Solved

GPO best practices

Posted on 2008-10-20
7
1,073 Views
Last Modified: 2012-12-11
Hi, i'm wondering when designing GPOs, is it best to have bigger GPOs with multiple settings in it, or create multiple, smaller GPOs with fewer settings in them?

I'm presuming fewer, but bigger GPOs would process faster but would be more difficult to manage?

Thanks.
0
Comment
Question by:paulo999
7 Comments
 
LVL 8

Assisted Solution

by:pzozulka
pzozulka earned 75 total points
ID: 22762876
I prefer any method that will allow IT Administration the most management. This would be many, smaller GPOs to allow for optimal management capablility.
0
 
LVL 18

Accepted Solution

by:
sk_raja_raja earned 200 total points
ID: 22762930
I would suggest you to download and install "Group Policy Management console" and then design the group policies...If you have a very good organized OU, GPO design will be more effective. You can have any no of group policies in your domain but, to manage it more effectively less policies with more setting will make sense.

0
 
LVL 18

Assisted Solution

by:sk_raja_raja
sk_raja_raja earned 200 total points
ID: 22762949
0
Microsoft Certification Exam 74-409

Veeam® is happy to provide the Microsoft community with a study guide prepared by MVP and MCT, Orin Thomas. This guide will take you through each of the exam objectives, helping you to prepare for and pass the examination.

 
LVL 6

Assisted Solution

by:ngailfus
ngailfus earned 75 total points
ID: 22763338
We use larger policies for global settings (applies to all users/computers).  We then use smaller policies for printer deployments, software installation, scripts, and custom settings for sepecific users.  Other tricks include disabling User config or Computer config based on what the policy does.  This shaves a little off the processing time.  For example, a policy with a start up script or other computer based policies only can have the User configuration settings disabled.  
0
 
LVL 11

Assisted Solution

by:AnthonyP9618
AnthonyP9618 earned 75 total points
ID: 22764033
It's easier to split things into easily manageable parts.  For example, I would recommend 4 different areas for managing GPOs.

1. User Experience (desktop, icons, backgrounds, etc..)
2. Control Panel (access to cmd shell, install/remove programs)
3. Security (Any type of security.. e.g NTFS security)
4. Internet Explorer (IE branding, removing Advanced tab)

So when changes occur, it's fairly trivial to find out where the new setting would go.  It keeps things neat and tidy and helps Administrators find where certain settings may actually be set at.

0
 
LVL 18

Assisted Solution

by:Americom
Americom earned 75 total points
ID: 22773392
Most importantly, give the GPO a meaningful name. GPO naming can help identify, organize, and catagorize the usage of all your GPOs.
Also, Unless the GPO required both User Configuration and Computer Configuration, otherwise disable the one not being used.
0
 

Author Closing Comment

by:paulo999
ID: 31508070
Thanks for all the comments
0

Featured Post

Are end users causing IT problems again?

You’ve taken the time to design and update all your end user’s email signatures, only to find out they’re messing up the HTML, changing the font and ruining the imagery. What can you do to prevent this? Find out how you can save your signatures from end users today.

Join & Write a Comment

Synchronize a new Active Directory domain with an existing Office 365 tenant
ADCs have gained traction within the last decade, largely due to increased demand for legacy load balancing appliances to handle more advanced application delivery requirements and improve application performance.
This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles from a Windows Server 2008 domain controller to a Windows Server 2012 domain controlle…

708 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

18 Experts available now in Live!

Get 1:1 Help Now