# Solved: Group Policy on Server 2003 DC check appreciated



## 5ndr5 (May 25, 2010)

Hi Guys,

I've just started at a school and I was wondering if someone could have a look at our default domain policy. I've inherited a mess, tbh, so if there are any obvious issues please let me know.

Thanks


----------



## 5ndr5 (May 25, 2010)

Anyone ?

Would really appreciate some input.

Thanks


----------



## digitalsatori (Apr 28, 2010)

Hey there; didn't have much time to parse through everything but it seems to look okay. I will preface this by saying these are only my suggestions; I don't know your environment or situation. There may have been a good reason for the settings being listed as they are.

First, I would recommend exporting these settings out of your Default Domain Policy and into a separate GPO at the top of your OU. While this may not seem very relevant on your network, the Default Domain Policy is *always* applied, so placing too many policies in it can cause some major headaches if something is misconfigured or the policy fails.

I would also suggest creating another OU to "reverse" the policy. Don't allow the OU to block inheritance; instead adjust the policy to enable features that are disabled normally. This way, if you have a machine that you need access to and something in the policy prevents it, you can move the computer/user account to this OU and "unlock" them to allow access.

For the specifics of your policy:



> Event Log:
> Retain application log 7 days
> Retain security log 7 days
> Retain system log 7 days


You may want to change this to "Overwrite as needed"; just in case you need to look at errors and events past the last 7 days.



> Restricted Groups:
> Teaching BUILTIN\Administrators


You should add an administrative account to your "Restricted Groups" BUILTIN\Administrators; otherwise you will need to be in the Teachers group to gain administrative access to the client machines.



> Network/Network Connections/Windows Firewall/Domain Profile
> Windows Firewall: Allow file and printer sharing exception - Enabled
> Allow unsolicited incoming messages from: "*"


Do you have an external firewall on your network? If not, you may want to reconsider your Windows Firewall settings - from what I can tell, the exceptions on your Windows Firewall are wide open.



> System/Logon:
> Always wait for the network at computer startup and logon - Enabled


I would disable this; your computers won't start up at all if they can't contact your DC. That may be an issue if you change your DC or in the event of an emergency or disaster where the PC cannot talk to the DC.



> System/Ctrl_Alt_Del Option
> Remove Change Password - Enabled


You don't want your users to change their own passwords from the Ctrl+Alt+Del Menu?



> Windows Components/Internet Explorer/Internet Control Panel/Advanced
> Empty Temporary Internet Files folder when browser is closed - Enabled


Do you have an alternate method of keeping a history log? I'm not sure of the laws in your state, but many public schools are legally obligated to keep logs in case someone is looking at porn or illegal activity on the school network.


----------
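The review above walks through a Default Domain Policy setting by setting. The script below is an added example, not code from either poster: run on a domain-joined XP/2003 client in an elevated PowerShell, it reads back the registry values those Group Policy settings actually write (event log retention, the Domain Profile firewall policy, the Winlogon and Ctrl+Alt+Del options, and who ended up in the local Administrators group via Restricted Groups), so you can confirm what is in force rather than what the GPO editor shows. The function names, the wide-open scope check and the "LocalSubnet" suggestion in the warnings are the example's own; the registry paths are the documented policy locations.

```powershell
# Added example (not from the original thread). Reads back, on a client, the values
# that the policy settings discussed in the post set. Assumes a domain-joined client
# (so the Domain Profile applies) and an elevated prompt; PowerShell v2 is enough.

function Get-RegValue {
    param([string]$Path, [string]$Name)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($item -eq $null) { return $null }
    return $item.$Name
}

# Event log: Retention is stored in seconds. 0 = overwrite as needed,
# 0xFFFFFFFF = never overwrite (surfaces as -1 because REG_DWORD is read as Int32),
# anything else = overwrite only events older than N seconds ("Retain log N days").
function Get-EventLogRetention {
    foreach ($log in 'Application', 'Security', 'System') {
        $key = "HKLM:\SYSTEM\CurrentControlSet\Services\Eventlog\$log"
        $ret = Get-RegValue $key 'Retention'
        if ($ret -eq $null)                          { $mode = 'not set (default: overwrite as needed)' }
        elseif ($ret -eq 0)                          { $mode = 'overwrite as needed' }
        elseif ($ret -eq -1 -or $ret -eq 4294967295) { $mode = 'never overwrite (clear manually)' }
        else { $mode = 'overwrite events older than {0} days' -f [int]($ret / 86400) }
        New-Object PSObject -Property @{
            Log = $log; Retention = $mode; MaxSizeBytes = (Get-RegValue $key 'MaxSize')
        }
    }
}

# Windows Firewall, Domain Profile, as pushed by policy. Each GloballyOpenPorts
# entry is "port:protocol:scope:status:name"; a scope of "*" means any remote address.
function Get-FirewallDomainPolicy {
    $base  = 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile'
    $ports = @()
    $list  = Get-Item "$base\GloballyOpenPorts\List" -ErrorAction SilentlyContinue
    if ($list) { $ports = @($list.GetValueNames() | ForEach-Object { $list.GetValue($_) }) }
    New-Object PSObject -Property @{
        EnableFirewall      = Get-RegValue $base 'EnableFirewall'
        FileAndPrintEnabled = Get-RegValue "$base\Services\FileAndPrint" 'Enabled'
        FileAndPrintScope   = Get-RegValue "$base\Services\FileAndPrint" 'RemoteAddresses'
        OpenPorts           = $ports
    }
}

# Winlogon: SyncForegroundPolicy = 1 is "Always wait for the network at computer
# startup and logon". DisableChangePassword is per-user (current user's hive);
# DisableCAD is the machine-wide "do not require Ctrl+Alt+Del" switch.
function Get-LogonPolicy {
    New-Object PSObject -Property @{
        WaitForNetwork        = Get-RegValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\CurrentVersion\Winlogon' 'SyncForegroundPolicy'
        DisableChangePassword = Get-RegValue 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System' 'DisableChangePassword'
        DisableCAD            = Get-RegValue 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' 'DisableCAD'
    }
}

# Restricted Groups result: who actually sits in local Administrators after policy applied.
function Get-LocalAdministrators {
    $group = [ADSI]"WinNT://$env:COMPUTERNAME/Administrators,group"
    foreach ($m in @($group.Invoke('Members'))) {
        # ADsPath looks like WinNT://DOMAIN/Teaching; drop the scheme for readability
        $m.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $m, $null) -replace '^WinNT://', ''
    }
}

function Show-PolicyAudit {
    Get-EventLogRetention | Format-Table Log, Retention, MaxSizeBytes -AutoSize
    $fw = Get-FirewallDomainPolicy
    $fw | Format-List EnableFirewall, FileAndPrintEnabled, FileAndPrintScope, OpenPorts
    if ($fw.FileAndPrintScope -eq '*') {
        Write-Warning 'File and Printer Sharing exception accepts any remote address; scope it (e.g. LocalSubnet)'
    }
    foreach ($p in $fw.OpenPorts) {
        if ($p -match '^[^:]+:[^:]+:\*:') { Write-Warning "Port exception '$p' accepts any remote address" }
    }
    Get-LogonPolicy | Format-List WaitForNetwork, DisableChangePassword, DisableCAD
    Write-Host 'Local Administrators:'
    Get-LocalAdministrators
}

Show-PolicyAudit
```

Compare the output with `gpresult /v` on the same client: a value present in the policy key but missing from gpresult means something else (a script, a local edit) wrote it, which is exactly the kind of inherited surprise the post is about.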



## 5ndr5 (May 25, 2010)

digitalsatori, thanks for the reply, just to let you know:

Event Log - fair point, will have a look at this

Restricted Groups - that's the point, all teaching staff are in the "Teaching" group, and they NEED local admin (unfortunately). I use a domain admin account so I'm OK.

Network/Network Connections - we DO have an external firewall (managed by the county council); if I turn the Windows Firewall on, all hell breaks loose!! I know it's not ideal, but I need to narrow down the exceptions I need first before I turn this on!!

System/Logon - this is done because if there IS a network issue in part of the school, we need to know BEFORE the pupils/teachers log on; otherwise they will log on fine thinking all is OK, then go to save to their network drive or print and get a problem, and it then becomes "URGENT"!!

System/Ctrl_Alt_Del Option - we lock the PCs down quite a bit, including no Ctrl+Alt+Del at all! So this is irrelevant, tbh.

Windows Components/Internet Explorer - the county council log ALL internet traffic through their proxy, so we don't have to worry.

Thanks for your comments.


----------
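The reply above says the firewall cannot be switched on until the needed exceptions are known. The following is an added example, not code from anyone in the thread, of how to derive that list: it inventories what is actually listening on a client with `netstat -ano`, maps each listener to its process, and emits the same exceptions in two forms, the wide-open `*` scope the thread's GPO currently uses and a `LocalSubnet` scope, both in the `GloballyOpenPorts\List` format the Domain Profile policy key uses, plus `netsh firewall` commands to trial the scoped set on one machine before committing it to the GPO. The function names and the choice of `LocalSubnet` as the scope are assumptions of the example; the netstat columns, the policy value format and the netsh syntax are those of XP SP2 / Server 2003 SP1.

```powershell
# Added example (not from the original thread). Inventory listening ports on a
# client and turn them into scoped Windows Firewall exceptions for the GPO.
# Assumptions: XP/2003 "netstat -ano" column layout; a school LAN where
# 'LocalSubnet' is the right scope (use an explicit address list otherwise).

function Get-ListeningEndpoints {
    param([string[]]$NetstatLines = (netstat -ano))
    $procs = @{}
    Get-Process | ForEach-Object { $procs[[int]$_.Id] = $_.ProcessName }
    foreach ($line in $NetstatLines) {
        # TCP: "  TCP    0.0.0.0:3389    0.0.0.0:0    LISTENING    1234"
        # UDP: "  UDP    0.0.0.0:137     *:*                       4"
        if ($line -match '^\s*(TCP)\s+(\S+):(\d+)\s+\S+\s+LISTENING\s+(\d+)\s*$') {
            $proto, $addr, $port, $owner = $matches[1], $matches[2], $matches[3], [int]$matches[4]
        } elseif ($line -match '^\s*(UDP)\s+(\S+):(\d+)\s+\*:\*\s+(\d+)\s*$') {
            $proto, $addr, $port, $owner = $matches[1], $matches[2], $matches[3], [int]$matches[4]
        } else { continue }
        if ($addr -eq '127.0.0.1') { continue }   # loopback-only listeners need no exception
        New-Object PSObject -Property @{
            Protocol = $proto; Port = [int]$port; Address = $addr
            OwnerPID = $owner; Process  = $procs[$owner]
        }
    }
}

# GloballyOpenPorts\List entries for HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile:
#   value name "port:protocol", data "port:protocol:scope:Enabled:name".
# Scope '*' is the wide-open form; 'LocalSubnet' keeps the exception on the LAN.
function New-FirewallExceptionEntries {
    param([object[]]$Endpoints, [string]$Scope = 'LocalSubnet')
    # 137/138 UDP and 139/445 TCP belong to the File and Printer Sharing exception; skip them
    $fileAndPrint = @(137, 138, 139, 445)
    $Endpoints | Where-Object { $fileAndPrint -notcontains $_.Port } |
        Sort-Object Protocol, Port -Unique | ForEach-Object {
            New-Object PSObject -Property @{
                Name = ('{0}:{1}' -f $_.Port, $_.Protocol)
                Data = ('{0}:{1}:{2}:Enabled:{3}' -f $_.Port, $_.Protocol, $Scope, $_.Process)
            }
        }
}

# Equivalent "netsh firewall" commands to trial the scoped exceptions on one client.
# scope=SUBNET is the netsh spelling of the policy's LocalSubnet.
function Get-NetshCommands {
    param([object[]]$Endpoints)
    'netsh firewall set service type=FILEANDPRINT mode=ENABLE scope=SUBNET profile=DOMAIN'
    New-FirewallExceptionEntries $Endpoints | ForEach-Object {
        $port, $proto = $_.Name -split ':'
        $name = ($_.Data -split ':')[4]
        'netsh firewall add portopening protocol={0} port={1} name="{2}" mode=ENABLE scope=SUBNET profile=DOMAIN' -f $proto, $port, $name
    }
    'netsh firewall set opmode mode=ENABLE profile=DOMAIN'
}

$endpoints = @(Get-ListeningEndpoints)
'--- Listening endpoints on this client:'
$endpoints | Format-Table Protocol, Port, Address, OwnerPID, Process -AutoSize
'--- Wide-open form (what a "*" scope in the GPO means):'
New-FirewallExceptionEntries $endpoints -Scope '*' | Format-Table Name, Data -AutoSize
'--- Scoped form for Computer Configuration > ... > Windows Firewall > Domain Profile > Define port exceptions:'
New-FirewallExceptionEntries $endpoints | Format-Table Name, Data -AutoSize
'--- netsh trial commands for one client:'
Get-NetshCommands $endpoints
```

Run it on a sample of each machine type (staff PC, pupil PC, anything with a printer or classroom-management agent) and union the results; a listener that only shows up on one build is usually the one that "breaks everything" when the firewall comes on. Exceptions that need to reach beyond the LAN (the council proxy, a remote management server) are the place to use an explicit address list rather than `*`.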



## digitalsatori (Apr 28, 2010)

Hi there,

If you have an external firewall, why not just disable the Windows Firewall altogether? The way you have your GPOs set up, the Windows Firewall is running (and using CPU/memory) but is wide open and allowing all traffic to pass. You can disable the Windows Firewall and save yourself the CPU cycles and memory.


----------



## 5ndr5 (May 25, 2010)

digitalsatori said:


> Hi there,
> 
> If you have an external firewall, why not just disable the Windows Firewall altogether? The way you have your GPOs set up, the Windows Firewall is running (and using CPU/memory) but is wide open and allowing all traffic to pass. You can disable the Windows Firewall and save yourself the CPU cycles and memory.


That's a fair point, will make this change and see if it helps, thanks.


----------

