1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

Group Policy Procedure

Discussion in 'Active Directory Exams' started by simongrahamuk, Apr 5, 2007.

  1. simongrahamuk
    Honorary Member

    simongrahamuk Hmmmmmmm?

    6,199
    125
    199
    Just a general question guys that I'd like your thoughts on:

    What is the best practice for applying Group Policy? Would you implement several small policies, or a single all encompasing one?

    Some people prefer one method over the other, why?
     
  2. wagnerk
    Highly Decorated Member Award

    wagnerk aka kitkatninja Moderator

    10,831
    357
    341
    MS actually recommends against using several small policy's if a big one will do, this is due to processing time per policy. However which one you will ultimately use will be down to the way your AD is set up.

    -Ken
     
    Certifications: CITP, PGCert, BSc, HNC, LCGI, PTLLS, MCT, MCITP, MCTS, MCSE, MCSA:M, MCSA, MCDST, MCP, MTA, MCAS, MOS (Master), A+, N+, S+, ACA, VCA, etc... & 2nd Degree Black Belt
    WIP: PGDip
  3. zcapr17

    zcapr17 Nibble Poster

    64
    8
    34
    Microsoft tend to give out conflicting advice about this issue. Granted, there is a KB article that pretty much says what Ken has said, however, I have talked to several senior MS consultants over the last few years and they now tend to agree that the number of GPOs doesn't make a significant difference. The total number of options set is a far more important factor affecting the processing time, regardless of whether they are in one large GPO or several smaller ones.

    The advantage of smaller GPOs is of course that you can group similar options together and re-use them without having to define the same option over and over again in larger more unwieldy GPOs. This helps enormously with managing your GPOs, especially when making changes and versioning.

    Personally, when I am designing GPOs I try to 'normalise' them in a process not dissimilar to normalising a relational database (i.e. minimise duplication of GPO options that are set and group them into meaningful objects).

    To optimise the performance of GPO processing always disable either the Computer Configuration or User Configuration sections if they're not used, and minimise the use of WMI filtering.

    Interestingly, there is actually a hard limit of 999 GPOs that can be processed by a computer at any one time, but you're likely to have serious problems with your AD before you get anywhere near this!:rolleyes:

    There's an interesting Technet chat about Group Policy here.

    z
     
    Certifications: MCSE:2K3 MCTS:Vista VCPv3 ITILv3 Sec+ L+
    WIP: MCITP Enterprise Admin 2008, CCA
  4. wagnerk
    Highly Decorated Member Award

    wagnerk aka kitkatninja Moderator

    10,831
    357
    341
    That's true, let's face it if you have a high spec server, a gb lan and fast clients. Will a couple of nano seconds really make a difference?

    At the end of the day it's down to the individual system's admin/engineer as they know their network better than anyone :)

    -Ken
     
    Certifications: CITP, PGCert, BSc, HNC, LCGI, PTLLS, MCT, MCITP, MCTS, MCSE, MCSA:M, MCSA, MCDST, MCP, MTA, MCAS, MOS (Master), A+, N+, S+, ACA, VCA, etc... & 2nd Degree Black Belt
    WIP: PGDip
  5. Modey

    Modey Terabyte Poster

    2,397
    99
    154
    I should think it would make a BIG difference yes. Well if you monitor it over the course of 100 years. That could be a whole 60 seconds of time gained if you had been more efficient. :)
     
    Certifications: A+, N+, MCP, MCDST, MCSA 2K3, MCTS, MOS, MTA, MCT, MCITP:EDST7, MCSA W7, Citrix CCA, ITIL Foundation
    WIP: Nada
  6. wagnerk
    Highly Decorated Member Award

    wagnerk aka kitkatninja Moderator

    10,831
    357
    341
    D'oh you're right. It's a good thing we got high powered laptop's to "monitor" the network then, with utils like C&C3 :)

    -Ken
     
    Certifications: CITP, PGCert, BSc, HNC, LCGI, PTLLS, MCT, MCITP, MCTS, MCSE, MCSA:M, MCSA, MCDST, MCP, MTA, MCAS, MOS (Master), A+, N+, S+, ACA, VCA, etc... & 2nd Degree Black Belt
    WIP: PGDip
  7. Modey

    Modey Terabyte Poster

    2,397
    99
    154
    Exactly! How on earth can you tell if the TCP/IP stack is working, and come to think of it, name resolution is also working unless you can initiate a network game of C&C3 and see it through to the end? It's easily the best network diagnostic tool I have come across for a long time. :)
     
    Certifications: A+, N+, MCP, MCDST, MCSA 2K3, MCTS, MOS, MTA, MCT, MCITP:EDST7, MCSA W7, Citrix CCA, ITIL Foundation
    WIP: Nada

Share This Page

Loading...