  1. #1

    bladedanny's Avatar

    GPOs One or Many

    Just a quick question.

    Is it better to have many GPOs doing specific things, eg 1 for IE settings, 1 for Printer Deployment, 1 for security settings etc per OU, or is it better to have one GPO per OU that does everything?

    Ta,

  2. #2

    I've always subscribed to the idea of creating GPOs for specific tasks. It makes the management of their settings easier if you know which GPO to alter. It also makes it easier to disable specific settings in that GPO by disabling that particular GPO rather than going in and altering the settings individually.

    A couple of things to remember when applying GPOs is the order in which they are applied and that it's not the number of GPOs applied, but the number of settings that control login or startup times.

  3. Thanks to riffleman from:

    bladedanny (31st October 2011)

  4. #3

    SYNACK's Avatar
    The more you have the longer it takes to process them, however the more you change them and the more settings they have in them, the more likely it is that they corrupt. This unfortunately is far more common under 2008 than it was under 2003. I think that the best practice is somewhere in the middle between one and many.

  5. Thanks to SYNACK from:

    bladedanny (31st October 2011)

  6. #4

    DaveP's Avatar
    We have multiple GPOs. However each GPO is targeted to a particular task [as far as possible] eg: Office 2010, Internet Explorer, Student Station Lockdown,...

    If there is a setting that is required that does not seem to fit into the pre-existing GPOs then we will create a new GPO.

    HTH.

  7. Thanks to DaveP from:

    bladedanny (31st October 2011)

  8. #5

    Quote Originally Posted by SYNACK View Post
    The more you have the longer it takes to process them.
    Testing has shown that for it to have any appreciable effect, you need to be applying hundreds of GPOs. In real terms, very few of us will ever notice.

  9. #6

    featured_spectre's Avatar
    I usually have around 15-20 GPOs per ou, depending on what's needed...the vast majority are computer ou's that apply to most groups.

  10. Thanks to featured_spectre from:

    bladedanny (31st October 2011)

  11. #7

    localzuk's Avatar
    Having just deleted 500 GPOs on our system, leaving 120ish in use still, I will have to say - fewer is better...

  12. Thanks to localzuk from:

    bladedanny (31st October 2011)

  13. #8

    bladedanny's Avatar
    Thanks all,

    On the network I've inherited it's a mixture of both, some OUs have one for all and some OUs have many doing little things. Basically it's a bit of a mess so I'm going to be starting from scratch with 2008r2 and think I'll go down the Many route.

    Thanks again,

  14. #9
    ricki's Avatar
    Hi

    I would say a gpo for each thing

    eg student lock down one policy
    deploy software one policy per program
    lock down windows 7 computers one policy.

    Design your ou's structure so that it matches the needs of your organisation. Make it simple and name ou's and the policies so if you are sick or leave another tech knows how things work. Have a naming structure for staff and student accounts plus computers and stick to it.

    Richard

  15. #10

    Hightower's Avatar
    We use a GPO for each thing (1 for staff users, 1 for students, 1 for workstations, 1 for each printer, 1 for each software etc) and it makes management nice and easy. Now if we need to add a printer or some software it takes a quick click or two to link the related GPO.

  16. #11

    Domain GPO for some global settings but then everything else has its own appropriately named GPO.

    Assigned Application – xxxx, Desktop – xxxx, Security – xxxxx, Internet Explorer – xxxx, Firewall – xxxx, etc…

    This way it’s a lot easier for you (and anyone else in the future) to see what GPO’s are in place and to manage the settings.


    I would strongly recommend editing each of your GPO’s to reduce logon time; this made a noticeable difference for us:

    GPO Status – If a GPO only has User or Computer settings and not both then disable the one not in use.

    Add / Remove templates – Remove any administrative templates from a GPO that are not in use.

  17. #12
    kennysarmy's Avatar
    Quote Originally Posted by ToyHeartsFan View Post
    Domain GPO for some global settings but then everything else has its own appropriately named GPO.

    Assigned Application – xxxx, Desktop – xxxx, Security – xxxxx, Internet Explorer – xxxx, Firewall – xxxx, etc…

    This way it’s a lot easier for you (and anyone else in the future) to see what GPO’s are in place and to manage the settings.


    I would strongly recommend editing each of your GPO’s to reduce logon time; this made a noticeable difference for us:

    GPO Status – If a GPO only has User or Computer settings and not both then disable the one not in use.

    Add / Remove templates – Remove any administrative templates from a GPO that are not in use.
    We are trying to speed up our logon processing and were recently advised to reduce the number of GPO's even though I don't think we have that many.
    On the Computer side we have around 16 - but only 10 apply after WMI filtering for the OS:
    And on the User side we have around 22 - but only 11 apply after WMI filtering for the OS:

    I've just been through every GPO and deleted all the old ones and also disabled either USER or COMPUTER part.

    I do have a couple of questions though:

    1. You state editing each of your GPO's to reduce logon time ! - what do you mean by this? I'm only applying (hopefully) settings which are required - so would rather not take them out !
    2. Add / Remove templates - remove any admin templates from the GPO that are not in use - can this be done on a per GPO item or is this a global setting? Again I have only a few admin templates applied but they seem to be in every GPO; I don't want to remove them from one and find it goes from all.

    Cheers

  18. #13

    localzuk's Avatar
    I don't know whether you have done this or not, but if you have GPOs which only apply computer settings or only user settings, make sure you change the GPO Status under 'Details' in Group Policy Manager to 'user configuration settings disabled' or 'computer configuration settings disabled' etc...

    I didn't bother with this all the time, as it didn't seem to make much difference, but I just changed this on half a dozen GPOs here and start up time went from 2 minutes to 1 minute on our machines.
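
The GPO Status check described in posts #11 and #13, written as a read-only audit. This is an added example, not code posted by anyone in the thread; the function name `Get-GpoStatusAudit` is hypothetical, and it assumes the GroupPolicy module (GPMC/RSAT) and rights to read every GPO in the domain.

```powershell
# Added example (not from the thread). Read-only: it reports, it changes nothing.
Import-Module GroupPolicy

function Get-GpoStatusAudit {   # hypothetical helper name
    [CmdletBinding()]
    param(
        [string]$Domain = $env:USERDNSDOMAIN
    )

    foreach ($gpo in Get-GPO -All -Domain $Domain) {
        # The XML report carries an <ExtensionData> node under <User> or <Computer>
        # only when that half of the GPO actually contains settings, and a
        # <LinksTo> node only when the GPO is linked somewhere.
        [xml]$report = Get-GPOReport -Guid $gpo.Id -Domain $Domain -ReportType Xml
        $hasUser     = $null -ne $report.GPO.User.ExtensionData
        $hasComputer = $null -ne $report.GPO.Computer.ExtensionData
        $isLinked    = $null -ne $report.GPO.LinksTo

        # Status that matches what the GPO really contains.
        $suggested = if ($hasUser -and $hasComputer) { 'AllSettingsEnabled' }
                     elseif ($hasUser)               { 'ComputerSettingsDisabled' }
                     elseif ($hasComputer)           { 'UserSettingsDisabled' }
                     else                            { 'AllSettingsDisabled' }

        [pscustomobject]@{
            Name            = $gpo.DisplayName
            CurrentStatus   = [string]$gpo.GpoStatus
            SuggestedStatus = $suggested
            Linked          = $isLinked
            Modified        = $gpo.ModificationTime
            # Flag GPOs whose status does not match their content, and unlinked ones.
            NeedsReview     = ($suggested -ne [string]$gpo.GpoStatus) -or (-not $isLinked)
        }
    }
}

# List only the GPOs worth a second look.
Get-GpoStatusAudit | Where-Object NeedsReview | Sort-Object Name | Format-Table -AutoSize
```

A GPO can be flagged because someone disabled one half on purpose, so treat the output as a review list and change the status in Group Policy Management only after checking each entry.
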

  19. #14

    Quote Originally Posted by kennysarmy View Post

    You state editing each of your GPO's to reduce logon time ! - what do you mean by this? I'm only applying (hopefully) settings which are required - so would rather not take them out !

    Can this be done on a per GPO item or is this a global setting?
    Cheers
    Hi

    No, don't take out any settings that are required; just try not to duplicate settings, e.g. if you set internet settings in the default domain policy but override them for certain users (eg different home page, different proxy settings etc...) because doing this will increase the time it takes to process. Although the time difference might be very small, if you have a lot of GPOs it can add up.

    Yes, you can remove admin templates per GPO - I would copy one of your GPOs and try it on the copy before you do it on the live GPO so that you know you're not removing an admin template you need within that GPO. For example the GPOs we use to deploy software don't need any settings in any of the admin templates so we can remove all of the admin templates from those GPOs. - This made a difference for us but it depends how many GPOs you have, how fast your network is, the load on your servers etc...

    The other thing that helped us a bit was to edit our logon script so wherever possible I removed any reference to a specific server and replaced it with the logon server variable
    eg replaced: net time %server1% /set /yes
    with: net time %LOGONSERVER% /set /yes
    so the workstation doesn't have to wait for another server before it can continue to process the logon script

    I think the thing that slows our logons down the most now is the way we deploy printers using the logon script, the printers are deleted and then installed at logon which slows things down a bit but means we can change printer allocation very easily.


