We have a group of Group Policy Objects that we create by default with all of our SBS 2008 installations.
The following is the base SBS 2008 GPO map we keep in Visio 2007 Professional:
SBS 2008 MPECS’ Default GPOs
We create and link the GPOs that are italicized:
- Default Computers Policy
- Security settings to apply to all systems connected to the domain.
- Terminal Services specific settings for remote desktop users.
- Default Printer Deployment Policy
- Used to deploy printers to Windows Vista and XP Professional clients.
- Windows SBSComputers Policy
- Any settings that need to apply specifically to domain workstations.
- Windows SBSUsers Policy
- User specific settings such as publishing BGInfo (previous blog post), Screensaver lockdowns, and more.
When there is a need, we will add other OUs and create and link GPOs to them to make things a lot more granular. An example would be for systems that need specific security settings based on the department the systems reside in.
Using Group Policy Preferences, we are also able to fine tune the user experience with things like customized mapped drives, printer access, local admin user setup, and more.
In the case of SBS 2008, we leave the default GPOs alone, since there is a demonstrated impact on migrating an SBS 2008 domain from the existing SBS 2008 to a new SBS 2008: SBS 2008 to SBS 2008 Migration Fails When "Windows SBS User Policy" Edited.
Microsoft Small Business Specialists
Co-Author: SBS 2008 Blueprint Book