LockDown32 asked on

GPO Best Practices

Looking for some "standards" or "Best Practices". I have been told to never edit the Default Domain or Default Controller Policies. Is that really "Best Practices"?

So as a general rule (and I know there are exceptions) most policies should be linked to either the Computer OU or the User OU depending on what the policy does?

Do you try and stay away from writing a new policy for every tiny setting and do something like make a generic "MyCompany Workstation Policy" and "MyCompany User Policy" and keep as many applicable settings in as few polices as possible?
Active Directory

Last Comment: Adam Brown, 8/22/2022 - Mon
Joseph Moody

Most best practices are what works best in your environment. For the single setting vs giant GPO question - see this article: https://technet.microsoft.com/en-us/magazine/2008.01.gpperf.aspx?f=255&MSPPError=-2147217396

My personal best practice tips

1. Always comment everything - future you will be grateful.

2. Enable verbose (highly detailed) status mode to make troubleshooting a bit easier.

Below are two articles on those two tips:

https://deployhappiness.com/group-policy-best-practice-commenting-future/

https://deployhappiness.com/the-one-group-policy-setting-that-you-need-to-enable/
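The two tips above can be applied from PowerShell with the GroupPolicy module (RSAT). This is an added example, not code from the post or the linked articles; the GPO name is an assumption, and the "Display highly detailed status messages" setting is applied through the registry value it maps to (HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\VerboseStatus).

```powershell
# Added example (not from the original post): create a consolidated workstation
# GPO, comment it, and turn on verbose status messages so boot/logon shows
# what Group Policy is doing. Requires the GroupPolicy module (RSAT) and
# rights to create and edit GPOs. The GPO name below is an assumption.
Import-Module GroupPolicy

$gpoName = 'MyCompany Workstation Policy'   # assumed name

# Reuse the GPO if it exists, otherwise create it.
$gpo = Get-GPO -Name $gpoName -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $gpoName
}

# Tip 1: comment the GPO. The Description property is what GPMC shows on the
# GPO's Details tab, so record purpose, owner and change history there.
$gpo.Description = "Baseline for all workstations. Owner: desktop team. " +
                   "$(Get-Date -Format yyyy-MM-dd): enabled verbose status messages."

# Tip 2: 'Display highly detailed status messages'
# (Computer Configuration > Policies > Administrative Templates > System)
# is stored as the VerboseStatus DWORD under the Policies\System key.
$key = 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
Set-GPRegistryValue -Name $gpoName -Key $key `
    -ValueName 'VerboseStatus' -Type DWord -Value 1 | Out-Null

# Verify what the GPO now carries under that key.
Get-GPRegistryValue -Name $gpoName -Key $key |
    Format-Table ValueName, Type, Value -AutoSize
```

Per-setting comments (the Comment tab on an Administrative Template setting in the editor) have no cmdlet; the GPO-level description above is the part that can be scripted.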
LockDown32

ASKER
Thanks Joseph. Interesting reading but I am looking more for how, in general, other admins set up GPOs and where they place them. There seems to be a million different ways to do it and I am just looking for some general guidelines.

No two networks are the same so I know explicit detail won't work. Just looking for the basics.
Joseph Moody

One final performance tip: Always place GPOs closest to the objects they are applying to.
ASKER CERTIFIED SOLUTION
Adam Brown

LockDown32

ASKER
That's what I was looking for acbrown2010. Just some general guidelines. A couple observations/questions:

#2 Don't use computers and users right off the root. The only way to link GPOs to these are right from the domain. I figured that out the hard way :) I made two new OUs called "Employees" and "Workstations". Moved everything to them and link GPOs to them. Is that what you would recommend?

#6 If you have more than one GPO linked to an OU, the last one linked takes precedence? How do you change the order?

Linking to the Domain itself is cheating? Not recommended?
Adam Brown

#2 - That's the best way to handle it, yes.
#6 - There is a method for determining precedence for GPOs. The further away from the OU the GPO is linked, the lower its precedence, unless it is enforced. GPOs linked to the same OU are processed from the last one linked historically. If you are in the GPMC, you can change the processing order by clicking on the OU and changing Link Order. GPOs in that screen are processed from the bottom up, meaning that the GPO at the top of the list is the one whose settings will "win" during conflicts.

Linking to the domain will cause all computers/users in the domain to apply the policies, which isn't usually something you'll want to have happen. So it's usually best to avoid doing so. Smaller environments can get away with doing it, but larger environments with complex OU structures can have a lot of problems with domain linked GPOs.
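The link-order behaviour described in this answer can be inspected and changed with the GroupPolicy module instead of clicking through GPMC. This is an added example, not code from the thread; the OU path and GPO names are assumptions, and it assumes the two GPOs already exist.

```powershell
# Added example (not from the original thread): inspect and change GPO link
# order and enforcement on an OU. OU path and GPO names are assumptions.
Import-Module GroupPolicy

$ou = 'OU=Workstations,DC=corp,DC=example'   # assumed OU

# List this container's own links. Order 1 is the top of GPMC's
# "Linked Group Policy Objects" list: it is processed last and wins conflicts.
function Show-LinkOrder {
    param([string]$Target)
    (Get-GPInheritance -Target $Target).GpoLinks |
        Sort-Object Order |
        Format-Table Order, DisplayName, Enabled, Enforced -AutoSize
}

Show-LinkOrder -Target $ou

# Make the baseline policy the highest-precedence link on this OU.
Set-GPLink -Name 'MyCompany Workstation Policy' -Target $ou -Order 1 | Out-Null

# Put an exceptions policy below it. New-GPLink creates a link,
# Set-GPLink changes an existing one, so check which applies.
$links = (Get-GPInheritance -Target $ou).GpoLinks
if ($links.DisplayName -contains 'Workstation Exceptions') {
    Set-GPLink -Name 'Workstation Exceptions' -Target $ou -Order 2 | Out-Null
} else {
    New-GPLink -Name 'Workstation Exceptions' -Target $ou -Order 2 | Out-Null
}

Show-LinkOrder -Target $ou

# GpoLinks only covers links on this OU. InheritedGpoLinks also includes
# links from parent OUs and the domain, listed in effective precedence,
# which is how you see a domain-linked or Enforced GPO overriding the
# ordering you just set locally.
(Get-GPInheritance -Target $ou).InheritedGpoLinks |
    Format-Table Order, DisplayName, Target, Enforced -AutoSize
```

Because the last column shows the Target of each inherited link, this view is also a quick way to find GPOs linked at the domain root, which the answer recommends avoiding in larger environments.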