  1. #1

    synaesthesia

    GPOs

    Nice easy one, hopefully.
    I used to work for a very large company in education who did things a "certain way" - this certain way was to pretty much mirror what RM did for CC3 (and later on, 4) - so GPO modelling on a vanilla setup was pretty much a mirror replacement for the CC3 systems they managed. In a nutshell, this is large single GPs per OU (so for computers in a certain area, they'd have a certain GP applied to them with just about everything else included).

    Before I worked in Education (and I'll admit it was easy to switch to working to the above method), I used to abide by the MS method, and even reading up now it appears as if this is still the preferred way; again in a nutshell, a policy was made very nearly per setting, so for instance you could have many many GPOs applied to OUs/security groups/containers such as one to do printer mapping, one to do drive mapping, one to do user security restrictions, one for station security, one for startup scripts, so on and so forth.

    The former method is very "clean" however not particularly easy to administer should you need to find a single GPO in one huge lump of settings unless you've gone OCD and documented each setting in each policy. So, what are people's methods here in this day and age?

  2. #2

    Michael
    You need to get the right balance. I wouldn't recommend you have 100s of GPOs, but I wouldn't recommend you have one massive GPO either.

    For example, I typically have Curric GPO, Staff GPO and MIS GPOs and they're all very similar, but tweaked for that specific user group. These contain a fair few GPO settings which I know won't change at all or will change rarely.

    I then for example would create another GPO called Adobe Flash and link this GPO to each required OU. You then only need to edit the GPO once and this can save you a considerable amount of time, as the GPO is linked in the correct places. If you combined this into Curric GPO, Staff GPO and MIS GPO, you'd have to make the same change three times.

    I hope this is clear enough about getting the right balance and when to create a separate GPO.

  3. #3

    3s-gtech
    As above. Each GPO adds size to your sysvol, so you don't want hundreds of them, but managing a super policy is a swine. I don't do things quite as recommended - I have a few settings in the Default Domain Policy, things like turning off Autorun - I know this is then properly domain wide. I then have a separate GPO for Teachers, Admin staff, students, teacher PCs, student PCs. I then have lots of GPOs for things like running a particular fix or script, installing MSIs etc, that aren't left applied.

  4. #4

    GrumbleDook
    Going through some of the Minasi books and having watched a few of the seminars that were streamed I tended to the following for planning GPOs.

    Put everything you want into a super GPO as if you only have one computer and one user, then look at the differences in how you need different computers set up (i.e. software, security, etc) and then look at how you want different users set up.

    Where possible keep it as simple as you can, only do loop backs if there is no other way of doing things and then once you have finished planning go away and come back in a week to repeat the task ... see if you come up with the same policies.

    Then have a look at what is going to be scripted. Do any of the scripts replace or duplicate what is done in your GPOs?

    Then look at the startup and logon times. Is there a vast difference on the different computers and with different users? Can you see what makes the difference and is it acceptable?

    Finally, look at the policy settings / scripts which may change on a regular basis. These should be kept as independent of the other GPOs as you can to help with fault finding should anything go wrong when making changes.

    And then ... you've guessed it ... go through it all again, see if you made the same decisions for the same reasons ... and *then* try it on a test network. Rinse, repeat.

    And then put it into production.

  5. Thanks to GrumbleDook from:

    synaesthesia (13th March 2012)

  6. #5

    Firefox
    We have followed Microsoft's approach pretty much down the line. Our domain currently has about 200 policies within. This sounds like it would be a pain to manage, but if they are named appropriately it really is quite simple. We would also have 2 different policies for Computer and User e.g.

    Windows7_BL (Computer Part)
    Windows7_BL (User Part)

    BL stands for baseline, once this is signed off, any further changes would be made to Windows7_Inc (Computer and User part respectively). This is so worst case scenario we could disable the _Inc policy and be left with a good set of policies.

    The theory is that our Baseline should rarely ever change.

    The reason we have this level of granularity is

    A) We have a change department, that we obviously have to go through to get a GPO change authorised. It is a lot easier to negate risks if you're not having to change 1 single GPO with thousands of settings.
    B) We run a multiple domain setup, with a lot of our devices in a separate domain from the users, so have separate User Part\Computer Part policies with loopback works really well.
    C) GPOs can from time to time become corrupt, and although this can obviously be resolved by a restore, it has less impact if you don't have 1 huge GPO.
    D) Multiple people can work within Policy editor, without fear of impacting each other (as you would have with 1 policy)

  7. Thanks to Firefox from:

    synaesthesia (13th March 2012)
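An added audit script (not from the thread or any of the posters) that checks the conventions Firefox describes: a GPO named "(Computer Part)" should have its user side disabled and vice versa, a "_BL" baseline should rarely change, and, picking up Michael's point, it counts where each GPO is linked so copies and orphans stand out. It assumes the GroupPolicy PowerShell module (GPMC/RSAT on Server 2008 R2) and read access to the domain's GPOs; the name suffixes and the 30-day window are assumptions taken from the post's examples.

```powershell
# Added audit script (not from the thread). Assumes the GroupPolicy module is
# installed and the account can read all GPOs. Suffixes follow Firefox's examples.
Import-Module GroupPolicy

function Get-GpoSplitAudit {
    foreach ($gpo in Get-GPO -All) {
        $name = $gpo.DisplayName
        # Which half does the name claim to carry?
        $claimed = switch -Regex ($name) {
            '\(Computer Part\)$' { 'Computer'; break }
            '\(User Part\)$'     { 'User';     break }
            default              { 'Unlabelled' }
        }
        # Which halves are actually enabled? GpoStatus is one of AllSettingsEnabled,
        # UserSettingsDisabled, ComputerSettingsDisabled or AllSettingsDisabled.
        $status     = $gpo.GpoStatus.ToString()
        $userOn     = @('AllSettingsEnabled', 'ComputerSettingsDisabled') -contains $status
        $computerOn = @('AllSettingsEnabled', 'UserSettingsDisabled')     -contains $status
        # Count link targets: the XML report carries one LinksTo element per link.
        $report = [xml](Get-GPOReport -Guid $gpo.Id -ReportType Xml)
        $links  = $report.SelectNodes("//*[local-name()='LinksTo']").Count

        $issues = @()
        if ($claimed -eq 'Computer' -and $userOn)     { $issues += 'user side still enabled' }
        if ($claimed -eq 'User'     -and $computerOn) { $issues += 'computer side still enabled' }
        if ($claimed -eq 'Unlabelled')                { $issues += 'name not in Computer/User Part form' }
        # A baseline that keeps changing defeats the point of having one (assumed 30-day window).
        if ($name -match '_BL' -and $gpo.ModificationTime -gt (Get-Date).AddDays(-30)) {
            $issues += 'baseline changed in the last 30 days'
        }
        # Unlinked GPOs still sit in SYSVOL; fine for one-off fix GPOs, worth knowing about otherwise.
        if ($links -eq 0) { $issues += 'not linked anywhere' }

        New-Object PSObject -Property @{
            Name     = $name
            Claimed  = $claimed
            Status   = $status
            Links    = $links
            Modified = $gpo.ModificationTime
            Issue    = ($issues -join '; ')
        }
    }
}

# Show only the GPOs that need a second look.
Get-GpoSplitAudit | Where-Object { $_.Issue } |
    Sort-Object Name | Format-Table Name, Claimed, Status, Links, Issue -AutoSize
```

Run it read-only from a management station; it changes nothing, so it is safe to schedule alongside a GPO backup.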

  8. #6

    synaesthesia
    Cheers. Sounds like you're coping well with FITS, much common sense involved. We're building from scratch, and I'm concentrating on the baseline stuff at the moment. Basic security things - disallowing autoplay, document folder redirects etc. Just struggling with libraries but that's something else (in the w7 forum). We probably won't be going down the line of change departments due to the size of our team however any changes will be fully documented. Or else!
