• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 347
  • Last Modified:

More or fewer group policy objects?

Understanding there is not a black and white answer, in general terms is it preferable to structure group policy objects so that each one contains more rules, and so you end up with a group having fewer GPOs applied, or is it better to have more GPOs, each containing a more specific type of rules?

Conceptually I prefer the having more GPOs that have more specific purposes but I am wondering if there is any impact on performance, login time, odds of getting policies properly applied, etc. by one approach or the other.

From your experiences, which approach do you prefer?
0
rwilsonz
Asked:
rwilsonz
2 Solutions
 
tigermattCommented:

The more Group Policy Objects you create, the longer the time it will take to process them. That is a fact; there's no getting away from it. The time added by using a few extra GPOs though will be milliseconds, compared with the other policies you are applying.

I always configure policies not based on what settings they apply but based on what they apply to. For example, I would create a 'Domain Admins Policy' or a 'Standard Users Policy', rather than a 'Lock Down Desktop' policy.

You may find, however, that using separate policies for different types of settings works better for you. If this increases your ease to administer the network, this is the route to take, since it will help you understand your configuration better. You will also be able to troubleshoot policy problems as they arise more easily with a system you are comfortable with.

-Matt
0
 
Mike KlineCommented:
I also prefer "functional" GPOs but there is no one absolute answer
My goto article for this question is by Group Policy MVP Darren Mar-Elia
http://technet.microsoft.com/en-us/magazine/cc137720.aspx
Optimizing Group Policy Performance
Great article and figure 1 has some good info.
Thanks
MIke
 
 
0
 
rwilsonzAuthor Commented:
Thanks for your responses.  They were very helpful, particularly the link from mkline71.
0

Featured Post

Problems using Powershell and Active Directory?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why

Tackle projects and never again get stuck behind a technical roadblock.
Join Now