  1. #1
    Member
    Join Date
    Sep 2004
    Location
    Your living room...
    Posts
    427

    Active Directory, Managing Group Policies, etc. . .?

     
    Hi All,

    I'm having a bit of a problem wrapping my head around group policies and such in Active Directory. Currently I have a test setup with a Win 2k3 Standard Server and a Win 2k Pro workstation. I've already added the Win 2k workstation to the "home.local" domain and all is well.

    Now, I need to begin administering permissions, etc. Can someone point me to a quality tutorial regarding specific items? Say I only want to allow specific applications to run, etc. I need a tutorial that instructs on that.

    As I've basically said, AD is running with full DNS. I simply need to know how to do what comes next; managing it. FYI, this is strictly a learning setup so I'm not averse to trying wildly experimental things.

    Regards
    I reserve the right to contradict myself. . .

  2. #2
    Ultimate Member cadetstimp's Avatar
    Join Date
    Oct 2001
    Location
    Oceanside CA
    Posts
    1,804
    Active Directory is very flexible in allowing you to create whatever groups you need..... the trick is in applying specific properties and tools to each group you create.

    Don't worry how to create the group - just do it and use long names if you need to describe its function. The trick is paying close attention to where the group is and what properties you attach to it (i.e. a subgroup 'virus' under 'Win2kSP2' could apply virus software to Win2k clients listed in the group that have received/are running SP2)

    I would start by thinking of the tasks you want to do and in which order.... think of how you want to group your clients based on the functions you need to apply. Create a group for each function and then put them in the correct order/hierarchy.

    As far as how to apply functions and policies to each group - start by right clicking the group that's been created and play with the policy settings. Drag clients into the new group and then see if the policy setting works on the clients in the group.

    i.e. Create a group called 'PasswordComplexityHigh' and then go into the policy settings of that new group and set a policy that requires a password complexity (8 characters / alphanumeric / etc.). Once saved - any clients dragged into that group will require a complex password when the client tries to change their password.

    (Making sure the name of the group is very descriptive of its function really helps when you start to get a lot of groups going)

    Advanced functions would involve client scripts that could be attached to a group to allow the scripts to run on the clients that are a part of the group.

    Scripting is a whole subject by itself, but I would search for an example 'Login scripts' to get started


    In any case - think of a function / create the group using a name that describes the function well / drag the group to the correct location in AD if not root / alter the group properties to carry out the policy you require / drag the correct clients into the group you wish to affect / check that the clients in the group are receiving the policy (that it works)

    For education purposes - you could start by creating a number of groups in the root of your AD with different functions. Then you could drag your one client into one group at a time to see if each function works. Then have fun dragging one group into another as a subgroup to see if the client obtains the functions of both groups. You'll quickly see the advantage of AD when you start to drag one group into another!
    Last edited by cadetstimp; August 12th, 2007 at 09:06 PM.

  3. #3
    Member
    Join Date
    Sep 2004
    Location
    Your living room...
    Posts
    427
    Well, let's pick one item. How would I add a policy that says "They can only use IE". . .or a policy that says "They can use everything EXCEPT IE". . .Can you give me a short walk-through?
    I reserve the right to contradict myself. . .

  4. #4
    Member
    Join Date
    Sep 2004
    Location
    Your living room...
    Posts
    427
    . . .and, is there any chance of having a domain without ".local" appended? It seems that when I don't use ".local" bad things happen.
    I reserve the right to contradict myself. . .

  5. #5
    Ultimate Member cadetstimp's Avatar
    Join Date
    Oct 2001
    Location
    Oceanside CA
    Posts
    1,804
    You'll want to explore and use the Software Restriction Policies
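
Added example, not part of the original posts: a simplified Python model of how Software Restriction Policy path rules decide the two cases asked about in post #3 ("only IE" versus "everything except IE"). It models path rules and the default security level only; the policies, paths and the `evaluate` helper are constructed for illustration and are not Windows' own implementation.

```python
from ntpath import normcase, normpath

# Security level values as SRP stores them (DefaultLevel in the policy).
DISALLOWED, UNRESTRICTED = 0x0, 0x40000

def _norm(path):
    # Windows paths compare case-insensitively; normalise separators too.
    return normcase(normpath(path))

def evaluate(policy, exe_path):
    """Return the level a path-rule-only policy assigns to exe_path."""
    target = _norm(exe_path)
    matches = []
    for rule_path, level in policy["path_rules"]:
        rule = _norm(rule_path)
        # A rule matches the exact file or anything beneath a folder.
        if target == rule or target.startswith(rule + "\\"):
            matches.append((len(rule), level))
    if not matches:
        return policy["default_level"]      # no rule: default level applies
    longest = max(length for length, _ in matches)
    # Most specific rule wins; on a tie the more restrictive level wins.
    return min(level for length, level in matches if length == longest)

IE = r"C:\Program Files\Internet Explorer\iexplore.exe"  # constructed path

# "They can only use IE": deny by default, allow IE, and keep the
# system directory allowed so the OS itself can still start programs.
ONLY_IE = {
    "default_level": DISALLOWED,
    "path_rules": [(r"C:\WINDOWS", UNRESTRICTED), (IE, UNRESTRICTED)],
}

# "Everything EXCEPT IE": allow by default, one Disallowed path rule.
EXCEPT_IE = {
    "default_level": UNRESTRICTED,
    "path_rules": [(IE, DISALLOWED)],
}

if __name__ == "__main__":
    for name, policy in (("ONLY_IE", ONLY_IE), ("EXCEPT_IE", EXCEPT_IE)):
        for exe in (IE, r"C:\Program Files\Mozilla Firefox\firefox.exe"):
            verdict = "run" if evaluate(policy, exe) else "blocked"
            print(f"{name:10} {exe:55} {verdict}")
```

Software Restriction Policies are processed by Windows XP and Windows Server 2003 and later; a Windows 2000 client like the one in this thread does not enforce them. Path rules match on location only, which is why the deny-by-default form is the stronger of the two.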

  6. #6
    Member
    Join Date
    Sep 2004
    Location
    Your living room...
    Posts
    427
    Understood. Another issue: How do I actually add a "client" machine without first logging into that machine as a "domain user"? Can I not simply "claim" an existing machine as long as it's on the domain?
    I reserve the right to contradict myself. . .

  7. #7
    Member
    Join Date
    Sep 2004
    Location
    Your living room...
    Posts
    427
    . . .also, what would suddenly make data transfer slow? Before the Active Directory and DNS setup was in place, the machines could transfer files and such at blinding speeds. Now, it seems that they're all connected via a 9600 baud modem or something. It's unbelievable.
    I reserve the right to contradict myself. . .

  8. #8
    Goverment property now GroundZero3's Avatar
    Join Date
    Oct 2001
    Location
    NOVA
    Posts
    33,778
    Blog Entries
    46
    You can add a computer account into AD but you will still need to join the computer to the domain

    Data transfers such as internet or file sharing?

  9. #9
    Member
    Join Date
    Sep 2004
    Location
    Your living room...
    Posts
    427
    Well the computers are currently on a closed network, so there's no internet access. But their file transfer has become unbelievably slow since setting up AD.
    I reserve the right to contradict myself. . .

  10. #10
    Goverment property now GroundZero3's Avatar
    Join Date
    Oct 2001
    Location
    NOVA
    Posts
    33,778
    Blog Entries
    46
    Network details?

    Are you copying over to mapped drives that you mapped out with AD?

    Are you trying to save to the network or just copy data over?

    Do you have all the latest updates installed for windows 2003 server?

  11. #11
    Member
    Join Date
    Sep 2004
    Location
    Your living room...
    Posts
    427
    Sorry. Yes, Server 2003 Standard R2 with all the latest updates. The server is running on a dual 3GHz Xeon with 2GB ram, and the client currently being worked with is some tiny 2GHz machine running 2K Pro.

    Basically the drives were mapped with the OS natively, not through AD so to speak. We're just running data tests right now. It seems for some reason that a SYNC between SQL servers runs fine, but actual drag-and-drop file transfer is amazingly slow. Could this have anything to do with bad DNS setup? Is it even remotely possible that it's doing redundant address resolution checks or something of that nature? I'm really lost at this point.
    I reserve the right to contradict myself. . .

  12. #12
    Member
    Join Date
    Sep 2004
    Location
    Your living room...
    Posts
    427
    Could it potentially have something to do with "LMHOSTS" or "NetBIOS over TCP/IP"?
    I reserve the right to contradict myself. . .

  13. #13
    Goverment property now GroundZero3's Avatar
    Join Date
    Oct 2001
    Location
    NOVA
    Posts
    33,778
    Blog Entries
    46
    LMHOSTS and NetBIOS are used for older operating systems (Win9x), so if you are running a pure Win2k/XP/Vista network you can turn it off.

    I don't think that's the problem. Did you set up a primary zone, secondary zone, or stub zone in DNS?

    What happens when you remove the mapped drives, flush the dns cache on the computer then remap the drives? I assume these machines are logging into the domain?
