Hello Andrew,
Thanks for your post and Cliff's input.
In addition, regarding how to configure Windows SBS Group Policy Objects, below I quote from the "Configuring Windows Small Business Server 2008 - Training Kit" book, just for your reference:
"Straight out of the box, Windows Small Business Server is configured with a set of preconfigured Group Policy objects (GPOs), defined especially for the server running Windows SBS 2008 and its network clients. When you join a client computer to the Windows SBS 2008 domain, Group Policy settings are applied to the computer and user account used to log on to the domain.
Working with Group Policy can be challenging at times, but understanding the preconfigured settings of Group Policy in Windows SBS 2008 can take the guesswork out of system administration. Before joining any clients to the new domain, you should review (and modify, if needed) all group policies to avoid any inconsistencies and ensure that all standards are met. Following is a list of all default GPOs that are preconfigured in Windows SBS 2008:
o Default Domain Controllers Policy: This policy is not specific to Windows Small Business Server, but is a typical Group Policy found on all servers that are Active Directory domain controllers. Settings in this policy apply to domain controllers only and govern security such as access to the domain controller and other local policies. This policy is linked to the Domain Controllers organizational unit (OU) and applies to the Authenticated Users group.
o Default Domain Policy: This policy is not specific to Windows Small Business Server, but is a typical Group Policy found on all servers that are Active Directory domain controllers. The Default Domain Policy contains enabled computer configuration settings for password policy, network access, network security options, Encrypting File System file recovery, and trusted root certification authorities. This policy is linked to the domain and applies to the Authenticated Users group.
o Small Business Server Folder Redirection Policy: This is a preconfigured Windows Small Business Server policy that governs folder redirection options and settings. This policy is linked to the SBS Users OU and applies to the Windows SBS Folder Redirection Accounts group. See the section titled "Configure Folder Redirection" earlier in this chapter for more details about working with this Group Policy.
o Update Services Client Computers Policy: This is a preconfigured Windows Small Business Server policy that governs Windows Server Update Services and the configuration for automatic updates. It is applied to client computers. This policy is linked to the domain and applies to all domain-joined client computers. See Chapter 4, "Maintaining Systems and Services Availability," for more information.
o Update Services Common Settings Policy: This is a preconfigured Windows Small Business Server policy that governs Windows Server Update Services common settings such as the intranet update server, restart and wait periods, and notifications. This policy is linked to the domain and applies to the Authenticated Users group.
o Update Services Server Computers Policy: This is a preconfigured Windows Small Business Server policy that governs Windows Server Update Services and the configuration for automatic updates. This policy is linked to the domain and applies to all servers including member servers. See Chapter 4 for more information.
o Windows SBS Client - Windows Vista Policy: This is a preconfigured Windows Small Business Server policy that governs Windows Firewall With Advanced Security inbound and outbound rule settings specific to client computers that run Windows Vista. This policy is linked to the SBS Computers OU and applies to the Authenticated Users group. The Windows SBS Client - Windows Vista WMI filter is linked to this policy and filters client computers based on operating system version number.
o Windows SBS Client - Windows XP Policy: This is a preconfigured Windows Small Business Server policy that governs firewall settings specific to client computers running Windows XP such as allowing inbound file and printer sharing and remote administration exceptions. This policy is linked to the SBS Computers OU and applies to the Authenticated Users group. The Windows SBS Client - Windows XP WMI filter is linked to this policy and filters client computers based on operating system version number.
o Windows SBS Client Policy: This is a preconfigured Windows Small Business Server policy that governs firewall settings that apply to all domain-joined client computers, such as Remote Assistance, Security Center, Terminal Services connections, and client-side extension settings. This policy is linked to the SBS Computers OU and applies to the Authenticated Users group.
o Windows SBS CSE Policy: This is a preconfigured Windows Small Business Server policy that is applied to authenticated users who run Startup Scripts and install client agents on domain-joined client computers. This policy is linked to the Windows SBS Client WMI filter, which queries for Windows 2000, Windows XP, and Windows 2003.
o Windows SBS User Policy: This is a preconfigured Windows Small Business Server Policy configuring URLs, Favorites and Internet Explorer components, and Client Side Extensions. This policy is linked to the domain and to the Windows SBS Client WMI filter which queries for Windows 2000, XP and 2003 clients.
To review the detailed settings of each individual Group Policy in the preceding list, click Start, point to Administrative Tools, and click Group Policy Management. Under the Group Policy Management node, expand Forest: <DomainName>.local, expand Domains, expand <DomainName>.local, expand Group Policy Objects, and click the policy that you want to review. Click the Settings tab in the right pane to generate a report that displays the computer and user configuration settings. Click the Scope tab to display whether the GPO is linked to a site, domain, or OU, as well as the security filtering that indicates to which groups, user accounts, or computers the GPO is applied. In this tab, you can also see which WMI filter the GPO is linked to, if a WMI filter is used.
Best Practice: Modifying a Group Policy
Instead of modifying an existing policy, even if you change only a few settings, it is better to create a new policy with a descriptive name. This can help you stay organized and help manage policies in case you need to troubleshoot them. If you decide to edit an existing policy, it is a good measure to back up the policy prior to making changes.
Group Policy Processing and Precedence
If you explore each Group Policy object and observe the Scope tab, you will notice that some policies are linked to the domain whereas others are linked to specific organizational units. To ensure that policies are always applied to the client computer in the correct sequence, Group Policy settings are processed in a specific order. This is the processing order:
1. Local Group Policy: Local policies apply first and have weaker precedence than all GPOs linked in Active Directory.
2. Site: Policies linked to the site are processed next. If these settings conflict with the Local Group Policy, the policies linked to the site override Local Group Policy.
3. Domain: Policies linked to the domain are processed next. If these settings conflict with policies linked to the site, policies linked to the domain override policies linked to the site.
4. Organizational Unit: Policies linked to the OU are processed next. If these settings conflict with the policies linked to the domain, policies linked to the OU override policies linked to the domain.
Although policies are processed in this order, this doesn't mean that the GPOs applied to a user account or computer account all have the same precedence. Settings that are applied later can override settings that were applied earlier. This processing order (Local Group Policy processed first, and policies linked to the OU processed last) means that the last policies applied overwrite settings applied from earlier policies if there are any conflicts. If there are no conflicts, the settings just aggregate."
For more information, check the below "Configuring Windows Small Business Server 2008 -Training Kit" book:
WindowsSBS2008_6-2678-2_prePress.pdf
https://partner.microsoft.com/download/global/40109628
Hope this helps.
Best regards,
Robbin Meng(MSFT)
Microsoft Online Newsgroup Support
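The processing order quoted above (Local, Site, Domain, OU, with later settings overriding earlier ones and non-conflicting settings aggregating), as an added example that is not part of the original post or the book: a small resultant-set calculator that also reports which GPO supplied each value. The setting names and values are constructed, the security-filter and WMI-filter checks are simplified assumptions, and Enforced links and Block Inheritance are not modelled.

```python
from dataclasses import dataclass, field
from typing import Optional

# Processing order from the quoted text: Local -> Site -> Domain -> OU.
ORDER = {"local": 0, "site": 1, "domain": 2, "ou": 3}

@dataclass
class GPO:
    name: str
    level: str                       # one of ORDER's keys
    settings: dict
    # Security filtering: groups the GPO applies to (simplified model).
    groups: set = field(default_factory=lambda: {"Authenticated Users"})
    wmi_os: Optional[set] = None     # None means no WMI filter is linked

def resultant_set(gpos, member_of, os_name):
    """Return {setting: (value, winning GPO name)} for one client."""
    applicable = [
        g for g in gpos
        if g.groups & member_of                          # security filtering
        and (g.wmi_os is None or os_name in g.wmi_os)    # WMI filter
    ]
    result = {}
    # sorted() is stable, so GPOs at the same level keep their list order.
    for g in sorted(applicable, key=lambda g: ORDER[g.level]):
        for key, value in g.settings.items():
            result[key] = (value, g.name)   # later level overwrites earlier
    return result

# Constructed sample data: GPO names come from the list above,
# the settings and their values are hypothetical.
SAMPLE_GPOS = [
    GPO("Windows SBS Client - Windows XP Policy", "ou",
        {"firewall.file_print_sharing": "allow"}, wmi_os={"Windows XP"}),
    GPO("Windows SBS Client Policy", "ou",
        {"firewall.remote_assistance": "allow", "screensaver.timeout": 600}),
    GPO("Default Domain Policy", "domain",
        {"password.min_length": 8, "screensaver.timeout": 900}),
    GPO("Local Group Policy", "local",
        {"password.min_length": 0, "audit.logon": "success"}),
]

if __name__ == "__main__":
    rsop = resultant_set(SAMPLE_GPOS, {"Authenticated Users"}, "Windows Vista")
    for key, (value, source) in sorted(rsop.items()):
        print(f"{key:30} = {value!r:10} <- {source}")
```
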