Windows Server 2008 R2 Thread, Group Policy: What's the proper way to do this? in Technical
  1. #1


    Group Policy: What's the proper way to do this?

    I currently have 1 group policy object with about 30 different settings inside it and nothing else, is this the proper way of doing this?

    I've been told I should have 30 different objects each unique to their own group policy rule.

    Now upon asking 'why?' I wasn't really given a proper answer by my colleague just that it makes things look a lot cleaner and easier to use in case I need to find something.

    This is a fair point and I understand it, but I know my policy settings inside and out and I'm the only network admin at this particular site, so it doesn't affect anyone else.

    The question that's on my mind now is: Does this affect performance? Does having a GPO with 30 rules inside it perform better than having 30 GPOs with a single rule in each?

    To put "performance" into perspective, I'm just talking about general computer usability and network login times/GPO-related network tasks in general, etc.
    Last edited by Jamie_Evans; 2nd June 2014 at 05:28 AM.

  2. #2
    free780
    You could time the computer startup and login and see if it is acceptable. The reason for splitting the settings across different GPOs is that you may need to exclude certain PCs/users on occasion. This is a bit more difficult with the 1 GPO.

  3. #3

    synaesthesia
    It's quite a personal thing. I like to go half-half. For a setting with a lot of restrictions, of which a school is a great example, one GPO per setting is a bit silly. I group settings as required. Global workstation settings, global internet settings, staff, student, folder redirections, printer mappings.

  4. #4


    As above, it's easier to fault find if you have lots of GPOs with a few settings in than one with everything in it, as you can just disable all policies on a user/group and re-enable them one by one to find the fault. But by the same token, if you have lots of small policies they may have contradictory settings in, so you look at them and think "why is/isn't it doing x, my user policy says it should", but a class 12 policy stops it from applying to kids in class 12, say. Personally I have a few sensible-size ones, but the number of settings in each varies wildly: some have 1 or 2 (so say just proxy settings that apply to everyone), some have more, for instance my user policies. But it's all what you're happiest with really; there is no right answer, although too many policies can slow things down a bit, so doing 1 policy per setting isn't good.

  5. #5

    Michael
    It depends how you look at it -

    If (like me), you have GPOs which have been tried/tested, it's just a case of creating a new GPO then importing all the relevant settings. Doing this once is easier than doing it 20 times for example.

    After this, further customisations (per OU), can be made. Generally I have less than 10 GPOs per OU, but I guess that's just my style.

    I've seen some networks with as many as 50 GPOs linked which I personally found too cluttered. I think a degree of compromise is needed, but only you can make that call.

  6. #6
    zag
    I have GPOs in categories, for example:

    Computer restrictions
    Proxy settings
    Folder Redirection
    Folder Redirection Fixes

    Each GPO can contain 1 to about 10 different tweaks.

    I haven't seen any performance changes in using multiple GPOs, but you could probably test it using GPO modelling.

  7. #7

    sparkeh
    There is no 'right way' to do this, just what's best for you.

    In terms of performance there are a few things to consider. Group policy works by checking each GPO to check if anything has changed. So if you have one giant GPO and nothing has changed, the machine can quickly verify that nothing needs to be done (so this is quick); if you have lots of small GPOs then the machine needs to check each one for changes (which apparently is a slower process). On the flip side, if you have one giant GPO and one thing changes, the machine reapplies the whole GPO (not just the changes - this is how Group Policy works), so this is a slow process; however, if you have lots of small GPOs and one thing changes in one GPO, then it only has to reapply that one GPO (this is quick).

    So really it's a trade-off: if you have fairly static settings then fewer, bigger GPOs are better for performance; if your settings change regularly then more, smaller GPOs are better.

  8. #8
    themightymrp
    As is mentioned above, there is no hard and fast way to do this. It's all down to personal preferences.

    I have a multitude of GPOs containing anything from one setting up to about 30! (generic student lockdowns). I think it helps with a good OU structure for where and what to put into your GPOs. Make sure you disable processing of the User Config section for GPOs that only have Computer Config settings, for example.

    With the right layout, even having multiple settings in a GPO, it can still be easy to track a troublesome setting. I make use of the Group Policy Modelling Wizard quite frequently to see which settings are taking precedence.

    I would imagine that you would at the very least need 2 GPOs though, to cover the differences between staff and students? Unless you have all manner of WMI filters configured?
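
The tip in post #8 about disabling the unused half of a GPO can be audited across a whole domain. The following is an added example, not part of any post in this thread: it assumes the RSAT GroupPolicy module is installed, and the function names `Get-GpoUnusedSection` and `Set-GpoUnusedSectionDisabled` are hypothetical.

```powershell
#Requires -Modules GroupPolicy
# Added example: find GPOs whose User or Computer half has never been edited
# (directory version 0) but is still enabled for processing.
function Get-GpoUnusedSection {
    Get-GPO -All | ForEach-Object {
        $userEmpty     = $_.User.DSVersion -eq 0
        $computerEmpty = $_.Computer.DSVersion -eq 0

        # A GPO with both halves at version 0 is new or empty: leave it for manual review.
        if ($userEmpty -and $computerEmpty) { return }

        $suggested = if ($userEmpty) { 'UserSettingsDisabled' }
                     elseif ($computerEmpty) { 'ComputerSettingsDisabled' }
                     else { $null }

        # Skip GPOs that use both halves, are already set correctly,
        # or were deliberately switched off entirely.
        if (-not $suggested) { return }
        if ($_.GpoStatus -eq $suggested -or $_.GpoStatus -eq 'AllSettingsDisabled') { return }

        [pscustomobject]@{
            DisplayName = $_.DisplayName
            Id          = $_.Id
            Current     = $_.GpoStatus
            Suggested   = $suggested
        }
    }
}

function Set-GpoUnusedSectionDisabled {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory, ValueFromPipeline)] $Finding)
    process {
        $action = "Set GpoStatus to $($Finding.Suggested)"
        if ($PSCmdlet.ShouldProcess($Finding.DisplayName, $action)) {
            # Assigning GpoStatus writes the change to the domain immediately.
            (Get-GPO -Guid $Finding.Id).GpoStatus = $Finding.Suggested
        }
    }
}

# Report first, then preview the change; remove -WhatIf to apply it.
Get-GpoUnusedSection | Format-Table -AutoSize
Get-GpoUnusedSection | Set-GpoUnusedSectionDisabled -WhatIf
```

A version of 0 only means the section was never edited, so a section whose settings were added and later removed keeps a non-zero version and is not flagged.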

  9. #9

    Does this affect performance? Does having a GPO with 30 rules inside it perform better than having 30 GPOs with a single rule in each?
    When the GPO system was first introduced it did have a performance hit doing it one way rather than the other but that is not the case any more.
