
Need advice: Security policies for member servers

Posted by boomboom999 on April 19, 2006, 2:46 pm

Is it a good practice to have one GPO per server in a mid-size
environment with about 100 member servers?

We want to control some User Rights and Local group membership via AD.
However, often application and service accounts are different from
server to server, so that makes us create exceptions from a basic GPO
policy.

What are good practices?


Posted by Schlarg Heimer on April 20, 2006, 5:41 pm
Hey Boom-boom,

I've just finished this very exercise at my company. Here's what we did.
We created a domain OU called "Servers" and sub-OUs based on the server role
(e.g. file server, IIS server, application server, etc). We then created a
_baseline_ group policy that contained the security settings that ALL of the
servers would have. We applied this baseline GP at the Server OU level. We
then created GPs for each of the server role types (e.g. file server, IIS
server, application server, etc) and then applied them to the corresponding
sub-OUs. At that point we incrementally populated the new OUs and watched
as the baseline and role based GPs took hold.

There are excellent role based baselines and inf template files available
from Microsoft so you don't have to do this all by hand. One thing I do
recommend, as always, is to read through all of the settings, understand
what they do and then test them in a lab environment. I used the RSOP tool
from Microsoft as well.

Here's a link to the documents and templates to get you started. I can
vouch for the efficacy of these first hand.

http://www.microsoft.com/technet/security/prodtech/windowsserver2003/w2003hg/sgch00.mspx

Good luck!
Schlarg, CISSP, MCSE
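
The OU and GPO layout described in the reply above, sketched as an added PowerShell example (not code from the thread or from Microsoft's guide). It assumes the ActiveDirectory and GroupPolicy RSAT modules and domain admin rights; the GPO names and exact OU names are illustrative assumptions.

```powershell
# Added example. GPO names (SRV-*) and OU display names are assumptions, not from the thread.
Import-Module ActiveDirectory, GroupPolicy

$domainDn = (Get-ADDomain).DistinguishedName

# Role sub-OUs (the roles named in the reply) mapped to hypothetical role GPO names.
$roles = [ordered]@{
    'File Servers'        = 'SRV-Role-FileServer'
    'IIS Servers'         = 'SRV-Role-IIS'
    'Application Servers' = 'SRV-Role-Application'
}

function New-OuIfMissing([string]$Name, [string]$Path) {
    # Create the OU only when it is not already a direct child of $Path.
    $existing = Get-ADOrganizationalUnit -Filter "Name -eq '$Name'" `
        -SearchBase $Path -SearchScope OneLevel
    if (-not $existing) {
        New-ADOrganizationalUnit -Name $Name -Path $Path `
            -ProtectedFromAccidentalDeletion $true
    }
    return "OU=$Name,$Path"
}

function Set-LinkedGpo([string]$GpoName, [string]$TargetDn) {
    # Create an empty GPO if needed, then link it to the OU exactly once.
    if (-not (Get-GPO -Name $GpoName -ErrorAction SilentlyContinue)) {
        New-GPO -Name $GpoName | Out-Null
    }
    $linked = (Get-GPInheritance -Target $TargetDn).GpoLinks.DisplayName
    if ($linked -notcontains $GpoName) {
        New-GPLink -Name $GpoName -Target $TargetDn -LinkEnabled Yes | Out-Null
    }
}

# Baseline GPO applies to every server through the parent OU.
$serversDn = New-OuIfMissing -Name 'Servers' -Path $domainDn
Set-LinkedGpo -GpoName 'SRV-Baseline' -TargetDn $serversDn

foreach ($role in $roles.GetEnumerator()) {
    $roleDn = New-OuIfMissing -Name $role.Key -Path $serversDn
    Set-LinkedGpo -GpoName $role.Value -TargetDn $roleDn

    # Effective link order for servers in this OU: lower Order wins, so the
    # role GPO overrides the inherited baseline where both define a setting.
    (Get-GPInheritance -Target $roleDn).InheritedGpoLinks |
        Select-Object @{n='OU'; e={ $role.Key }}, Order, DisplayName, Enforced
}
```

The GPOs created here are empty shells; the security settings still have to be imported and reviewed in a lab, then confirmed with RSoP on a test server as the reply recommends.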
