Implementing new SCM GPOs in Parallel with old W2K3 ones

  • Question

  • We have a mixed Windows environment, with XP, some Windows 7, W2K3, W2K8 SP2 and W2K8 R2, with domain and forest functional level at W2K3.

    How would I implement new GPOs created via SCM v2 within this lovely environment?

    As these SCM GPOs only apply to W2K8 and W7, I was thinking of not touching the existing GPOs and just linking these additional ones in. But what will happen with the ‘Default Domain’ policy, as there can only be one?

    Tuesday, September 27, 2011 9:02 PM

Answers

  • Cosmo;

    One of the great strengths of AD-based group policy is its tremendous flexibility. However, that also means it can be extremely complex, especially in environments with so many different versions of Windows. I don't know enough about your network and business requirements to tell you categorically "you should do this!" You could write several pages explaining everything about it but frankly I'd still be uncomfortable telling you "do it this way" because I really don't know your business well enough. For specific assistance you'd need to hire a consultant :)

    I am happy to discuss this challenge in general terms, but understand that I'm being hypothetical. Also remember that other AD experts may disagree with me. What I would do is leave what you have alone; don't delete or modify your existing GPOs. This way you can undo whatever changes your new baselines and GPOs implement. Second, I would create a second domain policy with password and account lockout policies and assign a higher precedence to the new one over the 'default domain policy.' Third, I would be careful about pushing settings out broadly; be sure to test. The security option settings tend to cause application compatibility problems because they change the way Windows handles authentication, authorization, and encryption. The browser settings tend to cause different kinds of problems with browser-based business apps. So test as much as you can. Fourth, Jose and I have been trying to align the baselines across all the versions of Windows; you can see that higher degree of alignment for the Windows Server baselines. But we haven't released the updated baselines for the Windows Client operating systems yet; those will be released as a beta in a month or two and the final version a month or two later. I suggest that you focus your efforts on the server configurations now and wait until we release the beta before tackling Windows 7, Vista, or XP.


    Kurt Dillard http://www.kurtdillard.com
    • Marked as answer by cosmo1 Tuesday, September 27, 2011 10:21 PM
    Tuesday, September 27, 2011 9:50 PM
    Moderator
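
The rollout order described in the answer above, sketched with the GroupPolicy PowerShell module as an added example (not code from the thread or from SCM). The domain name, OU, folder paths and GPO names are all placeholders, and the SCM baseline is assumed to have been exported from SCM as a GPO backup folder.

```powershell
# Added example: every name and path below is a placeholder, not a value from the thread.
Import-Module GroupPolicy    # available with RSAT on Windows 7 / Windows Server 2008 R2

$Domain     = 'corp.example.com'
$DomainDN   = 'DC=corp,DC=example,DC=com'
$PilotOU    = "OU=Baseline-Pilot,$DomainDN"         # hypothetical OU holding a few test servers
$BackupRoot = 'C:\GPO-Backups\pre-scm'              # rollback copy of the existing GPOs
$ScmExport  = 'C:\SCM-Export\MemberServer'          # assumed SCM "GPO Backup" export folder
$ScmName    = 'WS2008R2 Member Server Baseline'     # hypothetical GPO name inside that backup

# 1. Leave the existing GPOs untouched, but snapshot them so any change can be undone.
New-Item -ItemType Directory -Path $BackupRoot -Force | Out-Null
Backup-GPO -All -Path $BackupRoot -Domain $Domain -Comment 'Before SCM rollout' | Out-Null

# 2. Record the current link order at the domain root for later comparison.
Get-GPInheritance -Target $DomainDN -Domain $Domain |
    Select-Object -ExpandProperty GpoLinks |
    Format-Table Order, DisplayName, Enabled, Enforced -AutoSize

# 3. Create the second domain-level GPO for password and account lockout policy and
#    link it at order 1, so it takes precedence over the Default Domain Policy.
#    The GPO is empty until its account policy settings are edited in GPMC.
$acct = New-GPO -Name 'Domain Account Policy (new)' -Domain $Domain
New-GPLink -Guid $acct.Id -Target $DomainDN -Domain $Domain -LinkEnabled Yes -Order 1 | Out-Null

# 4. Import the SCM server baseline into a new GPO and link it to the pilot OU only,
#    so the security option settings are tested before any broad rollout.
$base = Import-GPO -BackupGpoName $ScmName -Path $ScmExport -Domain $Domain `
                   -TargetName 'SCM Server Baseline (pilot)' -CreateIfNeeded
New-GPLink -Guid $base.Id -Target $PilotOU -Domain $Domain -LinkEnabled Yes | Out-Null

# 5. Verify precedence: the new GPO must be first, and no Enforced link may override it.
$links = (Get-GPInheritance -Target $DomainDN -Domain $Domain).GpoLinks
$top   = $links | Sort-Object Order | Select-Object -First 1
if ($top.GpoId -ne $acct.Id) {
    Write-Warning "Order 1 at the domain root is '$($top.DisplayName)', not the new GPO."
}
$links | Where-Object { $_.Enforced -and $_.GpoId -ne $acct.Id } | ForEach-Object {
    Write-Warning "Enforced link '$($_.DisplayName)' wins over link order."
}

# Rollback: unlink the new GPOs; the original GPOs were never modified.
#   Remove-GPLink -Guid $acct.Id -Target $DomainDN -Domain $Domain
#   Remove-GPLink -Guid $base.Id -Target $PilotOU  -Domain $Domain
```

Running `gpresult /h report.html` on a pilot server afterwards shows which GPO actually supplied each setting.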

All replies

  • Thanks for all your excellent support, I really appreciate it :-)
    Tuesday, September 27, 2011 10:21 PM