Tuesday 24 March 2009

SBS 2008 – MPECS’ Default Group Policy Object Additions

We have a group of Group Policy Objects that we create by default with all of our SBS 2008 installations.

The following is the base SBS 2008 GPO map we keep in Visio 2007 Professional:

[Figure: SBS 2008 MPECS’ Default GPOs (Visio GPO map)]

We create and link the following GPOs (italicized in the map above):

  • Default Computers Policy
    • Security settings to apply to all systems connected to the domain.
    • Terminal Services specific settings for remote desktop users.
  • Default Printer Deployment Policy
    • Used to deploy printers to Windows Vista and XP Professional clients.
  • Windows SBSComputers Policy
    • Any settings that need to apply specifically to domain workstations.
  • Windows SBSUsers Policy
    • User specific settings such as publishing BGInfo (previous blog post), Screensaver lockdowns, and more.

When there is a need, we will add other OUs and create and link GPOs to them to make things a lot more granular. An example would be for systems that need specific security settings based on the department the systems reside in.

Using Group Policy Preferences, we are also able to fine tune the user experience with things like customized mapped drives, printer access, local admin user setup, and more.

In the case of SBS 2008, we leave the default GPOs alone, since editing them has a demonstrated impact when migrating from an existing SBS 2008 server to a new SBS 2008 server: SBS 2008 to SBS 2008 Migration Fails When "Windows SBS User Policy" Edited.
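The GPO set described above, scripted as an added example (this is not MPECS’ own script and was not part of the original post): it creates the four custom GPOs, links them into the SBS OU tree without touching the default SBS policies, and applies the screensaver lockdown mentioned for the users policy. It assumes the GroupPolicy PowerShell module (RSAT on Windows 7 or Server 2008 R2; SBS 2008 itself does not ship it), the stock SBS "MyBusiness" OU layout, and that the two "Default" policies are linked at the domain root.

```powershell
# Added example, not MPECS' code. Assumes the GroupPolicy module (RSAT) is available
# and the stock SBS 2008 OU tree (MyBusiness > Computers > SBSComputers, Users > SBSUsers).
Import-Module GroupPolicy

$domainDN   = [string]([ADSI]"LDAP://RootDSE").defaultNamingContext   # e.g. DC=example,DC=local
$computerOU = "OU=SBSComputers,OU=Computers,OU=MyBusiness,$domainDN"
$userOU     = "OU=SBSUsers,OU=Users,OU=MyBusiness,$domainDN"

# GPO name -> link target. Domain-wide policies are assumed to link at the domain root.
$gpoMap = @{
    "Default Computers Policy"          = $domainDN
    "Default Printer Deployment Policy" = $domainDN
    "Windows SBSComputers Policy"       = $computerOU
    "Windows SBSUsers Policy"           = $userOU
}

foreach ($name in $gpoMap.Keys) {
    # Idempotent: reuse an existing GPO of that name instead of creating a duplicate.
    $gpo = Get-GPO -Name $name -ErrorAction SilentlyContinue
    if (-not $gpo) {
        $gpo = New-GPO -Name $name -Comment "MPECS default GPO, created $(Get-Date -Format yyyy-MM-dd)"
    }
    # Link only if the target does not already carry a link to this GPO.
    $linked = (Get-GPInheritance -Target $gpoMap[$name]).GpoLinks | Where-Object { $_.DisplayName -eq $name }
    if (-not $linked) {
        New-GPLink -Name $name -Target $gpoMap[$name] -LinkEnabled Yes | Out-Null
    }
}

# Screensaver lockdown in the users policy: password-protected lock after 10 minutes.
# These are the documented policy registry values behind the Control Panel\Personalization settings.
$desktopKey = "HKCU\Software\Policies\Microsoft\Windows\Control Panel\Desktop"
Set-GPRegistryValue -Name "Windows SBSUsers Policy" -Key $desktopKey -ValueName ScreenSaveActive    -Type String -Value "1"   | Out-Null
Set-GPRegistryValue -Name "Windows SBSUsers Policy" -Key $desktopKey -ValueName ScreenSaverIsSecure -Type String -Value "1"   | Out-Null
Set-GPRegistryValue -Name "Windows SBSUsers Policy" -Key $desktopKey -ValueName ScreenSaveTimeOut   -Type String -Value "600" | Out-Null

# Disable the unused half of each GPO so clients skip processing it (faster logon, fewer surprises).
(Get-GPO -Name "Windows SBSUsers Policy").GpoStatus     = "ComputerSettingsDisabled"
(Get-GPO -Name "Windows SBSComputers Policy").GpoStatus = "UserSettingsDisabled"

# Export an HTML report of the users policy for the client's documentation binder.
Get-GPOReport -Name "Windows SBSUsers Policy" -ReportType Html -Path "$env:USERPROFILE\Desktop\SBSUsers-Policy.html"
```

Printer deployment and Group Policy Preferences items (mapped drives, local admin setup) are edited in the GPMC after the empty GPOs exist; the script only lays down the shells and the one registry-based lockdown.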

Philip Elder
Microsoft Small Business Specialists
Co-Author: SBS 2008 Blueprint Book

*All Mac on SBS posts will not be written on a Mac until we replace our now missing iMac! (previous blog post)


1 comment:

stryqx said...

That's fairly similar to what I do.

I tend to prefix my GPOs with the client's business name to make it easier to see what's been added specific to the client installation. Very handy when it came to SBS2K3->SBS2K8 migration.

I also link certain GPOs to the MyBusiness OU and use the security filtering capabilities of the GPO rather than rely solely on OU placement. Very useful, as a user/computer can belong to multiple security groups but only be placed in one OU.

I also link GPOs to sites where I have multiple networks. Useful for branch offices with their own site-specific requirements.

This then minimises OU creation and the need to perform user/computer moves into OUs after account creation.

The final point to make is that Microsoft recommend that GPOs contain only a handful of settings and to create a new GPO when making changes and to disable the link for the old settings, thus creating a version history of sorts. Not so important now with annotations in W2K8, or with AGPM in the Desktop Optimization Pack.

+1 on leaving the default GPOs alone. Leads to a world of pain.