Basic Group Policy Setup Recommendation

Hi Guys

I'm just setting up a completely new Domain and was wondering how I should start with the Group Policies.
Which Group Policies should I definitely use, how should I separate these? What is best practice?

Obviously I need password policy, redirected folders Policy and stuff like that. What else can you think of?

Thanks in advance.
Dan-IT Asked:
 
snusgubben Commented:
You should not customize the Default Domain Policy and Default Domain Controller Policy. Leave them as they are.

Create new GPOs with informative names that describe what their intention is.

e.g. GPO-FolderRedirection (where you define folder redir.)
e.g. GPO-SetHomePage (where you define the IE homepage)

Regarding password policy, here is a good description: http://www.microsoft.com/downloads/en/details.aspx?FamilyID=8C8E0D90-A13B-4977-A4FC-3E2B67E3748E&displaylang=en

If you don't have many GPOs you could separate User GPOs apart from Computer GPOs.

If you have multiple domain controllers, you could configure the time with a GPO:
http://adfordummiez.com/?p=67

Take regular backups of your GPO:
http://adfordummiez.com/?p=43


0
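The layout recommended in the comment above (purpose-named GPOs, user settings kept apart from computer settings, defaults left alone, regular backups), sketched with the GroupPolicy module that ships with 2008 R2. This is an added example, not part of the original post; the domain name, OU path and backup folder are placeholders.

```powershell
# Added example: domain, OU and backup path are placeholders.
Import-Module GroupPolicy

$domain     = 'corp.example'                  # placeholder domain
$userOU     = 'OU=Staff,DC=corp,DC=example'   # placeholder OU
$backupRoot = 'D:\GPOBackup'                  # placeholder path

# One purpose per GPO. Both hold only user settings, so the computer
# half is disabled to keep user and computer policy apart.
$plan = @(
    @{ Name = 'GPO-FolderRedirection'; Target = $userOU; Status = 'ComputerSettingsDisabled' },
    @{ Name = 'GPO-SetHomePage';       Target = $userOU; Status = 'ComputerSettingsDisabled' }
)

foreach ($item in $plan) {
    # Create the GPO only if it does not exist yet, so the script can be re-run.
    $gpo = Get-GPO -Name $item.Name -Domain $domain -ErrorAction SilentlyContinue
    if (-not $gpo) {
        $gpo = New-GPO -Name $item.Name -Domain $domain -Comment 'Created by baseline script'
    }
    $gpo.GpoStatus = $item.Status

    # Link once at the OU; the default policies and their links are not touched.
    $links = (Get-GPInheritance -Target $item.Target -Domain $domain).GpoLinks
    if (-not ($links | Where-Object { $_.DisplayName -eq $item.Name })) {
        New-GPLink -Name $item.Name -Target $item.Target -Domain $domain -LinkEnabled Yes |
            Out-Null
    }
}

# Dated backup of every GPO, plus an HTML report that can be read without GPMC.
$dir = Join-Path $backupRoot (Get-Date -Format 'yyyy-MM-dd')
New-Item -ItemType Directory -Path $dir -Force | Out-Null
Backup-GPO -All -Path $dir -Domain $domain -Comment "Backup $(Get-Date -Format s)" |
    Select-Object DisplayName, GpoId, BackupDirectory
Get-GPOReport -All -ReportType Html -Path (Join-Path $dir 'AllGPOs.html') -Domain $domain
```

Run the backup part from a scheduled task and restrict the backup folder to administrators, since GPO backups can contain scripts and preference settings.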
 
snusgubben Commented:
Since you have 2008 R2 you could use Group Policy Preferences to e.g. map network drives, printers etc.

http://www.microsoft.com/downloads/en/details.aspx?FamilyID=42e30e3f-6f01-4610-9d6e-f6e0fb7a0790&displaylang=en
0
 
added_flavour Commented:
Hi,

I totally agree with SAGE here. The Default Domain and Default Domain Controllers policies will be there in your domain as soon as you promote the first domain controller in the domain, and they will be applying most of the group policies automatically, like your password policy and a few security policies as well.

In order to change the password policy you have to change it on the Default Domain Policy, unless you have multiple password policies in your domain, like in 2008 functional level domains.

You should not create new group policies unless it's required. I would suggest giving every policy a good reference name as suggested by SAGE. It will actually make your administration easier.

For health checkups I would suggest monitoring the File Replication Service logs regularly. You can use ULTRASOUND (Microsoft tool, just search in Google) to monitor the health of SYSVOL, which actually carries the policies.

Thanks !!!

0
 
Awinish Commented:
If you are interested in learning GPO, follow the below article.

http://www.grouppolicy.biz/2010/07/best-practice-group-policy-design-guidelines-part-2/

A few more things which I would like to mention: never apply a GPO at site level; the reason is it's very difficult to troubleshoot.

http://www.grouppolicy.biz/?s=folder+redirection

You use a single password policy applied at domain level, or if you have your domain & forest functional level set to Windows 2008, you can use fine-grained policy for specific groups.

http://capitalhead.com/articles/step-by-step-guide-to-fine-grained-passwords-in-windows-server-2008.aspx
http://www.specopssoft.com/documentation/specops-password-policy-basic-documentation

You can use a central store to store ADMX files instead of ADM files, which grow when creating new GPOs.
http://blogs.technet.com/b/askds/archive/2009/12/09/windows-7-windows-server-2008-r2-and-the-group-policy-central-store.aspx

0
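The password-policy split discussed in the comments above (one policy at domain level, fine-grained policies for specific groups at 2008 functional level), as an added example that is not part of the original posts. It uses the ActiveDirectory module from 2008 R2; the policy name, group name, account name and all numeric values are constructed for illustration.

```powershell
# Added example: PSO name, group, user and values are placeholders.
Import-Module ActiveDirectory

# The domain-wide policy (delivered by the Default Domain Policy) stays the
# baseline for everyone. Review it first.
Get-ADDefaultDomainPasswordPolicy |
    Format-List MinPasswordLength, PasswordHistoryCount, MaxPasswordAge,
                LockoutThreshold, ComplexityEnabled

# A stricter Password Settings Object for privileged accounts.
# Lower Precedence wins when several PSOs apply to the same user.
New-ADFineGrainedPasswordPolicy -Name 'PSO-PrivilegedAdmins' `
    -Precedence 10 `
    -MinPasswordLength 15 `
    -PasswordHistoryCount 24 `
    -ComplexityEnabled $true `
    -ReversibleEncryptionEnabled $false `
    -MinPasswordAge '1.00:00:00' `
    -MaxPasswordAge '60.00:00:00' `
    -LockoutThreshold 5 `
    -LockoutObservationWindow '0.00:30:00' `
    -LockoutDuration '0.00:30:00'

# PSOs apply to users and global security groups, not to OUs,
# so membership of this (placeholder) group decides who gets the policy.
Add-ADFineGrainedPasswordPolicySubject -Identity 'PSO-PrivilegedAdmins' `
    -Subjects 'GRP-PrivilegedAdmins'

# Check which PSO actually wins for one account. Empty output means the
# account falls back to the domain-wide policy.
Get-ADUserResultantPasswordPolicy -Identity 'adm.example' |
    Format-List Name, Precedence, MinPasswordLength, LockoutThreshold
```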
 
snusgubben Commented:
added_flavour: Looks like he builds his domain on 2008 R2 so he'll be using DFSR and not FRS. Ultrasound monitors FRS ;)
0
 
added_flavour Commented:
Oh wow !!!

It would be really nice if he is using functional level 2008. At least he would be enjoying Remote Differential Client and several other benefits, such as no group policy morphing. DFS Replication is self-healing and can automatically recover from USN journal wraps, USN journal loss, or loss of the DFS Replication database.

However, DFS Replication has its own set of monitoring and diagnostics tools.

There are a number of ways to monitor replication:

DFS Replication has a management pack for System Center Operations Manager 2007 that provides proactive monitoring.

DFS Replication has an in-box diagnostic report for the replication backlog, replication efficiency, and the number of files and folders in a given replication group.

Dfsrdiag.exe is a command-line tool that can generate a backlog count or trigger a propagation test. Both show the state of replication. Propagation shows you if files are being replicated to all nodes. Backlog shows you how many files still need to replicate before two computers are in sync. The backlog count is the number of updates that a replication group member has not processed. On computers running Windows Server 2008 R2, Dfsrdiag.exe can also display the updates that DFS Replication is currently replicating.

Scripts can use WMI to collect backlog information, manually or through MOM/SCOM.

PS: These are benefits and Monitoring Suggestions  ;)

@ Snusgubben : thanks for correcting me  ;) cheers !!

Thanks  !!
0
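The Dfsrdiag.exe backlog check described in the comment above, applied to SYSVOL between every pair of domain controllers. This is an added example, not part of the original post; it assumes SYSVOL is replicated by DFSR under the default names "Domain System Volume" and "SYSVOL Share", and the threshold and the text patterns matched in the tool's output are assumptions to verify against your own dfsrdiag output.

```powershell
# Added example: threshold and output patterns are assumptions.
Import-Module ActiveDirectory

$threshold = 50   # placeholder: backlog size that should raise attention
$dcs = Get-ADDomainController -Filter * | ForEach-Object { $_.HostName }

$results = foreach ($src in $dcs) {
    foreach ($dst in $dcs) {
        if ($src -eq $dst) { continue }

        # Backlog = updates the receiving member has not yet processed from the sender.
        $out = & dfsrdiag.exe backlog /rgname:'Domain System Volume' `
                   /rfname:'SYSVOL Share' /smem:$src /rmem:$dst 2>&1 | Out-String

        if     ($out -match 'No Backlog')                  { $count = 0 }
        elseif ($out -match 'Backlog File Count:\s*(\d+)') { $count = [int]$Matches[1] }
        else                                               { $count = $null }  # tool error or unreachable DC

        New-Object PSObject -Property @{
            Sending   = $src
            Receiving = $dst
            Backlog   = $count
            Status    = if ($null -eq $count)        { 'CHECK-FAILED' }
                        elseif ($count -gt $threshold) { 'BACKLOG' }
                        else                           { 'OK' }
        }
    }
}

# A GPO edited on one DC is not in effect everywhere until SYSVOL is in sync,
# so anything other than OK deserves a look before trusting a policy change.
$results | Sort-Object Status, Sending |
    Format-Table Sending, Receiving, Backlog, Status -AutoSize
```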
 
Dan-IT Author Commented:
WOW! So many replies. Thanks guys.
In fact we will be using functional level 2008 and yes I'm really looking forward to the features this provides.

I was actually looking for Group policy settings I must not forget. Like DNS suffix and things like that.

All your replies are very good and I'm looking at the links now.

Thanks a lot

0
 
added_flavour Commented:
Hi,

Applying Group Policy actually depends on your requirement. If you need folder redirection you can use a folder redirection policy, etc.
If you are looking for a reference on all the group policies and settings you can apply, then please download the following reference file and take a look at it:

Group Policy Settings Reference for Windows and Windows Server:

https://www.microsoft.com/downloads/en/details.aspx?familyid=18C90C80-8B0A-4906-A4F5-FF24CC2030FB&displaylang=en

Thanks !!
0
 
Awinish Commented:
The skill required to implement minimum GPOs with maximum effect, that's the perfection & expectation from an Expert.

There are loads of new enhancements & features available in Windows 2008 as well as 2008 R2. In order to squeeze the max, you require clients with Windows 7, so that all the Windows GPO features can be implemented.

There is actually no best practice in implementing or creating GPOs; it's your skill which makes it simple & lesser, so that even other admins can work w/o much hard work.
0
Question has a verified solution.