Solved

GPO best practices

Posted on 2008-10-20
7
1,075 Views
Last Modified: 2012-12-11
Hi, i'm wondering when designing GPOs, is it best to have bigger GPOs with multiple settings in it, or create multiple, smaller GPOs with fewer settings in them?

I'm presuming fewer, but bigger GPOs would process faster but would be more difficult to manage?

Thanks.
0
Comment
Question by:paulo999
7 Comments
 
LVL 8

Assisted Solution

by:pzozulka
pzozulka earned 75 total points
ID: 22762876
I prefer any method that will allow IT Administration the most management. This would be many, smaller GPOs to allow for optimal management capablility.
0
 
LVL 18

Accepted Solution

by:
sk_raja_raja earned 200 total points
ID: 22762930
I would suggest you to download and install "Group Policy Management console" and then design the group policies...If you have a very good organized OU, GPO design will be more effective. You can have any no of group policies in your domain but, to manage it more effectively less policies with more setting will make sense.

0
 
LVL 18

Assisted Solution

by:sk_raja_raja
sk_raja_raja earned 200 total points
ID: 22762949
0
Migrating Your Company's PCs

To keep pace with competitors, businesses must keep employees productive, and that means providing them with the latest technology. This document provides the tips and tricks you need to help you migrate an outdated PC fleet to new desktops, laptops, and tablets.

 
LVL 6

Assisted Solution

by:ngailfus
ngailfus earned 75 total points
ID: 22763338
We use larger policies for global settings (applies to all users/computers).  We then use smaller policies for printer deployments, software installation, scripts, and custom settings for sepecific users.  Other tricks include disabling User config or Computer config based on what the policy does.  This shaves a little off the processing time.  For example, a policy with a start up script or other computer based policies only can have the User configuration settings disabled.  
0
 
LVL 11

Assisted Solution

by:AnthonyP9618
AnthonyP9618 earned 75 total points
ID: 22764033
It's easier to split things into easily manageable parts.  For example, I would recommend 4 different areas for managing GPOs.

1. User Experience (desktop, icons, backgrounds, etc..)
2. Control Panel (access to cmd shell, install/remove programs)
3. Security (Any type of security.. e.g NTFS security)
4. Internet Explorer (IE branding, removing Advanced tab)

So when changes occur, it's fairly trivial to find out where the new setting would go.  It keeps things neat and tidy and helps Administrators find where certain settings may actually be set at.

0
 
LVL 18

Assisted Solution

by:Americom
Americom earned 75 total points
ID: 22773392
Most importantly, give the GPO a meaningful name. GPO naming can help identify, organize, and catagorize the usage of all your GPOs.
Also, Unless the GPO required both User Configuration and Computer Configuration, otherwise disable the one not being used.
0
 

Author Closing Comment

by:paulo999
ID: 31508070
Thanks for all the comments
0

Featured Post

Is Your AD Toolbox Looking More Like a Toybox?

Managing Active Directory can get complicated.  Often, the native tools for managing AD are just not up to the task.  The largest Active Directory installations in the world have relied on one tool to manage their day-to-day administration tasks: Hyena. Start your trial today.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

ADCs have gained traction within the last decade, largely due to increased demand for legacy load balancing appliances to handle more advanced application delivery requirements and improve application performance.
This article outlines the process to identify and resolve account lockout in an Active Directory environment.
This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…
Microsoft Active Directory, the widely used IT infrastructure, is known for its high risk of credential theft. The best way to test your Active Directory’s vulnerabilities to pass-the-ticket, pass-the-hash, privilege escalation, and malware attacks …

775 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question