At what point does GPO become effective (from a useful / usability standpoint)?

Oh man! Ad-blocking software has been detected! :'(

This website is run by the community, for the community... and it needs advertisements in order to keep running. Blocking our ads means your killing our stats!
Please disable your ad-block, or become a premium member to hide all advertisements and this notice.

You could always divide the domain computers into 2 OUs, 1 for workstations and one for laptops. Then you could apply the GPO without a problem to the workstation OU but leave the laptop OU free to be able to adjust settings as needed.

 

Nugget has just simply outlined it... GPOs is an effective tool when it comes to security needs of an organisation which helps to regulate objects or services users/groups has access to. So I actually believe that GPOs can always be effective no matter the size of a company both physical and logical if applied correctly, afterall thats why its referred to as GPO.......

 

Yep, try this. Or maybe split the company into Sales Reps, Sales Managers, Marketing etc, this gives you a bit more granular control. Allowing you to have different rules for the Reps, who are remote, than to the Managers who might be local or remote.

 

On a Windows operating system you have a 'Local Security Settings' snap in for the MMC. This allows you to control all the various user and computer security settings on the local computer, the proxy settings for IE being one of them.

A GPO is exactly the same as the Local Security Settings, except you control it centrally (from AD) and apply it to users/computers based on their Group membership and where they sit in AD.

GPO's can save a lot of time in administering multiple pc's and users, and if used correctly can provide granular control to suit your companies business structure and needs.

However, if GPO's are implemented with poor planning and documentation, you can get yourself in quite a mess very easily. It is also very easy to try and over complicate the implementation of GPO's, which can lead to more problems than if no GPO's were used.

 

If you have more than a handful of computers then GPO can be very useful. Yes if you have only 5 computers you could go round and set some settings by hand fairly quickly and you could tell the people concerned about any issues, but GPO are useful because if you set it up properly you know each client is going to have the right settings, you can monitor the settings centrally. So I would say GPO is useful from 2-3 clients upwards and is always useful if you want to lockdown clients.

 

Don't you mean, "tried to get around their proxy server and lost their settings while they were dinking around with it"?

It takes absolutely no time at all to NOT secure the network. But... that's not really a viable option, is it?

At any stage... you just have to implement it properly.

It's such a pain in the butt to deal with laptop users. You don't want those laptop users roaming around the Intarwebs unregulated... why not configure a VPN solution, and continue to require them to go through the proxy?

 

Well sorry to be pedantic Stoney, but that's not right at all.

The local security policy in is a subset of the local group policy. (Computer Configuration\Windows Settings\Security Settings) That maps to what you see when you examine local security policy. You can't set the proxy from local security policy, however you can configure it within the User Confguration area of local group policy.

GPO's in AD are nothing like the local security policy. They are similar to local group policy in appearance, but have far more configurable options than a local group policy. Also despite the name, Group Policy's have nothing to do with groups / group membership.

Arroryn, you could force the proxy setting via local group policy (gpedit.msc) or by applying it in AD, then set up some shorcuts locally for people who require the proxy at different times. The policy setting for the proxy, directly maps to a a couple of different registry keys. There is one key in particular that controls the tick box that enables / disables the proxy within IE.

Once you have the correct keys isolated, it's very easy to manipulate them via a couple of shortcuts on the desktop. ie - Home & Work etc... All then then do is double click the appropriate shortcut depending where they are and the proxy will turn on and off. Let me know if you want the files & shorcuts in question and I will email them to you. Just for reference though, here are the registry keys to toggle the proxy on and off. The first one when run via regedit (save as a text file with the .reg extension) will turn the proxy on, and the second will turn it off.

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable"=dword:00000001


[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable"=dword:00000000

 

Hi Modey.

Thanks for this info. I've been planning on scripting something for work laptops, to switch the proxy between home and work this way, and this will save me alot of time.