Re: GPO Management

Tech Tip: Click here to run a free scan for Windows Errors and optimize PC performance

Howdie!

Bad Beagle wrote:
This is just a question for best practices or suggestions from administrators with lots of GPO experience. Is there any pros/cons to creating individual GPOs or to creating single GPOs with a lot of settings? I started creating single GPOs to ease management of them - knowing exactly what each one does. But now that I am getting more and more GPOs I wonder if it is more efficient to have fewere GPOs with more settings or more GPOs with single settings. Any feedback is appreciated.

As I have not read any paper from Microsoft that does state any best practices on this topic, I'll give you information about how I handle Group Policies myself.

I first group users and machines into OUs as far as possible - for example I separate the notebooks from the servers and normal desktops, put workers from outside into different OUs than people within the building and so on. This helps me creating policies for the particular groups of machines and users without messing around with "Block inheritance" or NTFS rights. Try to create logical groups by thinking of the administration of the policies. The basic question is: how can you group your (user and computer) objects in AD in a way that lets you have less administrative effort with GPs?

I then put my policies into logical groups - for example "Office settings" or "Desktop Changes", "Security settings" with for example Windows Update settings, Firewall settings etc. The number of settings in a single GPO can be up to 999 if I remember right. But I try to keep the number as low as possible but as large as needed to keep a clear structure in this. The number of how many settings I have in a policy does vary. You might find the right balance yourself.

I do also use the Microsoft Group Policy Management Console which can create quick HTML reports of policies. By clicking the policy and creating the report you can easily see what settings a policy has activated. That makes GP administration a little easier...

cheers,

Florian
--
Nachwuschsadmin aus dem Süddeutschen/Germany.
eMail: Vorname [bei] frickelsoft [Punkt] net.
blog: http://www.frickelsoft.net/blog.
.

Relevant Pages

  • Re: At this point, Im wondering if GPOs even work?
    ... what is set in a policy does not bubble up into the user interface. ... Pop-up Blocker" box on one and checked it on the other. ... ensured no GPOs nor local policy were superseding my Test GPO ... Config (so why do these settings even exist in Computer Config if they ...
    (microsoft.public.windows.group_policy)
  • RE: Replaced DCs - GP issues
    ... all workstations are in the correct OUs with correct linked GPOs ... IE advanced settings that are thwarting my happiness. ... accept and apply all GPOs as desired. ... Are there post migration GPO permissions that must be set? ...
    (microsoft.public.windows.server.active_directory)
  • Re: Loopback processing, roaming profiles, folder redirection for domain-member laptops
    ... If you have slow network connections or an overworked Domain Controller, you may see some slowdown at computer startup (or when the GPOs are automatically refreshed) or at user logon. ... Being able to easily manage the settings to be applied to different objects by seperating them into related sets in different GPOs has business value as well. ... The OU contain the computer accounts for our Terminal Servers have 9 GPOs linked or inherited; normal user accounts have 6; workstation computers have 8. ... We avoid specifying profiles in the user accounts because then you have a lot of places to change when circumstances change. ...
    (microsoft.public.windows.group_policy)
  • Re: WIndows Server 2003 SP2 does not respond to ctrl-alt-delete
    ... Following the procedure did change the screen saver settings for the DC. ... the user's Group Policy objects determine which user settings ... the list of GPOs for the computer is gathered. ...
    (microsoft.public.windows.server.active_directory)
  • GPO Management
    ... creating individual GPOs or to creating single GPOs with a lot of settings? ...
    (microsoft.public.windows.group_policy)