[Webinar] Streamline your web hosting managementRegister Today


Basic Group Policy Setup Recommendation

Posted on 2010-11-15
Medium Priority
Last Modified: 2012-05-10
Hi Guys

I'm just setting up a completely new Domain and was wondering how I should start with the Group Policies.
Which Group Policies should I definitely use, how should I seperate these? What is best practise?

Obviously I need password policy, redirected folders Policy and stuff like that. Whatelse can you think of.

Thanks in advance.
Question by:Dan-IT
  • 3
  • 3
  • 2
  • +1
LVL 21

Accepted Solution

snusgubben earned 252 total points
ID: 34135161
You should not customize the Default Domain Policy and Default Domain Controller Policy. Leave them as they are.

Create new GPO's with informative names that describes what their intention is.

ie. GPO-FolderRedirection (where you define folder redir.)
ie. GPO-SetHomePage (where you define the IE homepage)

Regarding password policy, here is a good description: http://www.microsoft.com/downloads/en/details.aspx?FamilyID=8C8E0D90-A13B-4977-A4FC-3E2B67E3748E&displaylang=en

If you don't have many GPO's you could seperate User GPOs apart from Computer GPOs.

If you have multiple domain controllers, you could configure the time with a GPO:

Take regular backups of your GPO:

LVL 21

Expert Comment

ID: 34135169
Since you have 2008 R2 you could use Group Policy Prefrences to ie. map network drives, printers etc.


Expert Comment

ID: 34135198

I totally agree with SAGE here . Default domain and default domain controllers policies will be there in your domain as soon as you will promote the first domain controller in the domain and they will be applying most of the group policies automatically like your password policy and few security policies as well .

In order to change the Password policy you have to change it on default domain policy until and unless you have multiple password policies in your domain like in 2008 functional level domains .

You should not create new group policies unless its required . I would suggest to give every policy a good reference name as suggested by SAGE. it will actually make your administration easier .

For health Check ups i would suggest to monitor FIle Replication Service logs regularly you can use ULTRASOUND ( microsoft tool-just search in google) to monitor the health of sysvol which actully carries the policies.

Thanks !!!

The new generation of project management tools

With monday.com’s project management tool, you can see what everyone on your team is working in a single glance. Its intuitive dashboards are customizable, so you can create systems that work for you.

LVL 24

Assisted Solution

Awinish earned 500 total points
ID: 34135230
If you are interested in learning GPO, follow the below article.


Few more things which i would like to mention, never apply GPO at site level,the reason is its very difficult to troubleshoot.


You use single password policy applied at domain level or if you have your domain & forest functional level set to windows 2008, you can use fine grained policy for specific groups.


You can use central store to store ADMX instead of ADM file which grows creating new GPO.

LVL 21

Expert Comment

ID: 34135244
added_flavour: Looks like he builds his domain on 2008 R2 so he'll be using DFSR and not FRS. Ultrasound monitors FRS ;)

Assisted Solution

added_flavour earned 248 total points
ID: 34135362
Oh wow !!!

 it would be really nice if he is using functional level 2008 . At least he would be enjoying Remote Differential Client  and several other benefits as No group policy morphing ,DFS Replication is self-healing and can automatically recover from USN journal wraps, USN journal loss, or loss of the DFS Replication database.

However, DFS Replication has its own set of monitoring and diagnostics tools.

There are a number of ways to monitor replication:

DFS Replication has a management pack for System Center Operations Manager 2007 that provides proactive monitoring.

DFS Replication has an in-box diagnostic report for the replication backlog, replication efficiency, and the number of files and folders in a given replication group.

Dfsrdiag.exe is a command-line tool that can generate a backlog count or trigger a propagation test. Both show the state of replication. Propagation shows you if files are being replicated to all nodes. Backlog shows you how many files still need to replicate before two computers are in sync. The backlog count is the number of updates that a replication group member has not processed. On computers running Windows Server 2008 R2, Dfsrdiag.exe can also display the updates that DFS Replication is currently replicating.

Scripts can use WMI to collect backlog information—manually or through MOM /SCOM

PS: These are benefits and Monitoring Suggestions  ;)

@ Snusgubben : thanks for correcting me  ;) cheers !!

Thanks  !!

Author Comment

ID: 34135441
WOW! So manny replies. Thanks guys.
In fact we will be using functional level 2008 and yes I'm really looking forward to the features this provides.

I was actually looking for Group policy settings I must not forget. Like DNS suffix and things like that.

All your replies are very good and I'm looking at the links now.

Thanks a lot


Expert Comment

ID: 34135504

Applying Group Policy actually depends on your requirement. If you need folder redirection you can user folder redirection policy and etc.etc
If you are looking for the reference that what all group policies and setting you can apply then Please download the following reference file and take a look at it :

Group Policy Settings Reference for Windows and Windows Server:


Thanks !!
LVL 24

Assisted Solution

Awinish earned 500 total points
ID: 34135661
The skill required to implement minimum GPO with maximum effect, that's the perfection & expectation from an Expert.

There is loads of new enhancements & features are available in windows 2008 as well as 2008 R2,in order to squeeze max,you require client with Windows 7,so that all the windows GPo feature can be implemented.

There is actually no best practice in implementing or creating GPO,its your skill which makes it simple & lesser, so that even other admin can work w/o much hardwork.

Featured Post

Problems using Powershell and Active Directory?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Sometimes it necessary to set special permissions on user objects.  For instance when using a Blackberry server, the SendAs permission needs to be set. I see many admins struggle with the setting that permission only to see it disappear within a few…
The article explains the process to deploy a Self-Service password reset portal I developed a few years ago. Hopefully, it will prove useful to someone.  Any comments, bug reports etc. are welcome...
This tutorial will walk an individual through the steps necessary to enable the VMware\Hyper-V licensed feature of Backup Exec 2012. In addition, how to add a VMware server and configure a backup job. The first step is to acquire the necessary licen…
Microsoft Active Directory, the widely used IT infrastructure, is known for its high risk of credential theft. The best way to test your Active Directory’s vulnerabilities to pass-the-ticket, pass-the-hash, privilege escalation, and malware attacks …

612 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question