| Author | Messages | |
mdzikowski
Posts:71
 | | 04/07/2010 10:00 PM |
| How do you folks out there handle the following situation?
1. You want to lock down your laptops (users are not administrators on the box)
2. When they go home they want to install software, or need to setup their ISP software, etc.
3. They can't get new group policies other than using VPN, etc.
Is there a way to have group policies location/network aware? I have never seen it done...but maybe there is a way 
Regards,
Mike D-
============================================================================== CONFIDENTIALITY NOTICE: This email contains information from the sender that may be CONFIDENTIAL, LEGALLY PRIVILEGED, PROPRIETARY or otherwise protected from disclosure. This email is intended for use only by the person or entity to whom it is addressed. If you are not the intended recipient, any use, disclosure, copying, distribution, printing, or any action taken in reliance on the contents of this email, is strictly prohibited. If you received this email in error, please contact the sending party by reply email, delete the email from your computer system and shred any paper copies.
Note to Patients: There are a number of risks you should consider before using e-mail to communicate with us. See our Privacy Policy and Henry Ford My Health at www.henryford.com for more detailed information. If you do not believe that our policy gives you the privacy and security protection you need, do not send e-mail or Internet communications to us. ==============================================================================
| | | |
| JamieNelson
Posts:166
 | | 04/07/2010 10:38 PM |
| 1. Use restricted groups policy to lock down the local administrative group membership
2. If you remove administrator access, they won't be able to install most applications, and you shouldn't allow them to do so regardless of whether they are at home or not. That is just asking for trouble. You'll end up with P2P apps and lord knows what else getting installed. Would you really want to allow that and then have those laptops back on your corporate network? If you are even the slightest bit concerned about security, I would answer with a resounding "no".
3. There was quite a bit of discussion amongst the group about this awhile back. Short answer is, if you can't contact a domain controller, you can't consistently apply Group Policy. Since you normally don't initiate a VPN connection until right before/after you logon, certain Group Policy CSEs that only process during startup will never get applied. Windows 7 Direct Access fixes a lot of these issues though.
As far as making GPOs "location aware" there are a couple of options. You can obviously apply your Group Policy Objects to Active Directory Sites or there are some targeting options in GPP you could use to sort of do this. I've never done it myself with GPP but it could work for you depending on what you're trying to do.
Jamie Nelson | Sr. Administrator | BI&T Infrastructure-Intel | Devon Energy Corporation | Work: 405.552.8054 | Mobile: 405.248.7963 | http://www.dvn.com
Confidentiality Warning: This message and any attachments are intended only for the use of the intended recipient(s), are confidential, and may be privileged. If you are not the intended recipient, you are hereby notified that any review, retransmission, conversion to hard copy, copying, circulation or other use of all or any portion of this message and any attachments is strictly prohibited. If you are not the intended recipient, please notify the sender immediately by return e-mail, and delete this message and any attachments from your system.
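The two checks Jamie's answer turns on are (a) whether the laptop can currently reach a domain controller, because without that Group Policy cannot refresh, and (b) whether the local Administrators group still matches what Restricted Groups enforced at the last refresh. The script below is an added example written for this thread, not something from the original post or from any of the posters; it assumes Windows PowerShell 5.1 on a domain-joined Windows 10 machine, and the expected-members list and the `CONTOSO` group names are placeholders.

```powershell
# Added example: audit Restricted Groups drift and DC reachability on a laptop.
# Assumes Windows PowerShell 5.1 (Microsoft.PowerShell.LocalAccounts module).

function Test-DomainReachable {
    # Test-ComputerSecureChannel succeeds only when the machine's secure channel
    # to a DC can be verified, i.e. a Group Policy refresh would work right now.
    try { return [bool](Test-ComputerSecureChannel -ErrorAction Stop) }
    catch { return $false }
}

function Get-LastComputerPolicyRefresh {
    # Events 8000/8002/8004/8006 in the Group Policy operational log record
    # completed computer policy processing (boot, network change, manual, periodic).
    $ev = Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-GroupPolicy/Operational'
        Id      = 8000, 8002, 8004, 8006
    } -MaxEvents 1 -ErrorAction SilentlyContinue
    if ($ev) { return $ev.TimeCreated } else { return $null }
}

function Get-LocalAdminDrift {
    param([string[]]$Expected)
    # Get-LocalGroupMember returns names as DOMAIN\Name or COMPUTER\Name.
    $actual = Get-LocalGroupMember -Group 'Administrators' |
              Select-Object -ExpandProperty Name
    [pscustomobject]@{
        Unexpected = @($actual   | Where-Object { $_ -notin $Expected })
        Missing    = @($Expected | Where-Object { $_ -notin $actual })
    }
}

# Placeholder: replace with the members your Restricted Groups policy enforces.
$expectedAdmins = @(
    "$env:COMPUTERNAME\Administrator",
    'CONTOSO\Domain Admins',
    'CONTOSO\Workstation Admins'
)

$report = [pscustomobject]@{
    Computer          = $env:COMPUTERNAME
    DomainReachable   = Test-DomainReachable
    LastPolicyRefresh = Get-LastComputerPolicyRefresh
    AdminGroupDrift   = Get-LocalAdminDrift -Expected $expectedAdmins
}
$report | Format-List

# Any member that policy did not put there was added while the laptop was
# away from a DC; Restricted Groups will only remove it at the next refresh.
if ($report.AdminGroupDrift.Unexpected.Count -gt 0) {
    Write-Warning ("Local Administrators contains members not in policy: " +
                   ($report.AdminGroupDrift.Unexpected -join ', '))
}
```

Run it from a scheduled task at logon or on network-change events and forward the warning to your log collector: a laptop that reports drift together with `DomainReachable = False` is exactly the offline-modification case Jamie describes, and it will stay that way until the machine next talks to a DC.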
| | | |
| jeromelcruz
Posts:120
 | | 04/07/2010 10:38 PM |
| Michael,
In fact, GPOs are 'totally' location/network aware, and that 'feature' is your problem. All settings that were in place from the last 'contact' from the domain remain totally intact (albeit unless the local user is an Admin and has the ability / 'know how' to make changes).
Items (1) and (2), with several exceptions, are essentially opposing goals. An exception is that certain Group Policy settings will grant the end users the right to install certain printer drivers (note full blown printer installation such as we typically see with certain manufacturers).
That said, there 'are' certain things you can do. Most of them involve things 'you' can do (reasonably low tech) to manage your computers. For example, if you set up a local Administrator password control system, then End Users can 'call into' your Help Desk and be allowed to use the local Administrator account for a short period of time (afterwards, your Admin password system can reset the password for that device remotely). By setting up such a system, not only do you maintain 'some semblance' of access control to 'Company' (not personal) resources, but you also gain an audit trail, as well as being able to provide some extended support. For example, a user calls in wanting to install XXX software. Your Help Desk can quickly look and find out that installing that software will break their system and then can provide a documented alternative. Another reasonably low-tech solution would be to provide your Help Desk direct, remote logon access and have them perform the work themselves using documented procedures.
Take a look at this awesome article from our good friend Jakob H. Heidelberg on this very topic: http://www.windowsecurity.com/articles/How-Force-Remote-Group-Policy-Processing.html
BTW: Jakob wrote and made available, what I would call the 'definitive' GPP deployment script (great for those without a centralized software deployment system).
After exhausting 'low-tech' resources, there 'are' third-party vendor solutions that provide 'remote group policy' solutions.
Jerry Cruz | Group Policies Product Manager | Windows Server and Infrastructure Architecture
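Jerry's "local Administrator password control system" can be sketched with nothing but built-in cmdlets: the Help Desk grants the break-glass account for a fixed window against a ticket number, the grant and the revocation are written to the event log (the audit trail he mentions), and a scheduled task rotates the password and disables the account again when the window ends even if the laptop is still at home and unreachable. This is an added example written for this thread, not code from any of the posters or from the article Jerry links; the account name, the event source name and the ticket format are assumptions, and it expects Windows PowerShell 5.1 run elevated.

```powershell
# Added example: time-boxed break-glass local admin with an event-log audit trail.
# Save as LocalAdminControl.ps1 and run elevated. Assumes Windows PowerShell 5.1.
param(
    [string]$Ticket,          # Help Desk ticket the grant is recorded against
    [int]$Hours = 2,          # length of the access window
    [switch]$Revoke           # used by the scheduled task at expiry
)

$BreakGlassAccount = 'Administrator'      # placeholder: your (renamed) built-in admin
$EventSource       = 'LocalAdminControl'  # hypothetical event source name

function New-RandomPassword {
    param([int]$Length = 20)
    # Alphabet without look-alikes so it can be read out over the phone.
    $chars = [char[]]'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz23456789!@#$%^&*'
    $bytes = New-Object byte[] $Length
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    -join ($bytes | ForEach-Object { $chars[$_ % $chars.Length] })
}

function Write-AuditEvent {
    param([int]$Id, [string]$Message)
    if (-not [System.Diagnostics.EventLog]::SourceExists($EventSource)) {
        New-EventLog -LogName Application -Source $EventSource
    }
    Write-EventLog -LogName Application -Source $EventSource -EventId $Id `
                   -EntryType Information -Message $Message
}

function Revoke-LocalAdminAccess {
    # Rotate to a password nobody is told, then disable the account.
    $unknown = ConvertTo-SecureString (New-RandomPassword) -AsPlainText -Force
    Set-LocalUser -Name $BreakGlassAccount -Password $unknown
    Disable-LocalUser -Name $BreakGlassAccount
    Write-AuditEvent -Id 1002 -Message "Break-glass account '$BreakGlassAccount' disabled and password rotated."
}

function Grant-LocalAdminAccess {
    param([Parameter(Mandatory)][string]$Ticket, [int]$Hours)
    $plain = New-RandomPassword
    Set-LocalUser -Name $BreakGlassAccount -Password (ConvertTo-SecureString $plain -AsPlainText -Force)
    Enable-LocalUser -Name $BreakGlassAccount
    $expires = (Get-Date).AddHours($Hours)
    Write-AuditEvent -Id 1001 -Message "Break-glass access granted under ticket $Ticket until $expires."

    # Local scheduled task running as SYSTEM calls this script with -Revoke at
    # expiry, so the window closes even if the laptop never comes back on VPN.
    $args    = "-NoProfile -ExecutionPolicy Bypass -File `"$PSCommandPath`" -Revoke"
    $action  = New-ScheduledTaskAction -Execute 'powershell.exe' -Argument $args
    $trigger = New-ScheduledTaskTrigger -Once -At $expires
    Register-ScheduledTask -TaskName "RevokeLocalAdmin-$Ticket" -Action $action `
        -Trigger $trigger -User 'SYSTEM' -RunLevel Highest -Force | Out-Null

    # Returned to the Help Desk operator to read to the caller; it is never written to disk.
    return $plain
}

if ($Revoke)      { Revoke-LocalAdminAccess }
elseif ($Ticket)  { Grant-LocalAdminAccess -Ticket $Ticket -Hours $Hours }
else              { Write-Host 'Usage: LocalAdminControl.ps1 -Ticket HD-12345 [-Hours 2] | -Revoke' }
```

Invoked as `.\LocalAdminControl.ps1 -Ticket HD-12345 -Hours 2` (over a remote session, or by the user running a signed copy the Help Desk walks them through), it gives you the three things Jerry lists: the user gets admin only for the window, the Application log carries events 1001/1002 with the ticket number for later review, and the account ends up disabled with a password nobody knows. The revocation is deliberately local rather than remote, since a laptop at home may not be reachable when the window expires.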
| | | |
| mike.elliottuk
Posts:38
 | | 04/07/2010 10:41 PM |
| This is a subject I've spent a lot of time on. Whichever way you approach this, it boils down to the same conclusion: you either allow users to do tasks or you don't. The OS capabilities will determine the things that can be allowed in a granular fashion in isolation from other configuration items, but I see little point in restricting a task in one location but not another.
In our organisation we are approaching this in a different way, we are choosing what we really need to manage and what we should or can leave to the users. We properly assess the real level of risk for each area and then decide accordingly but with an emphasis on enabling the user to work productively and to provide them with flexibility and choice wherever possible.
You may decide at some point that you have two separate needs: a machine that is open and allows software installation and user configuration, and also a machine that needs secure and stable installation images. That's when solutions like virtual machines, virtual applications and the likes of Citrix can help.
Mike
| | | |