Solved

Group Policy Clean Up

Posted on 2014-03-12
255 Views
Last Modified: 2014-03-20
Hey guys, prior to working where I am now we had administrators creating a GP on the fly for a few policies here and a few policies there.  To say the least, I would like to be able to merge all of those GPs without breaking something.  For example, if I have 12 GPs on the root domain, I would like to consolidate multiple GPs whenever possible.  One, what is the best way to do this and two, is there a utility to help with this?
Question by:joynereh
2 Comments
 
LVL 56

Accepted Solution

by:
Cliff Galiher earned 125 total points
ID: 39924808
The "best" way to do what you want is completely arbitrary. The whole design of Active Directory, from sites and services to OUs, from global security groups to universal security groups, and from WMI filters in group policies to loopback processing, was meant to make the system extremely flexible. What works for my network may not even be remotely applicable to yours.  But if I were to outline *a* process from a ridiculously generalized point of view, it'd be this:

1) Get your AD infrastructure in order before worrying about reworking group policies.
2) Plan your sites.
3) Plan your OUs. These need to be necessarily unique. In small organizations where a bookkeeper may also be the HR person, OUs by role don't always make sense. So plan your OUs carefully.
4) NOW plan your security groups.
5) Now rework your group policies. Don't merge. Don't convert. Just create new policies, clearly named, using the comments field for further information, and create policies that make sense for each role in the organization, then enforce those policies using OU links, security groups, and WMI filters as necessary...IN THAT ORDER (aka don't add a security group filter where an OU alone enforces the policy required.)

Because of the flexible nature of group policies and inheritance, no, there is no utility to even remotely help automate the process. The best you can get are some that will generate reams of paper showing you what the resulting policy would be for every user, every computer, and audit changes. Which isn't directly helpful for the above process.

-Cliff
 
LVL 17

Assisted Solution

by:Brad Bouchard
Brad Bouchard earned 125 total points
ID: 39927564
Cliff seems to have you on the right track, but I might add my two cents.  I would find out the settings that are applied that all users need even if they are in separate GPOs and combine those into one GPO.  You obviously won't be able to fit every GPO into one, but you can definitely keep those settings and eliminate excess GPOs.
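An added example, not part of either answer above: a read-only PowerShell inventory that lists Administrative Template settings defined in more than one GPO and GPOs that are linked nowhere, as a starting point for the review both answers describe. It assumes the GroupPolicy module (RSAT/GPMC) and read access to every GPO; it compares only the Enabled/Disabled state of `<Policy>` entries in the XML report, not option values or other extensions such as security settings and preferences.

```powershell
# Added example: read-only inventory; it changes no GPO.
# Assumes the GroupPolicy module (RSAT/GPMC) and read access to all GPOs.
Import-Module GroupPolicy

$unlinked = @()
$settings = foreach ($gpo in Get-GPO -All) {
    # Get-GPOReport returns the report as one XML string
    [xml]$report = Get-GPOReport -Guid $gpo.Id -ReportType Xml

    # local-name() keeps the XPath independent of the report's namespace prefixes
    $links = @($report.SelectNodes("/*/*[local-name()='LinksTo']"))
    if ($links.Count -eq 0) { $unlinked += $gpo.DisplayName }

    foreach ($side in 'Computer', 'User') {
        # Administrative Template settings are reported as <Policy> elements
        $xpath = "/*/*[local-name()='$side']//*[local-name()='Policy']"
        foreach ($p in $report.SelectNodes($xpath)) {
            $name  = $p.SelectSingleNode("*[local-name()='Name']")
            $state = $p.SelectSingleNode("*[local-name()='State']")
            if ($name) {
                [pscustomobject]@{
                    Gpo     = $gpo.DisplayName
                    Side    = $side
                    Setting = $name.InnerText
                    State   = if ($state) { $state.InnerText } else { '' }
                    Linked  = $links.Count -gt 0
                }
            }
        }
    }
}

# Settings defined in more than one GPO: review these first when consolidating
$overlap = $settings | Group-Object Side, Setting | ForEach-Object {
    $gpos = @($_.Group.Gpo | Sort-Object -Unique)
    if ($gpos.Count -gt 1) {
        [pscustomobject]@{
            Side     = $_.Group[0].Side
            Setting  = $_.Group[0].Setting
            Gpos     = $gpos -join '; '
            # Differing states: GPO precedence currently decides the effective value
            Conflict = @($_.Group.State | Sort-Object -Unique).Count -gt 1
        }
    }
}

$overlap | Sort-Object Conflict -Descending | Format-Table -AutoSize -Wrap
"GPOs with no links: $($unlinked -join ', ')"
```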

Question has a verified solution.
