Group Policy Clean Up

Hey guys, prior to working where I am now we had administrators creating a GP on the fly for a few policies here and a few policies there. To say the least, I would like to be able to merge all of those GPs without breaking something. For example, if I have 12 GPs on the root domain, I would like to consolidate multiple GPs whenever possible. One, what is the best way to do this and two, is there a utility to help with this?
joynereh Asked:

Cliff Galiher Commented:
The "best" way to do what you want is completely arbitrary. The whole design of Active Directory, from sites and services to OUs, from global security groups to universal security groups, and from WMI filters in group policies to loopback processing, was meant to make the system extremely flexible. What works for my network may not even be remotely applicable to yours. But if I were to outline *a* process from a ridiculously generalized point of view, it'd be this:

1) Get your AD infrastructure in order before worrying about reworking group policies.
2) Plan your sites.
3) Plan your OUs. These need to be necessarily unique. In small organizations where a bookkeeper may also be the HR person, OUs by role don't always make sense. So plan your OUs carefully.
4) NOW plan your security groups.
5) Now rework your group policies. Don't merge. Don't convert. Just create new policies, clearly named, using the comments field for further information, and create policies that make sense for each role in the organization, then enforce those policies using OU links, security groups, and WMI filters as necessary...IN THAT ORDER (aka don't add a security group filter where an OU alone enforces the policy required.)

Because of the flexible nature of group policies and inheritance, no, there is no utility to even remotely help automate the process. The best you can get are some that will generate reams of paper showing you what the resulting policy would be for every user, every computer, and audit changes. Which isn't directly helpful for the above process.

-Cliff
 
Brad Bouchard, Information Systems Security Officer, Commented:
Cliff seems to have you on the right track, but I might add my two cents. I would find out the settings that are applied that all users need even if they are in separate GPOs and combine those into one GPO. You obviously won't be able to fit every GPO into one, but you can definitely keep those settings and eliminate excess GPOs.
Question has a verified solution.
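
As an added example (not part of either answer above), the following read-only PowerShell inventory uses the GroupPolicy module's `Get-GPO` and `Get-GPOReport` cmdlets to show where each GPO is linked, whether it holds any settings, and which GPOs share the same link targets and are therefore the ones to compare by hand before building new, clearly named policies. It assumes a machine with the Group Policy Management tools installed; the output file name is a placeholder.

```powershell
# Added example: read-only GPO inventory ahead of a consolidation.
# Requires the GroupPolicy module (installed with the Group Policy Management tools).
Import-Module GroupPolicy

$inventory = foreach ($gpo in Get-GPO -All) {
    # Same XML that GPMC produces when a settings report is saved.
    [xml]$report = Get-GPOReport -Guid $gpo.Id -ReportType Xml

    # Each <LinksTo> element is one site, domain or OU the GPO is linked to.
    $links = @($report.GPO.LinksTo | Where-Object { $_ })
    $paths = $links | ForEach-Object { $_.SOMPath } | Sort-Object

    [pscustomobject]@{
        Name             = $gpo.DisplayName
        Status           = $gpo.GpoStatus
        Modified         = $gpo.ModificationTime
        Comment          = $gpo.Description
        WmiFilter        = if ($gpo.WmiFilter) { $gpo.WmiFilter.Name } else { '' }
        LinkCount        = $links.Count
        LinkedTo         = $paths -join '; '
        # <ExtensionData> is only present when that half of the GPO has settings.
        ComputerSettings = [bool]$report.GPO.Computer.ExtensionData
        UserSettings     = [bool]$report.GPO.User.ExtensionData
    }
}

# Keep a copy to annotate while planning (placeholder file name).
$inventory | Export-Csv -Path .\gpo-inventory.csv -NoTypeInformation

# 1) Unlinked or empty GPOs: review these first, they may simply be retired.
$inventory |
    Where-Object { $_.LinkCount -eq 0 -or -not ($_.ComputerSettings -or $_.UserSettings) } |
    Format-Table Name, Status, LinkCount, ComputerSettings, UserSettings -AutoSize

# 2) GPOs linked to exactly the same containers (for example, several on the
#    domain root): the candidates for one combined, clearly named policy.
$inventory |
    Where-Object { $_.LinkCount -gt 0 } |
    Group-Object LinkedTo |
    Where-Object { $_.Count -gt 1 } |
    ForEach-Object {
        "Linked to: $($_.Name)"
        $_.Group | Format-Table Name, WmiFilter, Modified, Comment -AutoSize
    }
```

GPOs that land in the same group can still differ in security filtering, which this inventory does not read, so compare that before combining anything.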