Re: Assigning File and Folder Permissions Via Group Policy

Hi,

Thomas M. schrieb:
I've heard that optimizing the performance of group policies is something of
a balancing act.

Absolutly YES!

I'm told that complexity can slow down the processing of group policies, so
A few policies with a lot of settings in each policy may not be the best
approach.

at least another argument aganst this kind of policies: Administration!
I like to work with thematic/speaking policies. If the policiy is called:
"WSUS Setting for a client" I usually know whats inside, even if I don´t
take a closer look into ;-)

I'm also told that the sure number of policies can slow things down,
so a lot of smaller policies each containing only one or two settings also
may not be the best solution.

right aswell.

The implication being that a "medium" (how ever you choose to define
that term) number of policies with a "medium" number of settings in
each policy is the best overall solution in terms of group policy
processing.

Most of my scenarios look like this:
- one "big" policy containing the most compnay settings ALL CLIENTS
and USER will get.
- a lot of thematic policies, try only containing one single client
side extension (e.g.: Registry, Security)
- a few policies like above, but filtered by security settings, e.g.
some people need a different time out in Screensaver ...
This "exceptions" run last

This can lead in 10 to 15 policies per object.

Tuning is only necessary, if people "think" that it´s slow ;-)

In my situation, if we load up all the file system permissions changes into
one policy and then push that policy to every machine, the policy will try
to apply settings that the vast majority of machines will not need, and I
would think that would slow down the processing of group policies.

You can enable GPO Logging and take a look at the times, that are needed
to apply the settings, but my guess: It will not take a longer time.
It´s only on single file (gpttmpl.inf) where the settings are inside.
If the systems reads and appy 30 lines, or if it just read 30 lines,
I think it´s even faster ;-)

So, in general, would it be better to load up all of our file system
permissions changes into one group policy that gets pushed out to everyone,
or would it be better to have 10 separate group policies that each contain
only one or two settings and that get pushed down to only the machines
needing those policies?

I think it is not a question of performance, it´s aswell a question of
administration and how you like to work, and how you think it is easier
to handle.

If you brakedown the GPO into 10 singles, you need to filter them by
security group, WMI or OU structure. That can cause in a lot more work.

I can´t give you an answer tat is "black" or "white" it´s always "grey".

I like to have thinks structured "logically" like I mentioned above.
Or having them understandaable on the first view. On the other hand,
there are performance, other administrative issues, political
criterias (Layer 8 problem ;-) etc.

Think about implenting the most of your settings inside your client
image. That would be the easiest part.
Create a new image, create empty files an folder and apply all settings
in the image, then there is no need to deploy only "Changes" by GPO.
That would reduce the settings ... just another idea ;-)

Like you said: It´s a balancing act of
- default image
- installation
- default user
- GPO
- administration
- personal preferences

Mark
--
Mark Heitbrink - MVP Windows Server - Group Policy

Homepage: www.gruppenrichtlinien.de - deutsch
Blog: gpupdate.spaces.live.com - english
.

Relevant Pages

  • RE: Remote Assistance not working
    ... I have tried these settings you recommend with no results. ... I have yet to get the offer remote assistance to work when launched from the ... The Group Policy on the computer of the novice user must be configured ... Start the Microsoft Management Console Group Policy snap-in. ...
    (microsoft.public.windows.server.sbs)
  • Re: Parts of GPO not working.
    ... If your users use other browsers like firefox from an usb stick/drive or whatever medium your policy will not help. ... I have a request that all of those computers not have Internet ... The settings in this GPO can only apply to the following groups, ... Group Policy refresh interval for computers Enabled ...
    (microsoft.public.windows.server.active_directory)
  • RE: security policy not specified option
    ... Resultant Set of Policy does not in any way change the processing of Group ... processing different parts of group policy. ... Machine parses local policy and applies any settings contained in the ... parses computer configuration settings in those policies. ...
    (Focus-Microsoft)
  • Parts of GPO not working.
    ... I have a request that all of those computers not have Internet ... The settings in this GPO can only apply to the following groups, ... Group Policy refresh interval for computers Enabled ...
    (microsoft.public.windows.server.active_directory)
  • Re: Reset GP back to "out of box" ??
    ... Administrative Template policies (as opposed to ... select Import Policy and choose that setup security.inf file. ... you should remove the settings in the domain ... Group Policy Management solutions at http://www.sdmsoftware.com ...
    (microsoft.public.windows.group_policy)
Quantcast