Solved

GPO best practices

Posted on 2008-10-20
7
1,078 Views
Last Modified: 2012-12-11
Hi, i'm wondering when designing GPOs, is it best to have bigger GPOs with multiple settings in it, or create multiple, smaller GPOs with fewer settings in them?

I'm presuming fewer, but bigger GPOs would process faster but would be more difficult to manage?

Thanks.
0
Comment
Question by:paulo999
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
7 Comments
 
LVL 8

Assisted Solution

by:pzozulka
pzozulka earned 75 total points
ID: 22762876
I prefer any method that will allow IT Administration the most management. This would be many, smaller GPOs to allow for optimal management capablility.
0
 
LVL 18

Accepted Solution

by:
sk_raja_raja earned 200 total points
ID: 22762930
I would suggest you to download and install "Group Policy Management console" and then design the group policies...If you have a very good organized OU, GPO design will be more effective. You can have any no of group policies in your domain but, to manage it more effectively less policies with more setting will make sense.

0
 
LVL 18

Assisted Solution

by:sk_raja_raja
sk_raja_raja earned 200 total points
ID: 22762949
0
How our DevOps Teams Maximize Uptime

Our Dev teams are like yours. They’re continually cranking out code for new features/bugs fixes, testing, deploying, responding to production monitoring events and more. It’s complex. So, we thought you’d like to see what’s working for us. Read the use case whitepaper.

 
LVL 6

Assisted Solution

by:ngailfus
ngailfus earned 75 total points
ID: 22763338
We use larger policies for global settings (applies to all users/computers).  We then use smaller policies for printer deployments, software installation, scripts, and custom settings for sepecific users.  Other tricks include disabling User config or Computer config based on what the policy does.  This shaves a little off the processing time.  For example, a policy with a start up script or other computer based policies only can have the User configuration settings disabled.  
0
 
LVL 11

Assisted Solution

by:AnthonyP9618
AnthonyP9618 earned 75 total points
ID: 22764033
It's easier to split things into easily manageable parts.  For example, I would recommend 4 different areas for managing GPOs.

1. User Experience (desktop, icons, backgrounds, etc..)
2. Control Panel (access to cmd shell, install/remove programs)
3. Security (Any type of security.. e.g NTFS security)
4. Internet Explorer (IE branding, removing Advanced tab)

So when changes occur, it's fairly trivial to find out where the new setting would go.  It keeps things neat and tidy and helps Administrators find where certain settings may actually be set at.

0
 
LVL 18

Assisted Solution

by:Americom
Americom earned 75 total points
ID: 22773392
Most importantly, give the GPO a meaningful name. GPO naming can help identify, organize, and catagorize the usage of all your GPOs.
Also, Unless the GPO required both User Configuration and Computer Configuration, otherwise disable the one not being used.
0
 

Author Closing Comment

by:paulo999
ID: 31508070
Thanks for all the comments
0

Featured Post

DevOps Toolchain Recommendations

Read this Gartner Research Note and discover how your IT organization can automate and optimize DevOps processes using a toolchain architecture.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Had a business requirement to store the mobile number in an environmental variable. This is just a quick article on how this was done.
This article provides a convenient collection of links to Microsoft provided Security Patches for operating systems that have reached their End of Life support cycle. Included operating systems covered by this article are Windows XP,  Windows Server…
This tutorial will walk an individual through the process of configuring their Windows Server 2012 domain controller to synchronize its time with a trusted, external resource. Use Google, Bing, or other preferred search engine to locate trusted NTP …
This video shows how to use Hyena, from SystemTools Software, to update 100 user accounts from an external text file. View in 1080p for best video quality.

729 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question