Solved

Group Policy Clean Up

Posted on 2014-03-12
2
258 Views
Last Modified: 2014-03-20
Hey guys, prior to working where I am now we had administrators creating a GP on the fly for a few policy here and a few policy's there.  To say the least, I would like to be about to merge all of those GPs without breaking something.  For example, if I have 12 GPs on the root domain, I would like to consolidate multiple GPs whenever possible.  One, what is the best way to do this and two, is there a utility to help with this?
0
Comment
Question by:joynereh
2 Comments
 
LVL 57

Accepted Solution

by:
Cliff Galiher earned 125 total points
ID: 39924808
The "best" way to do what you want is completely arbitrary. The whole design of active directory, from sites and services to OUs, from global security groups to universal security groups, and from WMI filters in group policies to loopback processing, was meant to make the system extremely flexible. What works for my network may not even be remotely applicable to yours.  But if  I were to outline *a* process from a ridiculously generalized point of view, it'd be this:

1) Get your AD infrastructure in order before worrying about reworking group policies.
2) Plan your sites.
3) Plan your OUs. These need to be necessarily unique. In small organizations where a bookkeeper may also be the HR person, OUs by role don't always make sense. So plan your OUs carefully.
4) NOW plan your security groups.
5) Now rework your group policies. Don't merge. Don't convert. Just create new policies, clearly named, using the comments field for further information, and create policies that make sense for each role in the organization, then enforce those policies using OU links, security groups, and WMI filters as necessary...IN THAT ORDER (aka don't add a security group filter where an OU alone enforces the policy required.)

Because of the flexible nature of group policies and inheritance, no there is no utility to even remotely help automate the process. The best you can get are some that will generate reams of papers showing you what the resulting policy would be for every user, every computer, and audit changes. Which isn't directly helpful for the above process.

-Cliff
0
 
LVL 17

Assisted Solution

by:Brad Bouchard
Brad Bouchard earned 125 total points
ID: 39927564
Cliff seems to have you on the right trick, but I might add my two cents.  I would find out the settings that are applied that all users need even if they are in separate GPOs and combine those into one GPO.  You obviously won't be able to fit every GPO into one, but you can definitely keep those settings and eliminate excess GPOs.
0

Featured Post

Netscaler Common Configuration How To guides

If you use NetScaler you will want to see these guides. The NetScaler How To Guides show administrators how to get NetScaler up and configured by providing instructions for common scenarios and some not so common ones.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

The reason that corporations and businesses use Windows servers is because it supports custom modifications to adapt to the business and what it needs. Most individual users won’t need such powerful options. Here I’ll explain how you can enable Wind…
The recent Microsoft changes on update philosophy for Windows pre-10 and their impact on existing WSUS implementations.
In this Micro Tutorial viewers will learn how to use Windows Server Backup to create full image of their system. Tutorial shows how to install Windows Server Backup Feature on Windows 2012R2 and how to configure scheduled Bare Metal Recovery backup.…
This tutorial will walk an individual through the process of configuring their Windows Server 2012 domain controller to synchronize its time with a trusted, external resource. Use Google, Bing, or other preferred search engine to locate trusted NTP …

821 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question