+ Post New Thread
Results 1 to 13 of 13
Windows Server 2008 Thread, group policy best practice in Technical; What's best to have hundreds of gp or less larger ones with multiple configurations in them? Its getting a bit ...
  1. #1

    Join Date
    Feb 2008
    Posts
    325
    Thank Post
    51
    Thanked 3 Times in 3 Posts
    Rep Power
    14

    group policy best practice

    What's best to have hundreds of gp or less larger ones with multiple configurations in them? Its getting a bit messy? How can I search / tag gpo to make it more managable?


    Thanks

  2. #2

    nephilim's Avatar
    Join Date
    Nov 2008
    Location
    Dunstable
    Posts
    11,904
    Thank Post
    1,626
    Thanked 1,892 Times in 1,406 Posts
    Blog Entries
    2
    Rep Power
    428
    I found few larger gpo's served me better than several small ones. Reason being is that I can create larger ones to cover all needs.

  3. #3

    Join Date
    Oct 2008
    Location
    Lincolnshire
    Posts
    2,189
    Thank Post
    13
    Thanked 226 Times in 216 Posts
    Rep Power
    66
    I find less better.

    We have a baseline computer and user one and work from there, i.e. if a department needs extra settings and it cannot be done on the baseline we then create an incremental one from there.

    Keep as much of it in the one policy as you can because we found processing time when logging on was quicker. We run many branch sites without DC's so we ran into some problems and found that linking them into one policy made it quicker.

  4. #4


    Join Date
    Feb 2007
    Location
    51.403651, -0.515458
    Posts
    8,858
    Thank Post
    226
    Thanked 2,662 Times in 1,962 Posts
    Rep Power
    784

  5. 2 Thanks to Arthur:

    dalsoth (28th December 2010), gaz350 (31st December 2010)

  6. #5
    Richie1972's Avatar
    Join Date
    Apr 2006
    Location
    Blackburn
    Posts
    239
    Thank Post
    2
    Thanked 6 Times in 6 Posts
    Rep Power
    18
    As few as possible is the best way - less confusion and easier to manage. It's even better with Server 2008 and item level targetting.
    I have one main computer and user policy, one policy for staff, one for students (both these just have a couple of items in that i caouldn't do so easily from the one policy, plus one for the servers. There may be a couple of other minor policies, but that's it.

  7. #6

    Join Date
    Feb 2008
    Posts
    325
    Thank Post
    51
    Thanked 3 Times in 3 Posts
    Rep Power
    14
    So for software deployment you my have 20 msi in 1 gp to deploy?

    Thanks for the responce

  8. #7
    morganw's Avatar
    Join Date
    Apr 2009
    Location
    Cambridge
    Posts
    816
    Thank Post
    46
    Thanked 132 Times in 126 Posts
    Rep Power
    39
    Am I the only one who thinks that it's simpler to have more GPOs? I find it more straight forward to have GPO do a function, or group of functions, name the GPO after what it does prefixing them to differentiate between application settings, user settings, computer settings etc.

    There might be an overhead on replication and GPO application but it means that it's easier to track changes via the modification dates, easier to find something when i've forgotten where I made the change, and if I were hit by a bus my replacement could look at the GPO names and structures and get an instant idea about how everything is actually setup.

  9. #8

    DaveP's Avatar
    Join Date
    Oct 2006
    Location
    Can't talk now: The mother-ship is calling!
    Posts
    8,875
    Thank Post
    351
    Thanked 1,285 Times in 877 Posts
    Blog Entries
    4
    Rep Power
    1128
    Quote Originally Posted by morganw View Post
    Am I the only one who thinks that it's simpler to have more GPOs? I find it more straight forward to have GPO do a function, or group of functions, name the GPO after what it does prefixing them to differentiate between application settings, user settings, computer settings etc.

    There might be an overhead on replication and GPO application but it means that it's easier to track changes via the modification dates, easier to find something when i've forgotten where I made the change, and if I were hit by a bus my replacement could look at the GPO names and structures and get an instant idea about how everything is actually setup.
    You are not alone. This is pretty much how I manage our GPOs. Each GPO is named after its function. As you say it is easier to track changes [and track down problems] working with GPOs this way.

    Or at least I think so.

  10. #9
    DrCheese's Avatar
    Join Date
    Apr 2008
    Posts
    1,028
    Thank Post
    97
    Thanked 158 Times in 107 Posts
    Rep Power
    58
    aye, I have seperate GPOs for all software installations, that way it's easier to deploy software in small doses. This was useful when I recently deployed Adobe Reader X to just one area of the school and had a few errors reported to me that I hadn't seen during testing on our machines. It was easy to roll it back to the older version and the amount of users it affected was minimised.

  11. #10

    AngryTechnician's Avatar
    Join Date
    Oct 2008
    Posts
    3,730
    Thank Post
    698
    Thanked 1,212 Times in 761 Posts
    Rep Power
    394
    Quote Originally Posted by DrCheese View Post
    aye, I have seperate GPOs for all software installations, that way it's easier to deploy software in small doses.
    You can do this with a single GPO by editing the ACLs on individual bits of software inside the GPO and only allowing access to particular computer accounts/groups. That's the way we did software installation at my last school, and I did the same here until I switched to deploying through System Center. We had around 80 different MSIs in one GPO and it worked just fine for us.

    I subscribe to the fewer GPOs theory. I split mine up so that user and computer settings are separate, and I then have a hierarchy of settings, e.g. 1 GPO with global settings that apply to all computers, then separate ones for settings that only apply to Servers and Workstations (or particular types of workstations).

  12. #11

    Little-Miss's Avatar
    Join Date
    Oct 2007
    Location
    London
    Posts
    5,533
    Thank Post
    2,376
    Thanked 749 Times in 458 Posts
    Blog Entries
    2
    Rep Power
    542
    I've started Prefixing mine [Software], [Power Settings] etc (I cant think of anymore lol my brain has turned to mush over xmas!)

  13. #12
    gshaw's Avatar
    Join Date
    Sep 2007
    Location
    Essex
    Posts
    2,655
    Thank Post
    164
    Thanked 218 Times in 201 Posts
    Rep Power
    67
    Ours were originally one big policy but some newer ones I've put separately plus the best practice for password policy GPOs etc.

    As for software deployment I avoid GPOs for that and use SCCM

  14. #13

    nephilim's Avatar
    Join Date
    Nov 2008
    Location
    Dunstable
    Posts
    11,904
    Thank Post
    1,626
    Thanked 1,892 Times in 1,406 Posts
    Blog Entries
    2
    Rep Power
    428
    Might have to do that for staff GPOs, prefix them so they are set up with configs and have several!

SHARE:
+ Post New Thread

Similar Threads

  1. Replies: 8
    Last Post: 22nd June 2010, 11:12 AM
  2. Group Policy
    By Iain.Faulkner in forum Windows Server 2000/2003
    Replies: 0
    Last Post: 30th April 2009, 04:16 PM
  3. Group Policy
    By jman167 in forum Windows
    Replies: 1
    Last Post: 28th June 2007, 10:27 PM
  4. Group policy etc
    By moiebus in forum Wireless Networks
    Replies: 20
    Last Post: 8th November 2006, 11:48 PM
  5. Group Policy
    By faza in forum Windows
    Replies: 15
    Last Post: 23rd May 2006, 09:39 AM

Thread Information

Users Browsing this Thread

There are currently 1 users browsing this thread. (0 members and 1 guests)

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •