Group Policy Procedure

Discussion in 'Active Directory Exams' started by simongrahamuk, Apr 5, 2007.

  1. simongrahamuk
    Honorary Member

    simongrahamuk Hmmmmmmm?

    Just a general question guys that I'd like your thoughts on:

    What is the best practice for applying Group Policy? Would you implement several small policies, or a single all-encompassing one?

    Some people prefer one method over the other, why?
     
  2. Kitkatninja

    Kitkatninja aka me, myself & I Moderator

    MS actually recommends against using several small policies if a big one will do; this is due to processing time per policy. However, which one you will ultimately use will be down to the way your AD is set up.

    -Ken
     
    Certifications: MSc, PGDip, PGCert, BSc, HNC, LCGI, MBCS CITP, MCP, MCSA, MCSE, MCE, A+, N+, S+, Server+
    WIP: MSc Cyber Security
  3. zcapr17

    zcapr17 Nibble Poster

    Microsoft tend to give out conflicting advice about this issue. Granted, there is a KB article that pretty much says what Ken has said, however, I have talked to several senior MS consultants over the last few years and they now tend to agree that the number of GPOs doesn't make a significant difference. The total number of options set is a far more important factor affecting the processing time, regardless of whether they are in one large GPO or several smaller ones.

    The advantage of smaller GPOs is of course that you can group similar options together and re-use them without having to define the same option over and over again in larger more unwieldy GPOs. This helps enormously with managing your GPOs, especially when making changes and versioning.

    Personally, when I am designing GPOs I try to 'normalise' them in a process not dissimilar to normalising a relational database (i.e. minimise duplication of GPO options that are set and group them into meaningful objects).

    To optimise the performance of GPO processing always disable either the Computer Configuration or User Configuration sections if they're not used, and minimise the use of WMI filtering.

    Interestingly, there is actually a hard limit of 999 GPOs that can be processed by a computer at any one time, but you're likely to have serious problems with your AD before you get anywhere near this! :rolleyes:

    There's an interesting Technet chat about Group Policy here.

    z
     
    Certifications: MCSE:2K3 MCTS:Vista VCPv3 ITILv3 Sec+ L+
    WIP: MCITP Enterprise Admin 2008, CCA
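
Added example, not part of zcapr17's post: a read-only PowerShell audit for the two performance points in the post above (unused Computer or User Configuration sections left enabled, and WMI filters in use). It assumes the GroupPolicy module from RSAT/GPMC is installed; the function name `Get-GpoHygieneReport` is hypothetical, and a section version of 0 is used as a heuristic for "never configured".

```powershell
# Added example: audit GPOs for unused-but-enabled sections and WMI filters.
# Requires the GroupPolicy module (RSAT / Group Policy Management Console).
Import-Module GroupPolicy

function Get-GpoHygieneReport {   # hypothetical helper name
    param(
        # Assumption: defaults to the logged-on user's domain when omitted.
        [string]$Domain = $env:USERDNSDOMAIN
    )

    foreach ($gpo in Get-GPO -All -Domain $Domain) {
        # A section version of 0 means that half of the GPO was never edited.
        # Heuristic only: a half that was edited and later emptied keeps a
        # non-zero version, so it will not be flagged here.
        $computerEmpty = $gpo.Computer.DSVersion -eq 0
        $userEmpty     = $gpo.User.DSVersion -eq 0
        $status        = $gpo.GpoStatus.ToString()

        # GpoStatus names which half is switched off, so derive what is still on.
        $computerEnabled = $status -in 'AllSettingsEnabled', 'UserSettingsDisabled'
        $userEnabled     = $status -in 'AllSettingsEnabled', 'ComputerSettingsDisabled'

        $findings = @()
        if ($computerEmpty -and $computerEnabled) {
            $findings += 'Computer Configuration unused but enabled'
        }
        if ($userEmpty -and $userEnabled) {
            $findings += 'User Configuration unused but enabled'
        }
        if ($gpo.WmiFilter) {
            $findings += "WMI filter: $($gpo.WmiFilter.Name)"
        }

        if ($findings.Count -gt 0) {
            [pscustomobject]@{
                GPO      = $gpo.DisplayName
                Status   = $status
                Findings = $findings -join '; '
            }
        }
    }
}

# Report only; nothing is changed in the domain.
Get-GpoHygieneReport | Sort-Object GPO | Format-Table -AutoSize -Wrap
```

The output is a review list: confirm each flagged section really is empty in GPMC before changing its status.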
  4. Kitkatninja
    That's true. Let's face it: if you have a high-spec server, a Gb LAN and fast clients, will a couple of nanoseconds really make a difference?

    At the end of the day it's down to the individual systems admin/engineer, as they know their network better than anyone :)

    -Ken
     
  5. Modey

    Modey Terabyte Poster

    I should think it would make a BIG difference, yes. Well, if you monitor it over the course of 100 years. That could be a whole 60 seconds of time gained if you had been more efficient. :)
     
    Certifications: A+, N+, MCP, MCDST, MCSA 2K3, MCTS, MOS, MTA, MCT, MCITP:EDST7, MCSA W7, Citrix CCA, ITIL Foundation
    WIP: Nada
  6. Kitkatninja
    D'oh, you're right. It's a good thing we got high-powered laptops to "monitor" the network then, with utils like C&C3 :)

    -Ken
     
  7. Modey

    Exactly! How on earth can you tell if the TCP/IP stack is working, and come to think of it, name resolution is also working unless you can initiate a network game of C&C3 and see it through to the end? It's easily the best network diagnostic tool I have come across for a long time. :)
     
