is stopping the script or stopping the user from being mapped, or if the script is mapping the user with a drive and that drive is being overwritten by another part of the script. It takes seconds to minutes to troubleshoot the script. I can apply this either in a GPO or in the user profile tab.

Do not use the syntax above, it is just a sample and will not function natively.

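A runnable counterpart to the sample mapping file in the post above, written as an added example in PowerShell (it is not sc302's script or syntax). It keeps the post's placeholder server, share and group names, and also flags the overlap case the post mentions, where one rule would overwrite a drive letter another rule already claimed; the `-Apply` switch and the function names are this example's own.

```powershell
# Added example: logon script that maps drives by AD group membership.
# Server, share and group names are the placeholders from the post above.
param([switch]$Apply)   # without -Apply the script only prints the plan

$CommonMaps = [ordered]@{
    'G:' = '\\servername\public'
    'T:' = '\\servername\training'
}
$GroupMaps = @(
    @{ Group = 'hr';         Drive = 'H:'; Path = '\\servername\hr' }
    @{ Group = 'management'; Drive = 'M:'; Path = '\\servername\management' }
    @{ Group = 'legal';      Drive = 'L:'; Path = '\\servername\legal' }
    @{ Group = 'finance';    Drive = 'I:'; Path = '\\servername\finance' }
)

function Get-CurrentUserGroup {
    # Group names from the logon token, so no AD module is needed on the workstation.
    foreach ($sid in [Security.Principal.WindowsIdentity]::GetCurrent().Groups) {
        try { ($sid.Translate([Security.Principal.NTAccount]).Value -split '\\')[-1] }
        catch { }   # SIDs that do not resolve to a name are skipped
    }
}

function Get-DriveMapPlan {
    param([string[]]$UserGroups)
    $plan = [ordered]@{}
    foreach ($drive in $CommonMaps.Keys) { $plan[$drive] = $CommonMaps[$drive] }
    foreach ($map in $GroupMaps) {
        if ($UserGroups -notcontains $map.Group) { continue }
        if ($plan.Contains($map.Drive)) {
            # The overlap case: a later rule would overwrite an earlier mapping.
            Write-Warning "$($map.Drive) already planned for $($plan[$map.Drive]); skipping $($map.Path)"
            continue
        }
        $plan[$map.Drive] = $map.Path
    }
    $plan
}

if ($Apply) {
    $plan = Get-DriveMapPlan -UserGroups @(Get-CurrentUserGroup)
    foreach ($drive in @($plan.Keys)) {
        net use $drive /delete /y 2>$null | Out-Null
        net use $drive $plan[$drive] /persistent:no
    }
} else {
    # Constructed sample memberships for a dry run.
    Get-DriveMapPlan -UserGroups 'Domain Users', 'hr', 'finance'
}
```

Run without `-Apply` it prints the planned mappings for the constructed memberships and touches nothing; as a logon script it would be called with `-Apply`.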
thechronic, posted June 4, 2015

Open Active Directory
Create Groups for Each User type (Receptionists, Students, Teachers for example)
Place Users into Group
Configure Group Policy for that particular group
Create Test User for each group (i.e. for User Group called Students place a user into that group called Student)
Login to Workstations with Test Account and check Group Policy settings have applied (i.e. No Shutdown, Task Manager, Preset Wallpaper and Theme settings)

You want to look for guides on 'Roaming User Profiles' and 'Folder Redirection' on YouTube. Remember to set the correct permissions for the folders on the server where the user files will be stored, otherwise they will not be able to write/read files to these directories.

It's been so long since I've done this I can't really be of any more use.

Ironman273 (Author), posted June 5, 2015

Would this be the best way to reset GPO before I start making changes?:

Issue this command to reset GPO settings to their defaults (enter this as one line):

secedit /configure /db reset /cfg

sc302 (Veteran), posted June 5, 2015

That will reset local policies. Domain policies will be pushed down again by domain controllers.

Ironman273 (Author), posted June 5, 2015

Thanks! I was thinking last night that a better idea might be to create a new group (all workstations will have the same GPO) and then move the users out of their old group and into the new one.

sc302 (Veteran), posted June 5, 2015

There are two main portions to group policy. Computer configuration and user configuration. The computer section applies to computers only, they can't apply to users. The user section applies to users and can't be applied to computers. Often people try to get computer configuration to apply to users or user groups and don't understand why it doesn't work.

Ironman273 (Author), posted June 5, 2015

So from my understanding what I'm trying to accomplish is user configurations, so regardless of where the user logs on from (although 99.9% of the time it'll be from "their" computer) the policies apply to them.

sc302 (Veteran), posted June 5, 2015

Yes, as long as it is a domain joined computer.