
Which Win2k Server group policy template is best for a small business?

On Windows 2000 Server there are different group policy templates. Which is a good one for a small business of about 10-15 users (for the workstations and server)?
The appropriate security template has far less to do with the size of your organization than it does with the applications you're running (whether they're Windows 2000 certified or not) and what your overall security policies are. Below you'll find information about the different levels of security in the templates, taken from Predefined security templates. Whatever template you choose to implement, make sure that you test it thoroughly before implementing it in a production environment.

Windows 2000 security templates were designed to cover five common requirements for security:

  • Basic (basic*.inf). The basic configuration applies the Windows 2000 default security settings to all security areas except those pertaining to user rights. This is most useful in overwriting the higher security levels present in the other templates.
  • Compatible (compat*.inf). The default Windows 2000 security configuration gives members of the local Users group strict security settings, while members of the local Power Users group have security settings that are compatible with Windows NT 4.0 user assignments. This default configuration enables certified Windows 2000 applications to run in the standard Windows environment for Users, while still allowing applications that are not certified for Windows 2000 to run successfully under the less secure Power Users configuration.
  • Secure (secure*.inf). The secure templates implement recommended security settings for all security areas except files, folders and registry keys. These are not modified because file system and registry permissions are configured securely by default.
  • Highly secure (hisec*.inf). The highly secure templates define security settings for Windows 2000 network communications. The security areas are set to require maximum protection for network traffic and protocols used between computers running Windows 2000. As a result, computers configured with a highly secure template can only communicate with other Windows 2000 computers. They will not be able to communicate with computers running Windows 95/98 or Windows NT.
  • Dedicated domain controller (dedica*.inf). Local user security on domain controllers running Windows 2000 is not ideally secure by default. This enables an administrator to run existing server-based applications on domain controllers (not recommended) in a backwards-compatible fashion. If you do not run server-based applications on domain controllers (recommended), the default file system and registry permissions for the local users group can be defined in the same ideal fashion as that defined by default for Windows 2000 workstations and standalone servers. By implementing a dedicated security template, these ideal security settings for local users on Windows 2000 domain controllers are applied.
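
As part of testing a template before it reaches production, it helps to list exactly which settings it would change relative to the one currently in use. The following is an added example, not part of the original answer: it diffs two template excerpts setting by setting. Both excerpts and their values are constructed samples, not the contents of any shipped template.

```python
# Added example: diff two security template (.inf) excerpts setting by setting.
# BASELINE and CANDIDATE are constructed samples, not any shipped template.
BASELINE = """\
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordLength = 0
PasswordComplexity = 0
LockoutBadCount = 0
[Event Audit]
AuditLogonEvents = 0
"""

CANDIDATE = """\
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordLength = 8
PasswordComplexity = 1
LockoutBadCount = 5
[Event Audit]
AuditLogonEvents = 3
AuditPolicyChange = 3
"""

def parse_template(text):
    """Return {(section, key): value} for the key=value lines of a template."""
    settings, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):      # skip blanks and comments
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip()
        elif "=" in line and section is not None:
            key, value = line.split("=", 1)
            settings[(section, key.strip())] = value.strip()
    return settings

def diff_templates(old_text, new_text):
    """List (section, key, old, new) per differing setting; None = not defined."""
    old, new = parse_template(old_text), parse_template(new_text)
    return [(*sk, old.get(sk), new.get(sk))
            for sk in sorted(set(old) | set(new))
            if old.get(sk) != new.get(sk)]

if __name__ == "__main__":
    for section, key, before, after in diff_templates(BASELINE, CANDIDATE):
        print(f"[{section}] {key}: {before} -> {after}")
```

Lines without an `=` (such as file or registry permission entries) are ignored by this parser, so the diff covers only key/value settings.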
