I Practice Safe Group Policy

Jul 7, 2010

Sometimes I get asked if there is anything that we can do to be “safer” around Group Policy usage.

The answer is a resounding “Yes.” Here are some quick tips for you to put into practice NOW, if you’re not already on the right track:

Tip 1: Create, link, then disable a GPO

Sounds counter-intuitive, but this tip can be a quick fix to a big problem. I don’t usually like “big fat GPOs with lots of stuff in them.” That’s not my preferred method of GPO creation. But there are clear-cut times when you NEED multiple policy settings or multiple preference settings WITHIN a GPO... and that’s A-OK.

The problem is, you won’t be able to “implement all the settings at once.” So, in essence, you’ll have “half-created” GPOs replicating around, with your clients picking up those partially completed GPOs.

The tip is: Disable the GPO, add what you need to add, then ENABLE it. (You can choose your method: on the LINK, or on the GPO itself.)

So, if you’re working on setting up a GPO which dictates Firewall Rules, you want to ensure that clients get ALL the firewall rules at one time, instead of possibly downloading the GPO (incomplete) and then re-downloading it later.

Tip 2: Think, then name.

 

This tip is easy to understand. Don’t name your GPOs “Our wonderful desktop settings” or “Everyone’s security settings” because that’s not descriptive enough. Surely there’s something SPECIFIC these GPOs could be named, like “Sales: Desktop Background” or “Marketing: Firewall Settings.” Clarity, clarity, clarity. You likely don’t work alone, so it’s important to be clear and deliberate in how you name your GPOs.

Tip 3: Use GP Comments

You can add comments about the GPO itself and about the settings within the GPOs. So don’t miss the chance to leave “breadcrumbs” behind for “the next person” who edits those GPOs. Explain WHY you did something inside the GP comments. Your “future friend” will thank you!
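The three tips above, put together as a PowerShell workflow. This is an added example, not code from the original post. The domain, OU, subnet and rule values are constructed placeholders, and the `NetSecurity` cmdlets it uses for the firewall rules ship with Windows 8 / Server 2012 and later, which is newer than this post.

```powershell
# Added example: build a firewall GPO while disabled, enable only when complete.
Import-Module GroupPolicy, NetSecurity
$ErrorActionPreference = 'Stop'   # any failure aborts before the GPO is enabled

$Domain  = 'corp.example.com'                         # assumed domain
$Target  = 'OU=Marketing,DC=corp,DC=example,DC=com'   # assumed OU
$GpoName = 'Marketing: Firewall Settings'             # Tip 2: specific name
$Store   = "$Domain\$GpoName"

# Tip 3: record WHY in the GPO comment at creation time.
$why = 'Inbound firewall baseline for Marketing desktops. ' +
       'Built disabled; enabled only once every rule is present.'
$gpo = New-GPO -Name $GpoName -Domain $Domain -Comment $why

# Tip 1: disable the GPO itself AND create the link disabled.
$gpo.GpoStatus = 'AllSettingsDisabled'
New-GPLink -Name $GpoName -Domain $Domain -Target $Target -LinkEnabled No | Out-Null

# Constructed sample rules (placeholders, not a recommended baseline).
$rules = @(
    @{ DisplayName = 'Allow RDP from admin subnet'; Direction = 'Inbound'
       Protocol = 'TCP'; LocalPort = 3389; RemoteAddress = '10.0.50.0/24'
       Action = 'Allow' },
    @{ DisplayName = 'Block inbound SMB'; Direction = 'Inbound'
       Protocol = 'TCP'; LocalPort = 445; Action = 'Block' }
)

# Stage every rule in one GPO session, then write them in a single save.
$session = Open-NetGPO -PolicyStore $Store
foreach ($r in $rules) {
    New-NetFirewallRule @r -GPOSession $session | Out-Null
}
Save-NetGPO -GPOSession $session

# Check the GPO holds the full rule set before any client can apply it.
$found = @(Get-NetFirewallRule -PolicyStore $Store).Count
if ($found -ne $rules.Count) {
    throw "Expected $($rules.Count) rules in '$GpoName', found $found. GPO left disabled."
}

# Only now enable the GPO and its link.
$gpo.GpoStatus = 'AllSettingsEnabled'
Set-GPLink -Name $GpoName -Domain $Domain -Target $Target -LinkEnabled Yes | Out-Null
```

If the script stops partway, the GPO and its link both remain disabled, so clients never process the partial rule set.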

I know you’re looking for more best practices, base-hits and big-wins you can use TODAY to make your world safer and more predictable.

I have exactly 4 spots left for my upcoming 5-day Group Policy Master Class (near Dulles Airport, airport code: IAD.)

I know the takeaways you get from the class will be mega-valuable and I guarantee this will help you with your upcoming Windows 7 rollout, create a smoother transition from XP and relieve the pain around desktop and security management. The best part is you’ll get the hands-on training you need for your real-world problems of today and tomorrow.

Knowing that budgets are tight, I’ve set up class at a hotel with a free airport shuttle (so no rental car needed) and a killer nightly hotel rate.

If you’re thinking about making it... now is the time. Sign up before the end of this week if you want a guaranteed seat.

Dates: July 19th (Monday) – July 22nd (Friday).

Ensure your seat by:

1. http://www.gpanswers.com/training/live-courses.html
(I know the website says “The class is full” but I can take 4 more people!)

2. Calling 302-351-4903 and Diane will help you if you need an invoice for a PO. We need the PO in hand to guarantee your seat.

Also… !

“Manager’s Special” PolicyPak Webinar – Today at 2:30 PM EST.

Bring your IT Manager to my “PolicyPak: Save Time, Money, and Effort (and increase security and sanity)” talk today. He / She only needs to stay for 15 minutes of the full 60 minute talk. So the agenda is:

() “Manager-speak” (how the company will save Time, Money, and Effort) for 15-minutes
() “Geek speak” for 45-minutes with me and learn how to use my free PolicyPak software to make your life easier.

You BOTH need to sign up at http://www.policypak.com/demo

I’ll draw a free book for one lucky geek who brings his/her IT manager along!
Or… One lucky IT pro who brings his/her geek along!

That’s it. See you in the July 19th class or today online!

Jeremy Moskowitz
GPanswers.com (Group Policy Community)
PolicyPak.com (PolicyPak Software)