Basic Group Policy Setup Recommendation

Posted on 2010-11-15
Last Modified: 2012-05-10
Hi Guys

I'm just setting up a completely new Domain and was wondering how I should start with the Group Policies.
Which Group Policies should I definitely use, and how should I separate them? What is best practice?

Obviously I need a password policy, a redirected folders policy and stuff like that. What else can you think of?

Thanks in advance.
Question by:Dan-IT
LVL 21

Accepted Solution

snusgubben earned 63 total points
ID: 34135161
You should not customize the Default Domain Policy and Default Domain Controller Policy. Leave them as they are.

Create new GPOs with informative names that describe what their intention is.

e.g. GPO-FolderRedirection (where you define folder redirection)
e.g. GPO-SetHomePage (where you define the IE homepage)

Regarding password policy, here is a good description:

If you don't have many GPOs you could separate User GPOs from Computer GPOs.

If you have multiple domain controllers, you could configure the time with a GPO:

Take regular backups of your GPO:
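
The naming, user/computer separation and backup advice in the answer above, as an added PowerShell example that is not part of the original post. It uses the GroupPolicy module cmdlets that ship with Windows Server 2008 R2; the `example.test` domain, the OU paths, the `GPO-TimeSync` name and the `D:\GPO-Backups` folder are assumed placeholders.

```powershell
# Added example: purpose-named GPOs, one settings side each, plus a dated backup.
# Assumptions: example.test, the OUs, GPO-TimeSync and D:\GPO-Backups are placeholders.
Import-Module GroupPolicy

$gpos = @(
    @{ Name = 'GPO-FolderRedirection'; Side = 'User';     Target = 'OU=Staff,DC=example,DC=test' },
    @{ Name = 'GPO-SetHomePage';       Side = 'User';     Target = 'OU=Staff,DC=example,DC=test' },
    @{ Name = 'GPO-TimeSync';          Side = 'Computer'; Target = 'OU=Domain Controllers,DC=example,DC=test' }
)

foreach ($g in $gpos) {
    try {
        # Re-running the script must not create duplicates or extra links.
        $gpo = Get-GPO -Name $g.Name -ErrorAction Stop
    }
    catch {
        $gpo = New-GPO -Name $g.Name -Comment "$($g.Side) settings only; owner: AD team"
        New-GPLink -Guid $gpo.Id -Target $g.Target -LinkEnabled Yes | Out-Null
    }

    # Disable the half of the GPO that is not used, so a stray setting on the
    # wrong side can never apply and clients skip processing it.
    if ($g.Side -eq 'User') { $gpo.GpoStatus = 'ComputerSettingsDisabled' }
    else                    { $gpo.GpoStatus = 'UserSettingsDisabled' }
}

# Dated backup of every GPO in the domain, including the two default policies.
$dest = Join-Path 'D:\GPO-Backups' (Get-Date -Format 'yyyy-MM-dd')
New-Item -ItemType Directory -Path $dest -Force | Out-Null

Backup-GPO -All -Path $dest -Comment "Backup $(Get-Date -Format s)" |
    Select-Object DisplayName, Id, BackupDirectory

# A GPO backup does not contain the links (they live on the OU/domain objects)
# or WMI filters, so keep a readable report of where each GPO is linked.
Get-GPOReport -All -ReportType Html -Path (Join-Path $dest 'AllGPOs.html')
```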

LVL 21

Expert Comment

ID: 34135169
Since you have 2008 R2 you could use Group Policy Preferences to, e.g., map network drives, printers etc.

Expert Comment

ID: 34135198

I totally agree with SAGE here. The Default Domain and Default Domain Controllers policies will be there in your domain as soon as you promote the first domain controller in the domain, and they will be applying most of the group policies automatically, like your password policy and a few security policies as well.

In order to change the password policy you have to change it on the Default Domain Policy, until and unless you have multiple password policies in your domain, like in 2008 functional level domains.

You should not create new group policies unless it's required. I would suggest giving every policy a good reference name, as suggested by SAGE. It will actually make your administration easier.

For health check-ups I would suggest monitoring the File Replication Service logs regularly. You can use ULTRASOUND (Microsoft tool, just search in Google) to monitor the health of SYSVOL, which actually carries the policies.

Thanks !!!


LVL 24

Assisted Solution

Awinish earned 125 total points
ID: 34135230
If you are interested in learning GPO, follow the below article.

A few more things which I would like to mention: never apply a GPO at site level, the reason being it's very difficult to troubleshoot.

You use a single password policy applied at domain level or, if you have your domain & forest functional level set to Windows 2008, you can use fine-grained policies for specific groups.

You can use a central store to store ADMX files instead of ADM files, which grow when creating new GPOs.
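
The "single domain policy, or fine-grained policy for specific groups" choice described in the answer above, as an added PowerShell example that is not part of the original post. It uses the ActiveDirectory module cmdlets from Windows Server 2008 R2; the PSO name, the choice of `Domain Admins` as target and every numeric value are illustrative assumptions.

```powershell
# Added example: inspect the domain-wide policy, then add a stricter
# fine-grained password policy (PSO) for one group.
# Assumptions: PSO name, target group and all values are illustrative only.
Import-Module ActiveDirectory

# 1. The one policy every account gets unless a PSO overrides it.
Get-ADDefaultDomainPasswordPolicy |
    Select-Object MinPasswordLength, PasswordHistoryCount, MaxPasswordAge,
                  ComplexityEnabled, LockoutThreshold, ReversibleEncryptionEnabled

# 2. PSOs need domain functional level 2008 or higher.
$mode = "$((Get-ADDomain).DomainMode)"
if ($mode -eq 'Windows2000Domain' -or $mode -like 'Windows2003*') {
    throw "Domain functional level is $mode; fine-grained policies are unavailable."
}

# 3. Stricter policy for privileged accounts. Lower precedence number wins when
#    a user is covered by several PSOs.
$psoName = 'PSO-PrivilegedAccounts'
New-ADFineGrainedPasswordPolicy -Name $psoName -Precedence 10 `
    -MinPasswordLength 15 -PasswordHistoryCount 24 -ComplexityEnabled $true `
    -ReversibleEncryptionEnabled $false `
    -MinPasswordAge '1.00:00:00' -MaxPasswordAge '90.00:00:00' `
    -LockoutThreshold 5 -LockoutObservationWindow '0.00:15:00' `
    -LockoutDuration '0.00:30:00'

# PSOs attach to users or global security groups, not to OUs or GPO links.
Add-ADFineGrainedPasswordPolicySubject -Identity $psoName -Subjects 'Domain Admins'

# 4. Verify what each member actually receives (no result = domain default).
Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
    Where-Object { $_.objectClass -eq 'user' } |
    ForEach-Object {
        $pso     = Get-ADUserResultantPasswordPolicy -Identity $_.SamAccountName
        $applied = '(domain default)'
        if ($pso) { $applied = $pso.Name }
        New-Object PSObject -Property @{ User = $_.SamAccountName; AppliedPolicy = $applied }
    }
```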

LVL 21

Expert Comment

ID: 34135244
added_flavour: Looks like he builds his domain on 2008 R2 so he'll be using DFSR and not FRS. Ultrasound monitors FRS ;)

Assisted Solution

added_flavour earned 62 total points
ID: 34135362
Oh wow!!!

It would be really nice if he is using functional level 2008. At least he would be enjoying Remote Differential Client and several other benefits, such as no group policy morphing, and DFS Replication is self-healing and can automatically recover from USN journal wraps, USN journal loss, or loss of the DFS Replication database.

However, DFS Replication has its own set of monitoring and diagnostics tools.

There are a number of ways to monitor replication:

DFS Replication has a management pack for System Center Operations Manager 2007 that provides proactive monitoring.

DFS Replication has an in-box diagnostic report for the replication backlog, replication efficiency, and the number of files and folders in a given replication group.

Dfsrdiag.exe is a command-line tool that can generate a backlog count or trigger a propagation test. Both show the state of replication. Propagation shows you if files are being replicated to all nodes. Backlog shows you how many files still need to replicate before two computers are in sync. The backlog count is the number of updates that a replication group member has not processed. On computers running Windows Server 2008 R2, Dfsrdiag.exe can also display the updates that DFS Replication is currently replicating.

Scripts can use WMI to collect backlog information—manually or through MOM /SCOM

PS: These are benefits and monitoring suggestions ;)

@Snusgubben: thanks for correcting me ;) cheers!!

Thanks!!
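
The Dfsrdiag.exe backlog check mentioned in the post above, applied to SYSVOL, as an added PowerShell example that is not part of the original post. It assumes SYSVOL is replicated by DFSR under the default replication group "Domain System Volume" and folder "SYSVOL Share"; the output strings matched by the regexes and the threshold of 10 are assumptions to adjust for your environment.

```powershell
# Added example: SYSVOL backlog between every ordered pair of domain controllers.
# Assumptions: default DFSR SYSVOL group/folder names, dfsrdiag.exe on the path,
# the matched output strings, and a warning threshold of 10 files.
Import-Module ActiveDirectory

$threshold = 10
$dcs = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName

$results = foreach ($src in $dcs) {
    foreach ($dst in $dcs) {
        if ($src -eq $dst) { continue }

        $dfsrArgs = @('backlog',
                      '/rgname:Domain System Volume',
                      '/rfname:SYSVOL Share',
                      "/smem:$src", "/rmem:$dst")
        $out = (& dfsrdiag.exe $dfsrArgs 2>&1 | Out-String)

        # Backlog = updates the receiving member has not processed yet.
        if ($out -match 'Backlog File Count:\s*(\d+)') {
            $count = [int]$Matches[1]
        }
        elseif ($out -match 'No Backlog') {
            $count = 0
        }
        else {
            $count = $null   # tool failed or DC unreachable; treat as a finding
        }

        $state = 'OK'
        if ($count -eq $null)           { $state = 'UNKNOWN' }
        elseif ($count -gt $threshold)  { $state = 'BACKLOG' }

        New-Object PSObject -Property @{
            Sending = $src; Receiving = $dst; Backlog = $count; State = $state
        }
    }
}

$results | Sort-Object State, Sending | Format-Table Sending, Receiving, Backlog, State -AutoSize

# A DC that stays in BACKLOG or UNKNOWN is serving stale or partial GPOs,
# so security settings changed elsewhere are not being applied from it.
if ($results | Where-Object { $_.State -ne 'OK' }) { exit 1 }
```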

Author Comment

ID: 34135441
WOW! So many replies. Thanks guys.
In fact we will be using functional level 2008 and yes I'm really looking forward to the features this provides.

I was actually looking for Group policy settings I must not forget. Like DNS suffix and things like that.

All your replies are very good and I'm looking at the links now.

Thanks a lot


Expert Comment

ID: 34135504

Applying Group Policy actually depends on your requirements. If you need folder redirection you can use a folder redirection policy, etc.
If you are looking for a reference of all the group policies and settings you can apply, then please download the following reference file and take a look at it:

Group Policy Settings Reference for Windows and Windows Server:

Thanks !!
LVL 24

Assisted Solution

Awinish earned 125 total points
ID: 34135661
The skill required to implement the minimum of GPOs with maximum effect, that's the perfection & expectation from an Expert.

There are loads of new enhancements & features available in Windows 2008 as well as 2008 R2; in order to squeeze the max out of them, you require clients with Windows 7, so that all the Windows GPO features can be implemented.

There is actually no best practice in implementing or creating GPOs; it's your skill which makes it simple & lesser, so that even other admins can work w/o much hard work.
