Solved

GPO best practices

Posted on 2008-10-20
7
1,076 Views
Last Modified: 2012-12-11
Hi, i'm wondering when designing GPOs, is it best to have bigger GPOs with multiple settings in it, or create multiple, smaller GPOs with fewer settings in them?

I'm presuming fewer, but bigger GPOs would process faster but would be more difficult to manage?

Thanks.
0
Comment
Question by:paulo999
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
7 Comments
 
LVL 8

Assisted Solution

by:pzozulka
pzozulka earned 75 total points
ID: 22762876
I prefer any method that will allow IT Administration the most management. This would be many, smaller GPOs to allow for optimal management capablility.
0
 
LVL 18

Accepted Solution

by:
sk_raja_raja earned 200 total points
ID: 22762930
I would suggest you to download and install "Group Policy Management console" and then design the group policies...If you have a very good organized OU, GPO design will be more effective. You can have any no of group policies in your domain but, to manage it more effectively less policies with more setting will make sense.

0
 
LVL 18

Assisted Solution

by:sk_raja_raja
sk_raja_raja earned 200 total points
ID: 22762949
0
How Do You Stack Up Against Your Peers?

With today’s modern enterprise so dependent on digital infrastructures, the impact of major incidents has increased dramatically. Grab the report now to gain insight into how your organization ranks against your peers and learn best-in-class strategies to resolve incidents.

 
LVL 6

Assisted Solution

by:ngailfus
ngailfus earned 75 total points
ID: 22763338
We use larger policies for global settings (applies to all users/computers).  We then use smaller policies for printer deployments, software installation, scripts, and custom settings for sepecific users.  Other tricks include disabling User config or Computer config based on what the policy does.  This shaves a little off the processing time.  For example, a policy with a start up script or other computer based policies only can have the User configuration settings disabled.  
0
 
LVL 11

Assisted Solution

by:AnthonyP9618
AnthonyP9618 earned 75 total points
ID: 22764033
It's easier to split things into easily manageable parts.  For example, I would recommend 4 different areas for managing GPOs.

1. User Experience (desktop, icons, backgrounds, etc..)
2. Control Panel (access to cmd shell, install/remove programs)
3. Security (Any type of security.. e.g NTFS security)
4. Internet Explorer (IE branding, removing Advanced tab)

So when changes occur, it's fairly trivial to find out where the new setting would go.  It keeps things neat and tidy and helps Administrators find where certain settings may actually be set at.

0
 
LVL 18

Assisted Solution

by:Americom
Americom earned 75 total points
ID: 22773392
Most importantly, give the GPO a meaningful name. GPO naming can help identify, organize, and catagorize the usage of all your GPOs.
Also, Unless the GPO required both User Configuration and Computer Configuration, otherwise disable the one not being used.
0
 

Author Closing Comment

by:paulo999
ID: 31508070
Thanks for all the comments
0

Featured Post

Free learning courses: Active Directory Deep Dive

Get a firm grasp on your IT environment when you learn Active Directory best practices with Veeam! Watch all, or choose any amount, of this three-part webinar series to improve your skills. From the basics to virtualization and backup, we got you covered.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

In this article, I am going to show you how to simulate a multi-site Lab environment on a single Hyper-V host. I use this method successfully in my own lab to simulate three fully routed global AD Sites on a Windows 10 Hyper-V host.
Did you know that more than 4 billion data records have been recorded as lost or stolen since 2013? It was a staggering number brought to our attention during last week’s ManageEngine webinar, where attendees received a comprehensive look at the ma…
This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…
Attackers love to prey on accounts that have privileges. Reducing privileged accounts and protecting privileged accounts therefore is paramount. Users, groups, and service accounts need to be protected to help protect the entire Active Directory …

730 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question