Most commonly used Group policy in a corp environment 2

[slashdot]

Hi,
I need to build a new windows centric network for a startup. Can somebody suggest a list of most needed/useful gpo in a corp environment, something like hide control panel, disable usb boot, password aging, disable shutdown..etc. Even small tips will be very useful for me. Thanks.

-sve

 

[aftertaf]

bear in mind all password related domain policy has certain rules:

-it can only be applied to the domain, not to OUs.
-this means it is a domainwide setting.

apply it using the existing default domain policy, and if you need to setup other policies on the whole of the domain , then create a new GPO.

as for a list of needed.... well it depends on what you need!

this you'd beeter discuss with the management

Aftertaf
________
Regain control of your PC, at

http://www.debian.org

 

[markdmac]

be careful about removing control panel. You could be opening your company up to a law suite. Instead you will want ot use the policy to "Only Show The Following Control Panel Applets" and then you will want to show the following.

MAIN.CPL
ACCESS.CPL
MAILCFG32.CPL

Main will give the left handers access to switch mouse buttons to left hand use. Access will give your users access to the accessibility tools (don't know if you are in the US, but ADA could be all over you if you deny this). I've added the mail applet as I have found it is very difficult to troubleshoot email problems without having access to this one.

Other common policies to look at:
Remove access to Run Command
Remove Access to Command Prompt
Block Add/Remove Programs
Block registry Editing Tools
Block launching MMC
Configure IE

You will want to create a NEW policy for anything you do regarding the above. In the default domain policy the only thing you should change there is password related. Above all other things, if you start implementing restrictions, make sure you add Administrator with DENY to the security properties to ensure you don't lock out your admin ID from these functions.


I hope you find this post helpful.

Regards,

Mark

 

[aquias]

I've gotta give Mark a star for this. One of the biggest jobs in IT is to protect the company from itself, that includes law suites.

As someone that has AD implimented I hadn't thought of the angle you presented there Mark. Nicely done.

 

[markdmac]

Thanks Aquias.

I hope you find this post helpful.

Regards,

Mark

 

[technome]

be careful about removing control panel. You could be opening your company up to a law suite"
Can not see how ADA litigation comes into play by removing control panel completely,( not that I would recommend it from a maintenance point of view).

By removing all access to Control Panel...
Your denying all common users from making changes themselves by removing access to the control panel snappin, your not denying an administrator from providing changes to computers thus allowing a disabled person to use machines enabled with special features. The law is not that carried away.

........................................
Chernobyl disaster..a must see pictorial

http://www.kiddofspeed.com/default.htm

 

[technome]

Many colleges offer Business Law, 1 and 2, two best courses for protecting your company, other than talking to lawyers often.

........................................
Chernobyl disaster..a must see pictorial

http://www.kiddofspeed.com/default.htm

 

[slashdot]

Thank you all.

 

[bofhrevenge2]

Here in the U.K it is a requirement that we provide the accessibility features that users require, especially in gov or education where equal opps is heavily supported.

Mark has made a very good point and it would be wise to consider it.


"Sometimes, a cigar is just a cigar." - Sigmund Freud