Solved

Group Policy Clean Up

Posted on 2014-03-12
2
254 Views
Last Modified: 2014-03-20
Hey guys, prior to working where I am now we had administrators creating a GP on the fly for a few policy here and a few policy's there.  To say the least, I would like to be about to merge all of those GPs without breaking something.  For example, if I have 12 GPs on the root domain, I would like to consolidate multiple GPs whenever possible.  One, what is the best way to do this and two, is there a utility to help with this?
0
Comment
Question by:joynereh
2 Comments
 
LVL 56

Accepted Solution

by:
Cliff Galiher earned 125 total points
Comment Utility
The "best" way to do what you want is completely arbitrary. The whole design of active directory, from sites and services to OUs, from global security groups to universal security groups, and from WMI filters in group policies to loopback processing, was meant to make the system extremely flexible. What works for my network may not even be remotely applicable to yours.  But if  I were to outline *a* process from a ridiculously generalized point of view, it'd be this:

1) Get your AD infrastructure in order before worrying about reworking group policies.
2) Plan your sites.
3) Plan your OUs. These need to be necessarily unique. In small organizations where a bookkeeper may also be the HR person, OUs by role don't always make sense. So plan your OUs carefully.
4) NOW plan your security groups.
5) Now rework your group policies. Don't merge. Don't convert. Just create new policies, clearly named, using the comments field for further information, and create policies that make sense for each role in the organization, then enforce those policies using OU links, security groups, and WMI filters as necessary...IN THAT ORDER (aka don't add a security group filter where an OU alone enforces the policy required.)

Because of the flexible nature of group policies and inheritance, no there is no utility to even remotely help automate the process. The best you can get are some that will generate reams of papers showing you what the resulting policy would be for every user, every computer, and audit changes. Which isn't directly helpful for the above process.

-Cliff
0
 
LVL 17

Assisted Solution

by:Brad Bouchard
Brad Bouchard earned 125 total points
Comment Utility
Cliff seems to have you on the right trick, but I might add my two cents.  I would find out the settings that are applied that all users need even if they are in separate GPOs and combine those into one GPO.  You obviously won't be able to fit every GPO into one, but you can definitely keep those settings and eliminate excess GPOs.
0

Featured Post

IT, Stop Being Called Into Every Meeting

Highfive is so simple that setting up every meeting room takes just minutes and every employee will be able to start or join a call from any room with ease. Never be called into a meeting just to get it started again. This is how video conferencing should work!

Join & Write a Comment

Suggested Solutions

My GPO's made for 2008 R2 servers were not allowing me to RDP into a new 2012 server by default.  That’s why I tried to allow RDP via Powershell, because I could log into a remote shell without further configuration. Below I will describe how I wen…
Sometimes drives fill up and we don't know why.  If you don't understand the best way to use the tools available, you may end up being stumped as to why your drive says it's not full when you have no space left!  Here's how you can find out...
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles from a Windows Server 2008 domain controller to a Windows Server 2012 domain controlle…
This tutorial will walk an individual through the process of installing of Data Protection Manager on a server running Windows Server 2012 R2, including the prerequisites. Microsoft .Net 3.5 is required. To install this feature, go to Server Manager…

772 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

9 Experts available now in Live!

Get 1:1 Help Now