Re: Assigning File and Folder Permissions Via Group Policy



Mark,

Again, thanks for the feedback. I'm like you in that I like to set things
up and name them in a way that can be easily understood at a glance.
Putting all of our NTFS tweaks in one GPO is attractive to me because we
already have a "user rights" GPO that used the Restricted Groups policy to
push down the local Administrators group. Adding the NTFS changes to that
GPO would keep all of our desktop rights management stuff in one GPO. My
only concern is that over time that GPO might grow to be pretty big and
complex, so we might end up breaking out the settings into smaller GPOs in
the long run anyway. Another concern is that in the future as legacy
software is retired we may not remember to remove the associated NTFS
entries from the GPO, resulting in a lot of garbage in the GPO. Of course,
that's where good management of the environment comes in, and it could
happen with smaller GPOs as well.

I think that we'll start by putting all the NTFS changes into our "user
rights" policy, and then if we need to break them out later we'll just cross
that bridge when we get there.

Historically, my organization has not made a lot of use of group policies.
It's been a Novell network for a long time and there are still a number of
Novell guys around who have resisted anything to do with Microsoft. But we
are now getting pushed into using group policies more and I am trying to
steer things toward an approach that is much like yours: one or two big
policies that everyone gets, then some smaller theme-based policies for
security, registry hacks, etc. I am also trying to push toward some kind of
naming convention for our policies so that everyone does things the same
way.

--Tom

"Mark Heitbrink [MVP]" <spam-only@xxxxxxxxxxxxxxxxxxxxx> wrote in message
news:uUb9hfMSIHA.4752@xxxxxxxxxxxxxxxxxxxxxxx
Hi,

Thomas M. wrote:
I've heard that optimizing the performance of group policies is something
of a balancing act.

Absolutely YES!

I'm told that complexity can slow down the processing of group policies,
so a few policies with a lot of settings in each policy may not be the best
approach.

At least another argument against this kind of policy: Administration!
I like to work with thematic/speaking policies. If the policy is called:
"WSUS Setting for a client" I usually know what's inside, even if I don't
take a closer look ;-)

I'm also told that the sheer number of policies can slow things down,
so a lot of smaller policies each containing only one or two settings
also may not be the best solution.

Right as well.

The implication being that a "medium" (however you choose to define
that term) number of policies with a "medium" number of settings in
each policy is the best overall solution in terms of group policy
processing.

Most of my scenarios look like this:
- one "big" policy containing most of the company settings ALL CLIENTS
and USERS will get.
- a lot of thematic policies, trying to contain only one single client
side extension (e.g.: Registry, Security)
- a few policies like above, but filtered by security settings, e.g.
some people need a different time out in Screensaver ...
These "exceptions" run last

This can lead to 10 to 15 policies per object.

Tuning is only necessary if people "think" that it's slow ;-)

In my situation, if we load up all the file system permissions changes
into one policy and then push that policy to every machine, the policy will
try to apply settings that the vast majority of machines will not need, and
I would think that would slow down the processing of group policies.

You can enable GPO Logging and take a look at the times that are needed
to apply the settings, but my guess: It will not take a longer time.
It's only one single file (gpttmpl.inf) where the settings are inside.
If the system reads and applies 30 lines, or if it just reads 30 lines,
I think it's even faster ;-)

So, in general, would it be better to load up all of our file system
permissions changes into one group policy that gets pushed out to
everyone, or would it be better to have 10 separate group policies that
each contain only one or two settings and that get pushed down to only the
machines needing those policies?

I think it is not a question of performance, it's as well a question of
administration and how you like to work, and how you think it is easier
to handle.

If you break down the GPO into 10 singles, you need to filter them by
security group, WMI or OU structure. That can cause a lot more work.

I can't give you an answer that is "black" or "white", it's always "grey".

I like to have things structured "logically" like I mentioned above.
Or having them understandable on the first view. On the other hand,
there are performance, other administrative issues, political
criteria (Layer 8 problem ;-) etc.

Think about implementing most of your settings inside your client
image. That would be the easiest part.
Create a new image, create empty files and folders and apply all settings
in the image, then there is no need to deploy only "Changes" by GPO.
That would reduce the settings ... just another idea ;-)

Like you said: It's a balancing act of
- default image
- installation
- default user
- GPO
- administration
- personal preferences

Mark
--
Mark Heitbrink - MVP Windows Server - Group Policy

Homepage: www.gruppenrichtlinien.de - deutsch
Blog: gpupdate.spaces.live.com - english
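
An added example, not part of the original posts: the thread notes that the file system settings of a GPO live in a single gpttmpl.inf and that entries for retired legacy software tend to be left behind, so this sketch lists the [File Security] entries that give write access to broad groups, which are the ones worth reviewing. It assumes each entry has the form "path",mode,"SDDL"; the sample file content and all function names are constructed for illustration.

```python
import re

# Constructed sample of a GptTmpl.inf; paths and ACLs are made up for illustration.
SAMPLE_INF = r'''[Group Membership]
*S-1-5-32-544__Members = *S-1-5-21-1111111111-2222222222-3333333333-512
[File Security]
"%SystemDrive%\LegacyApp",0,"D:PAR(A;OICI;FA;;;BA)(A;OICI;FA;;;SY)(A;OICI;0x1301bf;;;BU)"
"%ProgramFiles%\OldTool\data",2,"D:PAR(A;OICI;FA;;;BA)(A;OICI;FA;;;WD)"
"%SystemRoot%\Temp\reports",0,"D:PAR(A;OICI;FA;;;BA)(A;OICI;0x1200a9;;;BU)"
'''

# Trustees that cover most or all users (SDDL aliases and the matching SIDs).
BROAD = {"WD": "Everyone", "S-1-1-0": "Everyone", "AU": "Authenticated Users",
         "S-1-5-11": "Authenticated Users", "BU": "Users", "S-1-5-32-545": "Users"}
# SDDL rights aliases relevant to writing; other aliases count as 0 (simplification).
ALIASES = {"FA": 0x1F01FF, "FW": 0x120116, "GA": 0x10000000, "GW": 0x40000000,
           "SD": 0x10000, "WD": 0x40000, "WO": 0x80000, "DC": 0x2, "LC": 0x4}
# Write data, append data, delete, write DAC, write owner, generic all, generic write.
WRITE_MASK = 0x2 | 0x4 | 0x10000 | 0x40000 | 0x80000 | 0x10000000 | 0x40000000
ENTRY = re.compile(r'^"([^"]+)"\s*,\s*(\d)\s*,\s*"([^"]*)"$')

def rights_to_mask(rights):
    if rights.lower().startswith("0x"):
        return int(rights, 16)
    mask = 0
    for i in range(0, len(rights), 2):  # aliases are two letters each
        mask |= ALIASES.get(rights[i:i + 2], 0)
    return mask

def file_security_entries(inf_text):
    section, entries = None, []
    for line in map(str.strip, inf_text.splitlines()):
        if line.startswith("["):
            section = line.strip("[]").lower()
        elif section == "file security" and (m := ENTRY.match(line)):
            entries.append((m.group(1), int(m.group(2)), m.group(3)))
    return entries

def broad_write_grants(inf_text):
    findings = []
    for path, mode, sddl in file_security_entries(inf_text):
        for ace in re.findall(r"\(([^)]*)\)", sddl):
            f = ace.split(";")
            allow = len(f) >= 6 and f[0] == "A"  # allow ACE with a trustee field
            if allow and f[5] in BROAD and rights_to_mask(f[2]) & WRITE_MASK:
                findings.append((path, mode, BROAD[f[5]]))
    return findings

if __name__ == "__main__":
    print(broad_write_grants(SAMPLE_INF))
```

A GptTmpl.inf copied from SYSVOL is typically UTF-16 encoded, so decode it accordingly before passing the text to these functions.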

