Group Policy Design Guidelines – Part 2

In my previous article, Best Practice: Active Directory Structure Guidelines – Part 1, I spoke about some of the guidelines I personally use when developing an Active Directory OU structure. In this next part I will discuss some guidelines I use when designing a Group Policy Object infrastructure. Ideally you should make the Active Directory OU and GPO design decisions together, to best ensure that you have the most efficient design possible. However, if you already have an OU structure in place, a lot of these guidelines can still be applied to most existing environments. As in Part 1, these are simply guidelines that I use and should not be taken as hard and fast rules. I quite often find myself having to break them due to real world conflicts, or just because one rule conflicts with another. If you do find yourself in a situation where you are not sure which path to take, try to choose the option that will result in the least administrative effort in the long term.

Keep the GPO's name consistent with the OU names.

When naming the GPO, try to keep the name of the policy the same as the concatenated names of all the OUs to which the group policy object is applied. Having the fully concatenated name makes it immediately obvious where that policy is applied, just from looking at the GPO name. This is very handy when looking at a Group Policy Results report, which only gives you the name of the GPO without the linked OU details. In keeping with having names consistent, this also means you should adhere to the same naming conventions as mentioned in Part 1 for the OUs (i.
I KNOW IT'S A POLICY!!!! I AM LOOKING AT IT IN THE GROUP POLICY MANAGEMENT CONSOLE.

Please drop the word "policy" or "GPO" from the name of the Group Policy object, as you are simply adding more characters to what might already be a long name, only for the sake of pointing out the obvious. I also realise that the two GPOs that come with AD are called "Default Domain Policy" and "Default Domain Controllers Policy", which goes against this rule. But this would have to be the only exception to this rule that I would be happy to let through.

Ideally you should configure your Terminal Servers to be as close as possible to your workstations, to provide your users with a consistent experience. The best way to make sure the configuration is consistent is to apply the same policy settings to the Terminal Servers as to your workstations. That being said, don't apply the same computer Group Policy Object to the Terminal Servers, if for no other reason than it reduces the risk of a change made for the workstations affecting the stability of the servers (e.g. the Automatic Update reboot schedule).
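The two naming rules above can be checked mechanically. The following is an added example written for this page, not code from the original article: it walks every OU, compares each linked GPO's name with the concatenated OU path, and flags names that contain "Policy" or "GPO" (the two default GPOs excepted). It assumes the RSAT GroupPolicy and ActiveDirectory PowerShell modules are installed and that the account can read GPOs and OUs in the domain; the concatenated-name format (parent to child, space separated) is an assumption, adjust it to the convention you chose in Part 1.

```powershell
# Added example (not from the original article): audit GPO link names against the
# "match the OU names" and "no Policy/GPO in the name" guidelines.
# Assumes: RSAT GroupPolicy + ActiveDirectory modules, read access to GPOs and OUs.
Import-Module GroupPolicy
Import-Module ActiveDirectory

function Get-OuConcatenatedName {
    # Turn "OU=Desktops,OU=Workstations,DC=corp,DC=example" into "Workstations Desktops".
    # (Assumed format: parent OU first, child OU last, separated by spaces.)
    param([Parameter(Mandatory)][string]$DistinguishedName)
    # Split on commas that are not escaped with a backslash, keep only OU components.
    $parts = @($DistinguishedName -split '(?<!\\),' |
        Where-Object { $_ -like 'OU=*' } |
        ForEach-Object { $_.Substring(3) })
    [array]::Reverse($parts)
    return ($parts -join ' ')
}

function Test-GpoNaming {
    # One record per GPO link, with the expected name and any naming-rule violations.
    $allowed = 'Default Domain Policy', 'Default Domain Controllers Policy'
    foreach ($ou in Get-ADOrganizationalUnit -Filter *) {
        $expected = Get-OuConcatenatedName $ou.DistinguishedName
        # GpoLinks are only the GPOs linked directly at this OU, not inherited ones.
        foreach ($link in (Get-GPInheritance -Target $ou.DistinguishedName).GpoLinks) {
            $issues = @()
            if ($link.DisplayName -match '\b(Policy|GPO)\b' -and $link.DisplayName -notin $allowed) {
                $issues += 'name contains "Policy" or "GPO"'
            }
            if ($link.DisplayName -notlike "$expected*") {
                # A GPO that is deliberately reused across several OUs will trip this
                # check; treat it as a hint to review, not an automatic failure.
                $issues += "name does not start with OU path '$expected'"
            }
            [pscustomobject]@{
                Gpo      = $link.DisplayName
                LinkedTo = $ou.DistinguishedName
                Expected = $expected
                Issues   = ($issues -join '; ')
            }
        }
    }
}

# Show only the links that break a rule.
Test-GpoNaming | Where-Object Issues | Format-Table -AutoSize
```

Run it from a machine with the RSAT tools as a user who can read Group Policy; it makes no changes, it only reports.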
Therefore you will need to maintain some level of manual synchronisation between your default workstation and terminal server policies. Unlike computer GPOs, it is far more acceptable to apply the same user GPOs to your users when they log on to the Terminal Server, as the GPOs are applied to the user object rather than the computer account. Using the same policy means that any changes made to the user policies will automatically apply to terminal servers, without the administrative overhead of making duplicate updates when there are policy changes. If you have any user configuration that you want to configure that is specific to the terminal servers (e. This is another reason why you would want to have a separate computer GPO, as it allows you to apply specific Terminal Server user settings via a loopback policy. For more information on troubleshooting loopback policies, check out the Loopback Policy Processing Debug Series.

This option is appropriate in certain closely managed environments, such as servers, terminal servers, classrooms, public kiosks, and reception areas.

New GPOs only when scope is different.

I have seen some organisations apply many Group Policy Objects (GPOs) to the same OU. There are a number of reasons why you might want to do this; however, you should really consider why you want to spawn another GPO, as each one will add about 5mb to your Active Directory SYSVOL. If you start creating lots of GPO objects then you can quickly blow out the size and performance of your SYSVOL. This is not such a problem if you have upgraded to DFS-R SYSVOL replication, or you have configured a Group Policy Central Store for your Windows Vista and later computers, but it's still good practice to keep the number of GPOs as low as possible.

Monolithic vs. Functional GPOs.
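Because loopback turns a computer GPO into something that also shapes the user session, it pays to know exactly which GPOs enable it and where they are linked. The script below is an added example for this page, not code from the original article or its references: it reads the loopback setting (a registry policy value, UserPolicyMode, under HKLM\Software\Policies\Microsoft\Windows\System, where 1 is Merge and 2 is Replace) from every GPO and lists the OUs, domain or sites each loopback GPO is linked to, so a Terminal Server loopback GPO can be confirmed to sit only on the Terminal Server OU. It assumes the RSAT GroupPolicy module.

```powershell
# Added example (not from the original article): list every GPO that enables
# loopback processing, its mode, and the locations it is linked to.
# Assumes: RSAT GroupPolicy module and read access to all GPOs.
Import-Module GroupPolicy

# Loopback is stored as a registry-based policy under this key: 1 = Merge, 2 = Replace.
$loopbackKey = 'HKLM\Software\Policies\Microsoft\Windows\System'
$modeNames   = @{ 1 = 'Merge'; 2 = 'Replace' }

function Get-LoopbackGpo {
    foreach ($gpo in Get-GPO -All) {
        # Get-GPRegistryValue throws when the value is not configured, so suppress that
        # and treat "no entry" as "loopback not set in this GPO".
        $entry = Get-GPRegistryValue -Guid $gpo.Id -Key $loopbackKey `
                     -ValueName 'UserPolicyMode' -ErrorAction SilentlyContinue
        if (-not $entry) { continue }

        # The XML report carries the SOMs (OUs, domain, sites) the GPO is linked to.
        [xml]$report = Get-GPOReport -Guid $gpo.Id -ReportType Xml
        $links = @($report.GPO.LinksTo | ForEach-Object { $_.SOMPath })

        [pscustomobject]@{
            Gpo          = $gpo.DisplayName
            LoopbackMode = $modeNames[[int]$entry.Value]
            # Loopback itself is a computer setting, but the Terminal Server user
            # settings carried in this GPO only apply if its user half is enabled.
            GpoStatus    = $gpo.GpoStatus
            LinkedTo     = ($links -join '; ')
        }
    }
}

Get-LoopbackGpo | Format-Table -AutoSize
```

A loopback GPO that shows up linked to a workstation OU, or one whose GpoStatus is UserSettingsDisabled while it is expected to deliver user settings, is the kind of misconfiguration that the workstation/terminal server split above is meant to prevent.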
Now that I have just told you that you should load up your GPOs with lots of settings rather than having lots and lots of separate GPOs, Mike Kline has referred me to this great article, Best Practice for Optimizing Group Policy Performance by Darren Mar-Elia, that talks about Monolithic vs. Functional GPOs.

The terms "monolithic" and "functional" refer to how you design them. Monolithic GPOs contain settings from many different areas. For example, a monolithic GPO might contain settings from Administrative Templates, Internet Explorer Maintenance, and Software Installation policies—all within a single GPO. By contrast, functional GPOs typically do one thing. For example, a functional GPO may do only Software Installation or enforce Security settings.

I totally agree with this, and my advice to you when trying to decide which to use is that you should pick the type of policy configuration that suits your needs. This also maps very nicely to the 80/20 rule: the Monolithic approach for the 80% of GPOs and the more Functional approach for the 20%. The 80% policies are going to have more settings in them but they will be relatively static, where the 20%. This way you should be able to balance the pros and cons of each policy type in your environment.

References. TechNet: Complying with Service Level Agreements. If you have large or complex GPOs that require frequent changes, consider creating a new GPO that contains only the sections that you update regularly.

Settings (not policies) = Slower SOE

It is often a misconception that splitting up your group policy settings into a lot of Group Policy Objects (GPOs) will slow down Group Policy on your computers. While this might be true if you have many 1. GPOs applied to your computer, this is not normally the reason why a computer is slow processing Group Policy.
Normally you will find that it's the number of settings you have applied that causes performance issues, and even then you will find that particular settings cause more of a performance hit than others. In my experience the policy settings most likely to affect performance are:

Printer Mappings (1.
Folder Redirection (especially with Windows XP and AppData redirection)

You should also expect that the first time a user logs on with a new account they will have a slow logon, as the computer will need to apply all policy settings. However, subsequent logons should be much faster, as the computer is then only checking that the policy is still applied. This is similar to the difference between running "GPUPDATE" and "GPUPDATE /FORCE". You should also check out the Best Practice for Optimizing Group Policy Performance post by Darren Mar-Elia, as it explains in detail how GPOs are applied and what you can do to tweak performance. While it would be fairly rare to have an environment that has more than 9. GPOs applied to a single computer, still be aware that there is a hard limit on the number of GPOs you can apply to any user or computer. Thus trying to keep the number of GPOs to as few as possible is a good idea, especially in very large organisations that may use separate GPOs for installing software packages.

Reference. TechNet: Determining the Number of Group Policy Objects. Note that a maximum of 9. GPOs is supported for processing GPOs on any one user or computer. If you exceed the maximum, no GPOs will be processed.

Disable User/Computer settings if not in use.

If you are creating a GPO that is only meant to be applied to computers (and vice versa for users) then you should disable the unused portion of the GPO.
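Finding the GPOs that break this guideline by hand is tedious in a large domain. The script below is an added example for this page, not code from the original article: it pulls the XML report for each GPO, treats a Computer or User section with no ExtensionData node as carrying no settings, and recommends (or, when run without -WhatIf, applies) the matching GpoStatus so that the empty half is disabled. It assumes the RSAT GroupPolicy module and rights to modify the GPOs it changes.

```powershell
# Added example (not from the original article): find GPOs whose user or computer
# half has no settings but is still enabled, and optionally disable that half.
# Assumes: RSAT GroupPolicy module; write access to GPOs when not using -WhatIf.
Import-Module GroupPolicy

function Get-GpoEmptySection {
    foreach ($gpo in Get-GPO -All) {
        [xml]$report = Get-GPOReport -Guid $gpo.Id -ReportType Xml
        # In the report XML, a section without an ExtensionData node holds no settings.
        $computerHasSettings = $null -ne $report.GPO.Computer.ExtensionData
        $userHasSettings     = $null -ne $report.GPO.User.ExtensionData
        $computerEnabled     = $report.GPO.Computer.Enabled -eq 'true'
        $userEnabled         = $report.GPO.User.Enabled -eq 'true'

        $recommended = $null
        if (-not $userHasSettings -and $userEnabled -and $computerHasSettings) {
            $recommended = 'UserSettingsDisabled'
        } elseif (-not $computerHasSettings -and $computerEnabled -and $userHasSettings) {
            $recommended = 'ComputerSettingsDisabled'
        }
        # A GPO with no settings in either half is left alone: that is a
        # "delete or populate" decision, not a "disable one half" one.
        if ($recommended) {
            [pscustomobject]@{ Gpo = $gpo; Status = $gpo.GpoStatus; Recommended = $recommended }
        }
    }
}

function Set-GpoUnusedSectionDisabled {
    param([switch]$WhatIf)
    foreach ($item in Get-GpoEmptySection) {
        if ($WhatIf) {
            Write-Host "Would set '$($item.Gpo.DisplayName)' to $($item.Recommended)"
        } else {
            # GpoStatus is writable on the Gpo object; the assignment is committed to AD.
            $item.Gpo.GpoStatus = [Microsoft.GroupPolicy.GpoStatus]$item.Recommended
        }
    }
}

# Report first, then rehearse the change; drop -WhatIf to apply it.
Get-GpoEmptySection |
    Select-Object @{n='Gpo';e={$_.Gpo.DisplayName}}, Status, Recommended |
    Format-Table -AutoSize
Set-GpoUnusedSectionDisabled -WhatIf
```

Disabling a half that is empty today also documents intent: anyone who later adds, say, a user setting to a computer-only GPO has to consciously re-enable that half first.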
This not only helps guard against accidental changes to the section of the GPO that should not be applied, it should also give you a small performance boost when processing policies on your computers, as the GPO does not unnecessarily evaluate parts of the policy that are not configured with any settings. While I have never seen a performance benefit from disabling the unused portion of a GPO, or based on the number of GPOs applied to a computer (see the "Settings (not policies) = Slower SOE" section above), I do encourage you to adhere to these principles to avoid death by a thousand cuts when it comes to the performance of your systems.

TechNet: Complying with Service Level Agreements. If a GPO contains only computer or user settings, disable the portion of the policy that does not apply. The destination computer does not scan the portions of a GPO that you disable, which reduces processing time.

Avoid using Enforced.

In all my time as a Group Policy Administrator I cannot recall a single scenario where I required the use of the Enforced feature of Group Policy. At all costs you should avoid this setting, as using it is like taking a big hammer to a problem that you can probably avoid if you design right. (RESIST THE URGE)

References. TechNet: Designing Your Group Policy Model. Use the Enforced and Block Policy Inheritance features sparingly. Routine use of these features can make it difficult to troubleshoot policy because it is not immediately clear to administrators of other GPOs why certain settings do or do not apply.

Reuse GPOs where possible.

If you are in a situation where you have the same settings that you want to apply to all the users or computers in specific OUs in your organisation, then consider linking the same GPO to those OUs. When naming the GPO, choose a name that represents what is common to the OUs you are applying it to. This is shown in the image below (and in "8.
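Several of the guidelines above (one GPO per distinct scope, the hard limit on GPOs processed per user or computer, sparing use of Enforced and Block Inheritance, and reusing one GPO across OUs) can be audited from the link data alone. The script below is an added example for this page, not code from the original article: it reports, for the domain root and every OU, how many enabled GPOs an object there would process, whether the OU blocks inheritance and which links are Enforced, and separately lists GPOs linked in more than one place. It assumes the RSAT GroupPolicy and ActiveDirectory modules; the WarnAt threshold of 50 is an assumed value for the example, not a figure from the article.

```powershell
# Added example (not from the original article): audit GPO links per OU for
# GPO count, Enforced links, blocked inheritance, and GPO reuse.
# Assumes: RSAT GroupPolicy + ActiveDirectory modules, read access to GPOs and OUs.
Import-Module GroupPolicy
Import-Module ActiveDirectory

function Get-OuGpoAudit {
    param([int]$WarnAt = 50)   # assumed threshold for flagging OUs with many GPOs
    $domainDn = (Get-ADDomain).DistinguishedName
    $targets  = @($domainDn) +
                @(Get-ADOrganizationalUnit -Filter * | Select-Object -ExpandProperty DistinguishedName)

    foreach ($dn in $targets) {
        $inh = Get-GPInheritance -Target $dn
        # InheritedGpoLinks is the full, ordered list that applies at this location
        # (parents included), so its count is what the per-object GPO limit sees.
        $applied  = @($inh.InheritedGpoLinks | Where-Object Enabled)
        $enforced = @($inh.GpoLinks | Where-Object Enforced | ForEach-Object DisplayName)
        [pscustomobject]@{
            Target            = $dn
            AppliedGpoCount   = $applied.Count
            TooMany           = $applied.Count -gt $WarnAt
            BlocksInheritance = $inh.GpoInheritanceBlocked
            EnforcedLinks     = ($enforced -join '; ')
        }
    }
}

function Get-ReusedGpo {
    # GPOs linked in more than one location: these are the reuse candidates from the
    # last guideline, whose names should describe what the linked OUs have in common.
    foreach ($gpo in Get-GPO -All) {
        [xml]$report = Get-GPOReport -Guid $gpo.Id -ReportType Xml
        $links = @($report.GPO.LinksTo | ForEach-Object SOMPath)
        if ($links.Count -gt 1) {
            [pscustomobject]@{
                Gpo       = $gpo.DisplayName
                LinkCount = $links.Count
                LinkedTo  = ($links -join '; ')
            }
        }
    }
}

# Only show locations that need a second look, then the reused GPOs.
Get-OuGpoAudit |
    Where-Object { $_.TooMany -or $_.BlocksInheritance -or $_.EnforcedLinks } |
    Format-Table -AutoSize
Get-ReusedGpo | Format-Table -AutoSize
```

An Enforced link or a blocked-inheritance OU that turns up here should have a written reason; if nobody can supply one, that is the "big hammer" the section above warns against and the design underneath it is worth revisiting.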
November 2017