
At what point does GPO become effective (from a useful / usability standpoint)?

Discussion in 'Software' started by Arroryn, Oct 30, 2008.

  1. Arroryn
    Honorary Member

    Arroryn we're all dooooooomed

    I'm not going to pretend to be knowledgeable about GPO, but I was curious as to how various sizes and levels of companies implement this.

    One discussion I had this morning, for example, was locking down the proxy server settings.

    We frequently get calls from users, because they've accidentally knocked off their proxy server, and can't get t'interwebs. Locking this would solve the problem, but then we get laptop users who need the proxy off in certain instances, for example, when trying to authenticate on an ADSL connection in a hotel room.

    As we only have a small support team that has to "wear a lot of hats" working around the restrictions of GPO would be more time consuming than "not" having such things in place.

    At what stage in the logical and physical size of a company does GPO become a completely effective tool?

    I would certainly be interested in the opinions of those who work in SMBs, as whilst I'm sure GPO can do exactly what we need it to, my experience isn't enough to know the best way to go about things.

    (I'm mainly talking about locally applied GPO - which I have browsed through on user machines. Domain GPO is certainly above and beyond anything I know about... but I would still be interested to hear opinions and stories!)
    Certifications: A+, N+, MCDST, 70-410, 70-411
    WIP: Modern Languages BA
  2. nugget
    Honorary Member

    nugget Junior toady

    You could always divide the domain computers into 2 OUs, 1 for workstations and one for laptops. Then you could apply the GPO without a problem to the workstation OU but leave the laptop OU free to be able to adjust settings as needed.
    Certifications: A+ | Network+ | Security+ | MCP (270,271,272,290,620) | MCDST | MCTS:Vista
    WIP: MCSA, 70-622,680,685
  3. Obinna Osobalu

    Obinna Osobalu Banned


    Nugget has just simply outlined it... GPOs are an effective tool when it comes to the security needs of an organisation, helping to regulate the objects or services users/groups have access to. So I actually believe that GPOs can always be effective no matter the size of a company, both physical and logical, if applied correctly; after all, that's why it's referred to as GPO.......
    Certifications: MCITP:SA,MCTS(x5),MCSE2K3;MCSA2K3:M;MCP
    WIP: EDA7,70-652,Project+,MSP(70-632)
  4. Taita

    Taita Nibble Poster

    Yep, try this. Or maybe split the company into Sales Reps, Sales Managers, Marketing etc, this gives you a bit more granular control. Allowing you to have different rules for the Reps, who are remote, than to the Managers who might be local or remote.
    Certifications: A+ N+ MCP
  5. Stoney

    Stoney Megabyte Poster

    On a Windows operating system you have a 'Local Security Settings' snap in for the MMC. This allows you to control all the various user and computer security settings on the local computer, the proxy settings for IE being one of them.

    A GPO is exactly the same as the Local Security Settings, except you control it centrally (from AD) and apply it to users/computers based on their Group membership and where they sit in AD.

    GPOs can save a lot of time in administering multiple PCs and users, and if used correctly can provide granular control to suit your company's business structure and needs.

    However, if GPOs are implemented with poor planning and documentation, you can get yourself in quite a mess very easily. It is also very easy to try and overcomplicate the implementation of GPOs, which can lead to more problems than if no GPOs were used.
    Certifications: 25 + 50 metre front crawl
    WIP: MCSA - Exam 70-270
  6. somabc

    somabc Bit Poster

    If you have more than a handful of computers then GPO can be very useful. Yes if you have only 5 computers you could go round and set some settings by hand fairly quickly and you could tell the people concerned about any issues, but GPO are useful because if you set it up properly you know each client is going to have the right settings, you can monitor the settings centrally. So I would say GPO is useful from 2-3 clients upwards and is always useful if you want to lockdown clients.
    Certifications: BSc MBCS
  7. BosonMichael
    Highly Decorated Member Award

    BosonMichael Yottabyte Poster

    Don't you mean, "tried to get around their proxy server and lost their settings while they were dinking around with it"? :p

    It takes absolutely no time at all to NOT secure the network. But... that's not really a viable option, is it?

    At any stage... you just have to implement it properly.

    It's such a pain in the butt to deal with laptop users. You don't want those laptop users roaming around the Intarwebs unregulated... why not configure a VPN solution, and continue to require them to go through the proxy?
    Certifications: CISSP, MCSE+I, MCSE: Security, MCSE: Messaging, MCDST, MCDBA, MCTS, OCP, CCNP, CCDP, CCNA Security, CCNA Voice, CNE, SCSA, Security+, Linux+, Server+, Network+, A+
    WIP: Just about everything!
  8. Modey

    Modey Terabyte Poster

    Well sorry to be pedantic Stoney, but that's not right at all.

    The local security policy is a subset of the local group policy (Computer Configuration\Windows Settings\Security Settings). That maps to what you see when you examine local security policy. You can't set the proxy from local security policy, however you can configure it within the User Configuration area of local group policy.

    GPOs in AD are nothing like the local security policy. They are similar to local group policy in appearance, but have far more configurable options than a local group policy. Also, despite the name, Group Policies have nothing to do with groups / group membership.

    Arroryn, you could force the proxy setting via local group policy (gpedit.msc) or by applying it in AD, then set up some shortcuts locally for people who require the proxy at different times. The policy setting for the proxy directly maps to a couple of different registry keys. There is one key in particular that controls the tick box that enables / disables the proxy within IE.

    Once you have the correct keys isolated, it's very easy to manipulate them via a couple of shortcuts on the desktop, i.e. Home & Work etc... All they then do is double-click the appropriate shortcut depending on where they are and the proxy will turn on and off. Let me know if you want the files & shortcuts in question and I will email them to you. Just for reference though, here are the registry keys to toggle the proxy on and off. The first one when run via regedit (save as a text file with the .reg extension) will turn the proxy on, and the second will turn it off.

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
    Certifications: A+, N+, MCP, MCDST, MCSA 2K3, MCTS, MOS, MTA, MCT, MCITP:EDST7, MCSA W7, Citrix CCA, ITIL Foundation
    WIP: Nada
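
The Home/Work toggle described in the post above, as an added PowerShell example that is not part of the original thread. `ProxyEnable` and `ProxyServer` are the standard per-user values under the Internet Settings key quoted above, and the `Control Panel\Proxy` policy value is the one written by the IE "Prevent changing proxy settings" policy; the proxy address and the function names are placeholders chosen for this example.

```powershell
# Added example: per-user Home/Work proxy switch with a state report.
$InetKey   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$PolicyKey = 'HKCU:\Software\Policies\Microsoft\Internet Explorer\Control Panel'

# Assumption: placeholder address, replace with the organisation's proxy.
$WorkProxy = 'proxy.example.internal:8080'

function Get-ProxyState {
    # ProxyEnable is the DWORD behind the "Use a proxy server" tick box.
    $inet   = Get-ItemProperty -Path $InetKey
    # The policy key only exists when Group Policy has written to it.
    $policy = Get-ItemProperty -Path $PolicyKey -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Enabled  = ($inet.ProxyEnable -eq 1)
        Server   = $inet.ProxyServer
        UiLocked = ($null -ne $policy -and $policy.Proxy -eq 1)
    }
}

function Set-ProxyLocation {
    param(
        [Parameter(Mandatory)]
        [ValidateSet('Work', 'Home')]
        [string]$Location
    )
    if ($Location -eq 'Work') {
        Set-ItemProperty -Path $InetKey -Name ProxyServer -Value $WorkProxy -Type String
        Set-ItemProperty -Path $InetKey -Name ProxyEnable -Value 1 -Type DWord
    }
    else {
        # Keep ProxyServer so switching back to Work restores the same address.
        Set-ItemProperty -Path $InetKey -Name ProxyEnable -Value 0 -Type DWord
    }
    # Return the resulting state so a wrapper can log who switched and when.
    Get-ProxyState
}

# Example calls (each desktop shortcut would run one of these):
# Set-ProxyLocation -Location Work
# Set-ProxyLocation -Location Home
```

Applications that are already running may not pick up the change until they are restarted, and a domain GPO that sets the same values will reapply them at the next policy refresh.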
  9. MLP

    MLP Kilobyte Poster

    Hi Modey.

    Thanks for this info. I've been planning on scripting something for work laptops, to switch the proxy between home and work this way, and this will save me a lot of time. :biggrin
    Certifications: HND Computing
    WIP: 70-680, 70-270, 70-290
