Forum Discussion
Beginner Question - Why is there a baseline for every version and type?
Thanks for your answer. Do you have any hints how to do a perfect rollout?
Do it all at once because some settings rely on each other?
I do not have a 100 percent dev/test/prod lab to test all settings for a week or two, so I need clearance that even if it breaks something, after I disable the GPO and perform a gpupdate /force and a restart, it is back to "normal" (the way it was before).
best regards
Stephan
StephanGee, in many cases you can roll back, but there are certain 'tattoo' settings that do not automatically roll back. Also, the security template settings do not roll back; they tattoo as well. Within GPMC you will see the icon is different for those settings that tattoo in GP (not security template). Take a look at the settings in the Security Compliance Toolkit area of the GPO and you should see them.
Every deployment is different, so it's hard to give blanket advice. We are working on an attempt at an article that describes many different options, but due to several factors I don't see it being completed till after the first of the year.
I will offer this: for client machines, I wouldn't expect you to have much of an issue, but I would be careful applying the server config to an up and running server, especially if it already has various roles on it, as you might run into an issue there where the security template will adjust user rights.
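Added example, not part of the thread and not Microsoft tooling: one way to see which security template settings stayed tattooed after a rollback is to export the local security policy with `secedit /export` before linking the baseline GPO and again after unlinking it, then diff the two files. The function names and file paths are assumptions, and the comparison only covers what secedit exports (account policy, security options, user rights), not Administrative Template settings.

```powershell
# Added example: function names and paths are hypothetical. Run elevated.

function Export-SecurityPolicy {
    param([Parameter(Mandatory)][string]$Path)
    # secedit writes the effective local security policy as an INF file
    secedit.exe /export /cfg $Path /quiet
    if ($LASTEXITCODE -ne 0) {
        throw "secedit export failed with exit code $LASTEXITCODE"
    }
}

function Read-PolicyInf {
    param([Parameter(Mandatory)][string]$Path)
    # Flatten the INF into "Section\Name" -> value pairs
    $settings = @{}
    $section  = ''
    foreach ($line in Get-Content -LiteralPath $Path) {
        $line = $line.Trim()
        if ($line -match '^\[(.+)\]$') { $section = $Matches[1]; continue }
        if ($line -match '^(.+?)\s*=\s*(.*)$') {
            $settings["$section\$($Matches[1])"] = $Matches[2]
        }
    }
    return $settings
}

function Compare-PolicySnapshot {
    param(
        [Parameter(Mandatory)][string]$Before,
        [Parameter(Mandatory)][string]$After
    )
    $b = Read-PolicyInf -Path $Before
    $a = Read-PolicyInf -Path $After
    $keys = @($b.Keys) + @($a.Keys) | Sort-Object -Unique
    foreach ($k in $keys) {
        # Any row returned here is a value the rollback did not restore
        if ($b[$k] -ne $a[$k]) {
            [pscustomobject]@{ Setting = $k; Before = $b[$k]; After = $a[$k] }
        }
    }
}

# Usage (constructed paths):
#   Export-SecurityPolicy -Path C:\Temp\before.inf   # before linking the GPO
#   ...link GPO, test, unlink, gpupdate /force, restart...
#   Export-SecurityPolicy -Path C:\Temp\after.inf
#   Compare-PolicySnapshot C:\Temp\before.inf C:\Temp\after.inf | Format-Table -AutoSize
```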
- StephanGee, Nov 30, 2020, Iron Contributor
My biggest concern is that I should apply them all at once(?) so that one setting does not collide with another.
E.g. the SMB signing is forced on the one side but "disabled" on the other.
- Rick_Munck, Dec 01, 2020, Microsoft
StephanGee, testing is really however your organization feels comfortable. If you have an existing baseline your company uses, then I would start with Policy Analyzer. This will help you identify where the different settings are. From there you need to make a risk-based determination on how you roll it out. I always recommend starting small and ensuring you don't break anything along the way.
- StephanGee, Dec 03, 2020, Iron Contributor
Hi Rick. Yes - the Policy Analyzer is a great tool.
I have 2-3 critical settings that were set a long time ago. But I copied the DC to a Devlab and will test a few things out.
I came across settings like "IP Source Routing" also. But these are not available for me in the GPO.
Is it really necessary to execute the localgpo.wsf /ConfigSCE, or is there just the admx somewhere that I can copy?