Group Policy help



A project was just dumped on my lap that I have to start doing research for. Basically it is to set up group policy for a small network (1 server, 18 workstations) with what I would assume are standard practices, like users don't get admin rights, mapped network drives, possibly having their My Documents folders stored on the server. Where could I start getting information on this? I've done some searching but I can't seem to find what I'm looking for.


Users don't get admin rights by default.

You can use the GPO or a logon script to map drives.

You would use a policy to redirect My Docs to the server. If they are desktops or laptops that don't leave the campus I would recommend disabling offline folders.


https://technet.microsoft.com/en-us/windowsserver/bb310732.aspx

 

What is your AD server? 2k3, 2k8, 2k12?

Thanks, I'll start reading through that.  It's Server 2012.

 


Some users now do have admin rights, I'd like to use GPO, and yes, they're all stationary computers, no laptops. I need to figure out other settings that I may not be thinking about so if anyone has any suggestions like "don't forget to set this" or "I would recommend that" I'm all ears! :D


Lock off access to the command line in GPEDIT for a start unless your user group has been configured to do that already.


Absolutely take them out of administrators...unfortunately there is no "remove all and add back in this or that group"...you did it manually to enable them, you must do it manually to remove them.

 

easy enough simply by looking around.   I like text representation, as I can do everything from a single script as far as mappings go, it is easier for me to identify where and when things are getting mapped and if there are any issues, easily debugging the script in case there is any overlap between users or departments. 

 

 

my script looks something like this...this is a single file vs multiple gpos to map drives based on group membership or a barrage of gpo's mapping drives for each department.  It is faster for me to create a file than it is for me to create gpos and link them for this...some people like gpos.

 

 


*****the following maps common drives for all users
use g: \\servername\public
use t: \\servername\training

****below are departmental mappings
if ingroup hr
use h: \\servername\hr
endif

if ingroup management
use m: \\servername\management
endif

if ingroup legal
use l: \\servername\legal
endif

if ingroup finance
use i: \\servername\finance
endif

 

Doing this I can easily see in one location the drive mappings.  It will skip the mapping if they are not a member of those specific named AD groups.  If needed I can run a debug against that so that the script runs line by line until there is an error and I can see exactly what line is stopping the script or stopping the user from being mapped or if the script is mapping the user with a drive and that drive is being overwritten by another part of the script.  It takes seconds to minutes to troubleshoot the script.  I can apply this either in a gpo or in the user profile tab. 

 

Do not use the syntax above, it is just a sample and will not function natively. 

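A working equivalent of the sample above as a PowerShell logon script, added here as an example and not the poster's own script. The server, share and group names are the placeholders from the post, and the log file location is an assumption. It also logs the case the post mentions, where one mapping would overwrite another on the same drive letter.

```powershell
# Added example (not the poster's script). Server, share and group names are
# the placeholders used in the post; the log path is an assumption.
$commonDrives = @(
    @{ Letter = 'G'; Path = '\\servername\public' }
    @{ Letter = 'T'; Path = '\\servername\training' }
)
$groupDrives = @(
    @{ Group = 'hr';         Letter = 'H'; Path = '\\servername\hr' }
    @{ Group = 'management'; Letter = 'M'; Path = '\\servername\management' }
    @{ Group = 'legal';      Letter = 'L'; Path = '\\servername\legal' }
    @{ Group = 'finance';    Letter = 'I'; Path = '\\servername\finance' }
)
$log = Join-Path $env:TEMP 'drivemap.log'
function Write-MapLog([string]$Message) {
    "$(Get-Date -Format s) $env:USERNAME $Message" | Add-Content -Path $log
}

# Group names come from the logon token, so nested groups are included and
# no ActiveDirectory module is needed on the workstation.
$identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$memberOf = foreach ($sid in $identity.Groups) {
    try {
        $account = $sid.Translate([System.Security.Principal.NTAccount]).Value
        ($account -split '\\')[-1]          # 'DOMAIN\hr' -> 'hr'
    } catch { }                             # unresolvable SID: skip it
}

$wanted = @($commonDrives) + @($groupDrives | Where-Object { $memberOf -contains $_.Group })

$claimed = @{}   # letter -> path, to catch two entries fighting over one letter
foreach ($d in $wanted) {
    if ($claimed.ContainsKey($d.Letter)) {
        Write-MapLog "SKIP $($d.Letter): $($d.Path) (letter already claimed by $($claimed[$d.Letter]))"
        continue
    }
    $claimed[$d.Letter] = $d.Path
    $existing = Get-PSDrive -Name $d.Letter -ErrorAction SilentlyContinue
    if ($existing) {
        $state = if ($existing.DisplayRoot -eq $d.Path) { 'OK (already mapped)' } else { 'SKIP (letter in use)' }
        Write-MapLog "$state $($d.Letter): $($d.Path)"
        continue
    }
    try {
        New-PSDrive -Name $d.Letter -PSProvider FileSystem -Root $d.Path -Persist -Scope Global -ErrorAction Stop | Out-Null
        Write-MapLog "OK $($d.Letter): $($d.Path)"
    } catch {
        Write-MapLog "FAIL $($d.Letter): $($d.Path) - $($_.Exception.Message)"
    }
}
```

The share and NTFS permissions on the server remain the actual access control; the script only decides which drive letters a user sees.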

  1. Open Active Directory
  2. Create Groups for Each User type (Receptionists, Students, Teachers for example)
  3. Place Users into Group
  4. Configure Group Policy for that particular group
  5. Create Test User for each group (i.e., for User Group called Students place a user into that group called Student)
  6. Login to Workstations with Test Account and check Group Policy settings have applied (i.e., No Shutdown, Task Manager, Preset Wallpaper and Theme settings)

You want to look for guides on 'Roaming User Profiles' and 'Folder Redirection' on YouTube.

 

Remember to set the correct permissions for the folders on the server where the user files will be stored, otherwise they will not be able to write/read files to these directories.

It's been so long since I've done this I can't really be of any more use.


Would this be the best way to reset GPO before I start making changes?

Issue this command to reset GPO settings to their defaults (enter this as one line):

secedit /configure /db reset /cfg


Thanks!  I was thinking last night that a better idea might be to create a new group (all workstations will have the same GPO) and then move the users out of their old group and into the new one.  


There are two main portions to group policy: computer configuration and user configuration. The computer section applies to computers only; it can't apply to users. The user section applies to users and can't be applied to computers. Often people try to get computer configuration to apply to users or user groups and don't understand why it doesn't work.


So from my understanding what I'm trying to accomplish is user configurations, so regardless of where the user logs on from (although 99.9% of the time it'll be from "their" computer) the policies apply to them.
