GPO best practice advice.

Oh man! Ad-blocking software has been detected! :'(

This website is run by the community, for the community... and it needs advertisements in order to keep running. Blocking our ads means your killing our stats!
Please disable your ad-block, or become a premium member to hide all advertisements and this notice.

I wonder if you can help?

I know people tend to separate user and computer configurations, however, do people separate GPO settings into groups of separate GPOS ie create new

e.g. firewall settings, software rollout, remote access settings, desktop settings etc

or does this create overhead issues for logins and start-ups?

What's the best practice?

 

I prefer to keep things simple so that you have the Default Domain GPO, I then make changes to only things that the Default Domain Policy specified e.g. Password Complexitity Requirements etc.

I then create another GPO that I specify everything else in.

Just a personal thing, some people like to group GPO's together.

 

If you create a policy that only has user settings, then disable the computer part of the gpo, and vice versa. Will speed up the processing of the policy.

 

Yes i already do that one

 

Thanks all

i thought that by breaking things down it would be simple , however, i think it in fact makes thing more complex and slower. I suppose you could to that for planning then merge then together.

Gpo settings within are fairly well categorised anyway.

default domain settings, workstations settings, department specific settings and leave it like that
and then have the different user gpos.

 

i remember asking the Microsoft Server team the same question a long time ago when I was in Reading. They basically said (and I agree) that GPO's have the degree of flexibility to allow administrators to design and control them as they wish, however they did state that if you seperate every setting into different GPO's then it would slow down logging. Using server 2008 I tend to just have main GPO's like Internet Settings, Mapped Drives etc and just add comments in now its available.

Basically do whatever you prefer.

Gareth Jones
Chief Instructor

 

[had to remove]

 

yeah that is what i was thinking, but originally in more basic blocks. I suppose only make these blocks when settings are different between ous but keep them to a minimum

 

Yes that another way of dealing with user settings, thanks