Want to protect your cyber security and still get fast solutions? Ask a secure question today.Go Premium

x
?
Solved

Group Policy Clean Up

Posted on 2014-03-12
2
Medium Priority
?
267 Views
Last Modified: 2014-03-20
Hey guys, prior to working where I am now we had administrators creating a GP on the fly for a few policy here and a few policy's there.  To say the least, I would like to be about to merge all of those GPs without breaking something.  For example, if I have 12 GPs on the root domain, I would like to consolidate multiple GPs whenever possible.  One, what is the best way to do this and two, is there a utility to help with this?
0
Comment
Question by:joynereh
2 Comments
 
LVL 60

Accepted Solution

by:
Cliff Galiher earned 500 total points
ID: 39924808
The "best" way to do what you want is completely arbitrary. The whole design of active directory, from sites and services to OUs, from global security groups to universal security groups, and from WMI filters in group policies to loopback processing, was meant to make the system extremely flexible. What works for my network may not even be remotely applicable to yours.  But if  I were to outline *a* process from a ridiculously generalized point of view, it'd be this:

1) Get your AD infrastructure in order before worrying about reworking group policies.
2) Plan your sites.
3) Plan your OUs. These need to be necessarily unique. In small organizations where a bookkeeper may also be the HR person, OUs by role don't always make sense. So plan your OUs carefully.
4) NOW plan your security groups.
5) Now rework your group policies. Don't merge. Don't convert. Just create new policies, clearly named, using the comments field for further information, and create policies that make sense for each role in the organization, then enforce those policies using OU links, security groups, and WMI filters as necessary...IN THAT ORDER (aka don't add a security group filter where an OU alone enforces the policy required.)

Because of the flexible nature of group policies and inheritance, no there is no utility to even remotely help automate the process. The best you can get are some that will generate reams of papers showing you what the resulting policy would be for every user, every computer, and audit changes. Which isn't directly helpful for the above process.

-Cliff
0
 
LVL 17

Assisted Solution

by:Brad Bouchard
Brad Bouchard earned 500 total points
ID: 39927564
Cliff seems to have you on the right trick, but I might add my two cents.  I would find out the settings that are applied that all users need even if they are in separate GPOs and combine those into one GPO.  You obviously won't be able to fit every GPO into one, but you can definitely keep those settings and eliminate excess GPOs.
0

Featured Post

Get expert help—faster!

Need expert help—fast? Use the Help Bell for personalized assistance getting answers to your important questions.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

The article will show you how you can maintain a simple logfile of all Startup and Shutdown events on Windows servers and desktops with PowerShell. The script can be easily adapted into doing more like gracefully silencing/updating your monitoring s…
OfficeMate Freezes on login or does not load after login credentials are input.
In this Micro Tutorial viewers will learn how they can get their files copied out from their unbootable system without need to use recovery services. As an example non-bootable Windows 2012R2 installation is used which has boot problems.
This tutorial will walk an individual through the process of installing the necessary services and then configuring a Windows Server 2012 system as an iSCSI target. To install the necessary roles, go to Server Manager, and select Add Roles and Featu…
Suggested Courses

577 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question