
GPO for Laptops



Hi,

I'm setting up a Windows 2003 server as a Domain Controller, with mostly company-provided laptops as client workstations. The users carry the laptops with them when they're out of the office. We also have a few workstations. I need some suggestions on how to configure GPOs/other settings for laptops. Are there any GPO templates available for laptops? Is it recommended that we have separate GPOs for laptops and workstations?

Are roaming profiles recommended for laptops? One and only one person uses the laptop given to him by the company.



Don't use roaming profiles on the laptops.

I have users who have laptops (primary workstation) but also need to log on to various workstations. I configured their accounts to use roaming profiles, but on the laptops I enabled "Prevent Roaming Profile changes from propagating to the server" and "Only allow local user profiles" in the local group policy. This way they have a single account/password to log on and get a roaming profile on all the workstations, but they have a local profile on the laptop.

There are a lot of issues with roaming profiles, as everything in the user's profile has to be copied from the server to the workstation when the user logs on and then copied back when they log off. This can take some time if the user has a lot of information in their profile, and there is always the risk of the user's profile getting corrupt. If you decide to go with roaming profiles for the workstations, you should redirect the user's "My Documents" folder to the server. If you are using Outlook and PST files, these should also be stored on the server and not in the user's profile. You can limit the size of a user's roaming profile using "Limit profile size" in the local group policy and prevent specific files from being uploaded back to the server using "Exclude directories in roaming profile" (exclude the Temp, Temporary Internet Folders). Also teach your users how to put files on the server and create a link on their desktop.

As for group policies, at a minimum I would use one for the desktops and one for the laptops.


I would like to know if there're any particular GPOs I should configure for laptops? Are there any preset GPO templates for laptops? Should I have a different set of GPOs for laptops and desktops?

Any help, suggestions would be appreciated.

Thanks....


Roaming profiles are OK for laptop users, but you need to make sure you keep at least 2 or 3 cached copies of the profiles on those laptops if laptop users are going to have functionality off of the domain. As to specific GPOs, there really aren't any that would be specific to laptops, unless you write custom ADM templates to set something specific for laptop users.

In short, no, there aren't any "laptop-specific" GPO settings you need to be aware of, unless you've generated your own ADM templates. As to the profile issue, I do suggest roaming profiles if users migrate to multiple machines during their workday or workweek, but if users generally have a single workstation, local profiles are generally better-suited. If remote storage of files is required in this case, redirecting shell folders is a decent way to make this happen. I'm not really a big fan of that, though, and it can be a real problem for laptop users unless done just right.


Personally, I like to set up two GPOs, one for laptops and one for desktops.

For the laptops one, I tend to have stricter settings for the firewall, enable useful things like the Wireless Zero Configuration service, etc., whereas with the desktops I disable the firewall, wireless internet, etc.


Personally, I like to set up two GPOs, one for laptops and one for desktops.

For the laptops one, I tend to have stricter settings for the firewall, enable useful things like the Wireless Zero Configuration service, etc., whereas with the desktops I disable the firewall, wireless internet, etc.

Hi Colonel,

Could you elaborate some more on this, please... thanks


I would like to know if there're any particular GPOs I should configure for laptops? Are there any preset GPO templates for laptops? Should I have a different set of GPOs for laptops and desktops?

Firstly - if you are deploying/publishing software packages via GPO - you might well want a different policy for laptops. For example - an app which requires always-on connectivity to your server might not be appropriate for laptops. More likely - there are specific apps you want to have installed on laptops, but not on desktops. Third-party VPN clients, for example.

The other thing you need to bear in mind with laptop policies is that laptops move AD sites, whereas desktops (broadly speaking) don't.

Anything which points to a specific server at a specific site might be worth changing for laptops, so maybe it looks for a DFS share?

If laptops are to be used in other networks that you don't control - proxy settings delivered by GPO might not be appropriate for them.

Although I always tend to have a high level of auditing on any workstation, auditing is especially important on laptops. If one comes to you with a problem, you want to be able to see who's been logging on and with which privs. Some users are sneaky - they get admin on their machines, mess them up a bit, remove themselves from the admins group and claim to the helpdesk that it "just went like that by itself". Hmmm.... sure. It installed Office 2007 Beta 2 all by itself, did it? Let me see.... there's logon events here showing you logging on with various admin privs....
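
The audit review described in the post above, as an added example that is not part of the original thread: it pairs "added to local Administrators" with "removed from local Administrators" events for the same account and counts that account's privileged logons in between. The function names, sample SIDs and timestamps are constructed for illustration; the event IDs are the standard Windows Security log IDs.

```powershell
# Added example, not from the thread. Event IDs: 4732/4733 = member added to /
# removed from a local security group (636/637 on Server 2003 and XP);
# 4672 = special privileges assigned to a new logon (576 on Server 2003 and XP).
$AddIds = 4732, 636; $RemoveIds = 4733, 637; $PrivIds = 4672, 576
$AdminsSid = 'S-1-5-32-544'   # well-known SID of BUILTIN\Administrators

function ConvertFrom-SecurityEvent {
    # Maps a Get-WinEvent record (Vista and later) to Time/Id/Member/Actor/Group
    # using the named EventData fields of these events. Hypothetical helper.
    param([Parameter(ValueFromPipeline)]$Record)
    process {
        $d = @{}
        foreach ($n in ([xml]$Record.ToXml()).Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        $member = if ($d.MemberSid) { $d.MemberSid } else { $d.SubjectUserSid }
        [pscustomobject]@{ Time = $Record.TimeCreated; Id = $Record.Id; Member = $member
                           Actor = $d.SubjectUserSid; Group = $d.TargetSid }
    }
}

function Find-TransientAdmin {
    # One finding per add -> remove pair on the Administrators group, with the
    # count of privileged logons by that account while it was a member.
    param([object[]]$Events, [string]$Group = $AdminsSid)
    $open = @{}   # member SID -> the "added" event still waiting for a removal
    foreach ($e in $Events | Sort-Object Time) {
        if ($e.Group -ne $Group) { continue }
        if ($e.Id -in $AddIds) { $open[$e.Member] = $e }
        elseif ($e.Id -in $RemoveIds -and $open.ContainsKey($e.Member)) {
            $add = $open[$e.Member]; $open.Remove($e.Member)
            $logons = @($Events | Where-Object { $_.Id -in $PrivIds -and
                $_.Member -eq $e.Member -and $_.Time -ge $add.Time -and $_.Time -le $e.Time })
            [pscustomobject]@{ Member = $e.Member; AddedBy = $add.Actor; Added = $add.Time
                               RemovedBy = $e.Actor; Removed = $e.Time; PrivilegedLogons = $logons.Count }
        }
    }
}

# Constructed sample records (SIDs and times are made up for illustration).
$u = 'S-1-5-21-1111111111-2222222222-3333333333-1105'   # the laptop user
$a = 'S-1-5-21-1111111111-2222222222-3333333333-500'    # account that granted admin
$t = [datetime]'2006-06-01T09:00:00'
$sample = @(
    [pscustomobject]@{ Time = $t;                Id = 4732; Member = $u; Actor = $a; Group = $AdminsSid }
    [pscustomobject]@{ Time = $t.AddMinutes(3);  Id = 4672; Member = $u; Actor = $u; Group = $null }
    [pscustomobject]@{ Time = $t.AddMinutes(40); Id = 4733; Member = $u; Actor = $u; Group = $AdminsSid }
)
Find-TransientAdmin -Events $sample   # one finding: removed by the user, 1 privileged logon
```

To run it against a live machine, feed `Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4732, 4733, 4672 } | ConvertFrom-SecurityEvent` into `Find-TransientAdmin` from an elevated prompt; the events only exist if account-management and logon auditing are enabled in the laptop policy.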
