Best GPO Settings

Discussion in 'OT Technology' started by mc_88, Sep 17, 2009.

  1. mc_88

    mc_88 New Member

    Joined:
    Aug 17, 2009
    Messages:
    18
    Likes Received:
    0
    Looking at the GPO security settings for a business of around 100 employees, and I need to find all the settings in the GPO that will provide the most security/lockdown for the end user's desktop. I've got the basics like setting the screen saver to come on and lock the computer, and changing the password every 60 days. What else should I be doing?
     
  2. deusexaethera

    deusexaethera OT Supporter

    Joined:
    Jan 27, 2005
    Messages:
    19,712
    Likes Received:
    0
    There is no such thing as "best GPO settings". It really depends on what problems you actually have.

    Thus far my company has implemented almost no GPO settings, outside of domain security like password length and expiration dates, because it causes users quite a bit of stress when they can't make their machine work the way they want it to. Network security aside, we've taken the approach of waiting until it becomes obvious something is a problem and then addressing it, preferably through communication rather than restriction, because that way the employees don't build up a grudge against the IT department.
     
  3. mc_88

    mc_88 New Member

    Joined:
    Aug 17, 2009
    Messages:
    18
    Likes Received:
    0
    Do you have all the users running with local Admin accounts?
     
  4. cmsurfer

    cmsurfer ºllllllº

    Joined:
    Jun 6, 2003
    Messages:
    5,079
    Likes Received:
    0
    Location:
    NJ
    I agree with the above... Set up what you think is reasonable, and go from there. You can always make changes.

    I'm the admin of about 45 or so PCs and servers.

    Yes, just about everyone is an admin on the local machine. It's probably not the best idea, but I'd rather not be called every time they need to perform a specific task that a power user won't allow them to do.

    Plus I get annoyed having to log on as the admin to make system changes that I can't make on the user account ;)
     
  5. Chris

    Chris New Member

    Joined:
    Oct 27, 2003
    Messages:
    14,711
    Likes Received:
    0
    Location:
    Texas on my mind
    I'm actually having that debate right now, of whether to convert an office of about 50 that have had local admin rights to their machines into regular users. My main reasoning was because of the safety you get when browsing the web, from drive-by downloads and such.
     
  6. deusexaethera

    deusexaethera OT Supporter

    Joined:
    Jan 27, 2005
    Messages:
    19,712
    Likes Received:
    0
    The way my machines are set up, everyone is a domain user, and depending on the intended use of certain groups of machines, different domain user groups will be granted local admin privileges on those machines. For example, the GIS workstations allow GIS users to be local admins, and the HR machines allow HR users to be local admins, and the servers only allow Domain Administrators to be local admins, except for one server which hosts multiple end-users, which is configured the same as the GIS workstations are. In other words, only those people who actually understand the software on each machine are allowed to make substantial changes. It works very well.
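
An added example, not part of the post above or any poster's own tooling: a PowerShell check that compares a machine's local Administrators membership against a per-role allowlist of the kind described in that post. The role names, the `CORP\*` group names and the sample membership are hypothetical.

```powershell
# Added example, not from the thread. Role and CORP\* group names are hypothetical.
# Allowlist: which principals may be in local Administrators, per machine role.
$AllowedAdmins = @{
    'GIS'    = @('CORP\Domain Admins', 'CORP\GIS-Users')
    'HR'     = @('CORP\Domain Admins', 'CORP\HR-Users')
    'Server' = @('CORP\Domain Admins')
}

function Compare-LocalAdmin {
    param(
        [Parameter(Mandatory)][string]$Role,
        [Parameter(Mandatory)][object[]]$Members,   # objects with Name and ObjectClass
        [string]$ComputerName = $env:COMPUTERNAME
    )
    if (-not $AllowedAdmins.ContainsKey($Role)) {
        throw "No allowlist defined for role '$Role'."
    }
    # Assumption: the built-in account still has its default name on this machine.
    $allowed = @($AllowedAdmins[$Role]) + "$ComputerName\Administrator"
    $names   = @($Members | ForEach-Object { $_.Name })

    [pscustomobject]@{
        Computer   = $ComputerName
        Role       = $Role
        # Present but not allowed for this role (comparison is case-insensitive).
        Unexpected = @($Members | Where-Object { $allowed -notcontains $_.Name })
        # Allowed groups that are absent from the machine.
        Missing    = @($AllowedAdmins[$Role] | Where-Object { $names -notcontains $_ })
    }
}

# Constructed sample membership for a hypothetical GIS workstation.
$sample = @(
    [pscustomobject]@{ Name = 'GISWS01\Administrator'; ObjectClass = 'User'  }
    [pscustomobject]@{ Name = 'CORP\Domain Admins';    ObjectClass = 'Group' }
    [pscustomobject]@{ Name = 'CORP\jsmith';           ObjectClass = 'User'  }
)
$report = Compare-LocalAdmin -Role 'GIS' -Members $sample -ComputerName 'GISWS01'
$report.Unexpected | Format-Table Name, ObjectClass
$report.Missing

# On a live machine, feed it the real group (S-1-5-32-544 is BUILTIN\Administrators):
# Compare-LocalAdmin -Role 'GIS' -Members (Get-LocalGroupMember -SID 'S-1-5-32-544')
```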
     
  7. Mr. Kitty Litter

    Mr. Kitty Litter OT Supporter

    Joined:
    Jun 3, 2004
    Messages:
    29,785
    Likes Received:
    25
    Location:
    Here and there
    My setup is similar to this.
     
    Last edited: Sep 18, 2009
  8. Mr. Kitty Litter

    Mr. Kitty Litter OT Supporter

    Joined:
    Jun 3, 2004
    Messages:
    29,785
    Likes Received:
    25
    Location:
    Here and there
    Does your organization have mostly tech-savvy users, or is your staff the type to blow your phone up with "my screen saver comes on every 5 minutes...is there any way I can stop that?"

    :mamoru:
     
  9. Chris

    Chris New Member

    Joined:
    Oct 27, 2003
    Messages:
    14,711
    Likes Received:
    0
    Location:
    Texas on my mind
    I definitely have more of the latter, that's why I'm leaning towards standard users for everybody for safety's sake and telling them to get over it.
     
  10. mc_88

    mc_88 New Member

    Joined:
    Aug 17, 2009
    Messages:
    18
    Likes Received:
    0
    Well, it's a split. The engineers are pretty good about everything, then there's sales and ppl on the floor that aren't always so. lol
     
  11. mc_88

    mc_88 New Member

    Joined:
    Aug 17, 2009
    Messages:
    18
    Likes Received:
    0
    When we build a computer for a user, we add that user as a local admin only to that computer.
     
  12. DigiCrime

    DigiCrime If Only!

    Joined:
    Oct 25, 2001
    Messages:
    32,996
    Likes Received:
    100
    Location:
    St. Louis
    This is the best approach in my opinion. Well done! :bowdown:
     
  13. deusexaethera

    deusexaethera OT Supporter

    Joined:
    Jan 27, 2005
    Messages:
    19,712
    Likes Received:
    0
    To be fair, most people can figure that out if you let them have access to those settings, and if you take the opportunity to explain to them how to do it, the next time someone bitches about the same problem, you've got at least a chance the person you educated will say "oh yeah, just click here and here" and your workload will be reduced.
     
  14. deusexaethera

    deusexaethera OT Supporter

    Joined:
    Jan 27, 2005
    Messages:
    19,712
    Likes Received:
    0
    I do that on laptops. On desktops, which can conceivably be used by other people sometimes, I make it a whole group that has local admin rights.

    The biggest thing I do is I don't let them install programs on their own; if they need something, they ask me and I find a program that performs the necessary function without being a spyware-laden piece of shit, then I install it on everyone's machines.
     
  15. Chris

    Chris New Member

    Joined:
    Oct 27, 2003
    Messages:
    14,711
    Likes Received:
    0
    Location:
    Texas on my mind
    So even iTunes?
     
