
What's a great book to learn GPO for Windows 2003?

#1 Aug 20 2004 at 9:36 AM Rating: Default
Hey guys. I am in the process of setting up a small network for my friend's business. He has ~25 workstations and they will all be running 2000 Pro or XP. The ADS is on a Windows 2K3 platform.

I am trying to learn Group Policy so that I can push out a policy that won't let the users do things like see their C: drive, change proxy settings, delete files, install apps, etc.

Is there a good book I can pick up to learn this? I have a decent fundamental understanding of ADS architecture, but I have never really messed with GPO. Thanks for your help!
#2 Aug 22 2004 at 5:34 AM Rating: Good
Encyclopedia
******
35,568 posts
Hmmm... Well. No one else has answered (you might get a quicker response on the tech support forum btw), I'll toss out my admittedly limited info.

I'm assuming ADS is Active Directory Server? Dunno for sure. I'm a unix guy, not a Win admin. The only reason I know anything at all about it is because I worked closely with an NT admin counterpart back when I used to admin network appliance fileservers, so I got to hear all about how this would change how remote files were accessed from Win boxes.

I've only seen it used within the context of a WinNT style Domain (I assume 2k has something like that). Does the ADS handle that job? If that's the case, then it's a matter of setting up directory "groups" and tying them to local or domain groups as needed. The ADS becomes the intermediary between the two peer systems and handles the authentication and authorization for file access.


I can't tell you anything about what books will help you. However, I can give you some tips on how to set up groups and permission sets, which you may find useful.

Rule one: Don't ever tie a single user to a single permission. Sure. Maybe you just need 5 guys to have access to a particular share. That's not the point. Maybe tomorrow you'll need 8 guys, or the day after that, 2 take on different jobs and need different permissions. You'll be micromanaging things till the cows come home if you do that.

Create permission set groups first (don't ask me for particular terms with Windows since I don't know them). The idea is that if you have a particular share or group of shares (or directories, or whatever they call them) that have something in common (they all have the same kind of data, or are used for the same thing), put them in a group.

Make that group (or set of groups) have the various access levels you want people to have on that data.

Then create groups that are functional. Put people in those groups based on the work they need to do. Don't actively make a one to one correlation to the data groups. The general rule is that "data" groups should be, well. Groups of different types of data. Functional groups should be groups of people, and can be as simple as "Joe, and the people working for him". Functional groups can be aligned with projects being worked on. I've seen groups created to mirror an email list (everyone on that list is working on something in common).

Put people in the functional groups. Put functional groups that need access to particular sets of data into the data groups. Then set permissions on the directories to give the data groups access.

Try to stick to that methodology. The idea is that if the people working on "project A" are all in one functional group, then you can put "project A" into the data group "Design data", for example. This allows you to administer a group of people and groups of data. If you later decide that project A needs access to the "Test" area, you can simply add the "project A" group into the "Test" group, and you're done.

You gain the additional advantage that if you want to make "global" changes, you can apply it just to the data group, and it automatically affects all the functional groups within that group, and all the people within those functional groups. Hierarchy and structure is the key here.

Since multiple users and groups can be inside other groups, this allows you the most flexibility. Don't be afraid to create new groups to cover a need. If you have design data that one of the project teams needs, and some test data that another group needs, and a third set (maybe a mix?) that both need access to, you can easily create a third data group, and drop both the functional groups into it.

And that's a hell of a lot easier than managing every user and his access separately.


I know you're just talking about setting this up, but how you set this kind of system up will determine how it grows over time. Building it wrong from the beginning will lock a future admin into continuing with an unwieldy system.

Probably not exactly what you were looking for, but I hope that helps you a little bit at least. Definitely find some books on the subject though. You're going to need to learn *how* to set up all that stuff before you can implement a good structure.
____________________________
King Nobby wrote:
More words please
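
The nesting scheme described in post #2 (people in functional groups, functional groups in data groups, permissions only on data groups), modelled as an added example that is not part of the original thread. All group names, users and share paths are constructed for illustration; the audit function flags access entries that name a user directly, which is what "rule one" warns against.

```python
# Constructed sample data; every name and path here is illustrative.
# group -> direct members (users or other groups)
GROUPS = {
    "project_a":   {"joe", "ann"},             # functional group: people
    "project_b":   {"raj"},                    # functional group: people
    "design_data": {"project_a"},              # data group: holds functional groups
    "test_data":   {"project_b"},
    "shared_data": {"project_a", "project_b"}, # third data group for the mixed set
}
# resource -> {principal: access level}
ACLS = {
    "/shares/design": {"design_data": "rw"},
    "/shares/test":   {"test_data": "rw", "kim": "r"},  # direct user grant
    "/shares/shared": {"shared_data": "r"},
}

def expand(group, groups=GROUPS, _seen=None):
    """Return every user reachable from a group through nested membership."""
    seen = _seen if _seen is not None else set()
    if group in seen:            # membership loop or repeat visit: stop here
        return set()
    seen.add(group)
    users = set()
    for member in groups.get(group, ()):
        if member in groups:     # nested group: recurse
            users |= expand(member, groups, seen)
        else:                    # anything that is not a group is a user
            users.add(member)
    return users

def effective_access(resource, acls=ACLS, groups=GROUPS):
    """Map each user to the set of access levels granted on a resource."""
    result = {}
    for principal, level in acls[resource].items():
        members = expand(principal, groups) if principal in groups else {principal}
        for user in members:
            result.setdefault(user, set()).add(level)
    return result

def direct_user_grants(acls=ACLS, groups=GROUPS):
    """List (resource, user) entries that bypass groups entirely."""
    return sorted((res, p) for res, acl in acls.items()
                  for p in acl if p not in groups)

if __name__ == "__main__":
    GROUPS["test_data"].add("project_a")   # one change grants the whole team
    print(effective_access("/shares/test"))
    print(direct_user_grants())
```
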
All times are in CST