Avatar of LockDown32
Flag for United States of America asked on

GPO Best Practices

Looking for some "standards" or "Best Practices". I have been told to never edit the Default Domain or Default Controller Policies. Is that really "Best Practices"?

So as a general rule (and I know there are exceptions) most policies should be linked to either the Computer OU or the User OU depending on what the policy does?

Do you try and stay away from writing a new policy for every tiny setting and do something like make a generic "MyCompany Workstation Policy" and "MyCompany User Policy" and keep as many applicable settings in as few polices as possible?
Active Directory

Avatar of undefined
Last Comment
Adam Brown

8/22/2022 - Mon
Joseph Moody

Most best practices are what works best in your environment. For the single setting vs giant GPO question - see this article: https://technet.microsoft.com/en-us/magazine/2008.01.gpperf.aspx?f=255&MSPPError=-2147217396

My personal best practice tips

1.  Always comment everything - future you will be grateful

2. enable verbose (highly detailed) status mode to make troubleshooting a bit easier.

Below are two articles on those two tips:



Thanks Joseph. Interesting reading but I am looking more for how, in general, other admins set up GPOs and where they place them. There seems to be a million different ways to do it and I am just looking for some general guidelines.

No two networks are the same so I know explicit detail won't work. Just looking for the basics.
Joseph Moody

One final performance tip: Always place GPOs closet to the objects they are applying to.
Experts Exchange has (a) saved my job multiple times, (b) saved me hours, days, and even weeks of work, and often (c) makes me look like a superhero! This place is MAGIC!
Walt Forbes
Adam Brown

View this solution by signing up for a free trial.
Members can start a 7-Day free trial and enjoy unlimited access to the platform.
See Pricing Options
Start Free Trial
Ask your own question & get feedback from real experts
Find out why thousands trust the EE community with their toughest problems.

That's what I was looking for acbrown2010. Just some general guidelines. A couple observations/questions:

#2 Don't use computers and users right off the root. The only way to link GPOs to these are right from the domain. I figured that out the hard way :) I made two new OUs called "Employees" and "Workstations". Moved everything to them and link GPOs to them. Is that what you would recommend?

#6 If you have more than on GPO linked to an OU the last one linked takes precedence? How do you change the order?

Linking to the Domain itself is cheating? Not recommended?
Adam Brown

#2 - That's the best way to handle it, yes.
#6 - There is a method for determining precedence for GPOs. The further away from the OU the GPO is linked, the lower its precedence, unless it is enforced. GPOs linked to the same OU are processed from the last one linked historically. If you are in the GPMC, you can change the processing order by clicking on the OU and changing Link Order. GPOs in that screen are processed from the bottom up, meaning that the GPO at the top of the list is the one whose settings will "win" during conflicts.

Linking to the domain will cause all computers/users in the domain to apply the policies, which isn't usually something you'll want to have happen. So it's usually best to avoid doing so. Smaller environments can get away with doing it, but larger environments with complex OU structures can have a lot of problems with domain linked GPOs.