Solved

What is the best way to apply targeted group policies?

Posted on 2014-09-24
Last Modified: 2014-10-07
How should we deal with Active Directory Group Policy Objects that have limited scope? We have a newly-created, global Active Directory forest that has been built with scalability and ease of management in mind. We started with a global IP addressing change so that all our offices and datacenters can co-exist on the same WAN and have a logical layout so that we can predict what a particular IP address would be simply by knowing the physical location and purpose of the device to which the IP address is assigned. We then built our Active Directory Sites and subnets around this global IP infrastructure. Now it is time to expand our Group Policies a bit and we want to use the same care in planning them as we did in planning our Active Directory environment.

We have decided that at a global level we should create as few policies as possible. ('Global Policy - Users', 'Global Policy - Computers', 'Global Policy - Servers', etc.)

Some settings are not appropriate to be applied globally but work well for sites, such as setting DNS search domain names or mapping printers, so we have some Site GPOs as well.

For managing servers, it is reasonable to control certain things via group policy that are not universally applicable for all servers. The instance that has arisen lately is controlling Remote Desktop Services connection policies for our terminal servers. There are several ways to apply certain policies to only the Terminal Servers. Here are the ones that I have considered:

1. Create sub-OUs, move the Terminal Server computer objects into them and apply GPOs to the sub-OU(s). It seems at first glance to be an effective solution but there are two problems:
   - It adds complexity to the OU structure.
   - Some servers would potentially need to belong to multiple OUs to get all applicable policies, but this is only possible if the OUs are nested.
2. Apply the GPOs universally but use Security Filtering to target specific servers by group membership.
   - This is an elegant solution but it can be difficult to keep track of which policies apply to which server objects.
3. Modify the local Group Policy on every computer that needs the specific policy.
   - This is the preferred method for testing but it isn't scalable nor centrally managed.

I know that there are probably as many opinions as there are A/D engineers, but I'm looking for just that -- your opinion, the logic behind it and examples where you have already implemented your suggested solution.
Question by: Eric Quackenbush

Accepted Solution by: Aaron Tomosky (ID: 40348633)
I'll take a shot at a few suggestions.  

- I just redid my printers using location tracking and it made a big difference. By using the location scheme suggested, it can auto-populate based on Sites and Services location. http://technet.microsoft.com/en-us/library/bb727034.aspx

- Terminal Services (RDS) servers: these really need their own GPO, so they should have their own OU. I'd suggest putting all of them in an OU, or maybe a sub-OU under their location OU. If there is something in an OU above them you can't have, block inheritance and add the ones you want. This way you can easily see what policies apply without getting into security settings.
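Whichever option is chosen, the concern raised in the question (losing track of which security-filtered GPOs reach which server) and the answer's goal of seeing at a glance what applies to a Terminal Server both come down to auditing the OU chain and each GPO's "Apply group policy" trustees. The script below is an added example, not code from the thread; it assumes the RSAT ActiveDirectory and GroupPolicy modules, a domain-joined admin session, and a computer name such as TS01 supplied by the caller. It reads AD only and does not query the server itself, so WMI filters and local policy are not evaluated.

```powershell
# Added example: list the GPOs linked along a server's OU chain and show, for each,
# whether the server's own token (computer SID, group SIDs, well-known identities)
# holds the GpoApply permission that security filtering checks.
Import-Module ActiveDirectory, GroupPolicy

function Get-ServerGpoScope {
    param([Parameter(Mandatory)][string]$ComputerName)   # e.g. TS01 (assumed name)

    $computer = Get-ADComputer -Identity $ComputerName
    # Drop the computer's own RDN to obtain the OU (or container) that holds it.
    $container = ($computer.DistinguishedName -split ',', 2)[1]

    # InheritedGpoLinks is the precedence-ordered list of links from this OU up to the
    # domain, with Block Inheritance and Enforced already honoured (the answer's approach).
    $inheritance = Get-GPInheritance -Target $container

    # SIDs the computer's token carries: itself, its groups, Everyone, Authenticated Users.
    $tokenSids  = @($computer.SID.Value, 'S-1-1-0', 'S-1-5-11')
    $tokenSids += @(Get-ADPrincipalGroupMembership -Identity $computer | ForEach-Object { $_.SID.Value })

    foreach ($link in $inheritance.InheritedGpoLinks) {
        # Trustees holding GpoApply are exactly the GPO's security filter.
        $applyAces = @(Get-GPPermission -Guid $link.GpoId -All |
                       Where-Object { $_.Permission -eq 'GpoApply' })
        $matching  = @($applyAces | Where-Object { $tokenSids -contains $_.Trustee.Sid.Value })

        [pscustomobject]@{
            Computer        = $computer.Name
            Gpo             = $link.DisplayName
            LinkedAt        = $link.Target
            Enforced        = $link.Enforced
            LinkEnabled     = $link.Enabled
            # Filtered to something narrower than Authenticated Users: the case the
            # question calls hard to track, so it is surfaced as its own column.
            FilteredToGroup = ($applyAces.Count -gt 0) -and
                              -not ($applyAces.Trustee.Sid.Value -contains 'S-1-5-11')
            AppliesToHost   = ($matching.Count -gt 0)
            AppliedVia      = ($matching.Trustee.Name -join ', ')
        }
    }
}

# Usage (assumed server name): Get-ServerGpoScope -ComputerName TS01 | Format-Table -AutoSize
```

Run it against each Terminal Server after changing OU placement, Block Inheritance or security filtering; a GPO with AppliesToHost false but LinkEnabled true is either filtered away or missing the group, which is the drift the question wants to catch.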
