+ Post New Thread
Results 1 to 13 of 13
Windows Thread, GPO Advice in Technical; Hi all I was wondering how you approach GPO's, do you group similar settings into one GPO, for example, internet ...
  1. #1

    Join Date
    Nov 2009
    Posts
    81
    Thank Post
    59
    Thanked 2 Times in 2 Posts
    Rep Power
    10

    GPO Advice

    Hi all

    I was wondering how you approach GPO's, do you group similar settings into one GPO, for example, internet settings? Or do you have several GPO's applying various settings? Do you have separate GPO's for staff and pupils applying the same settings so that you can be more granular, for example, internet settings? I would guess that if you have a policy applying to both staff and pupils link it higher up in AD and more granular link lower down. My AD is setup quite granular as opposed to say all users\computers in one OU.
    I know there is a speed trade off to having too many GPO's applying so I was plumbing for the grouping similar settings together in separate GPO's but I would welcome any advice from anyone.

    Cheers

  2. #2
    fairm010's Avatar
    Join Date
    Jun 2010
    Location
    C:/Windows/System32/
    Posts
    1,184
    Thank Post
    47
    Thanked 152 Times in 133 Posts
    Rep Power
    46
    I mostly use groups for generic settings ie "Student Internet Settings" will set Homepage, Proxy, pop-up exceptions etc.

    For things like software installation and scripts I use individual ones.

  3. Thanks to fairm010 from:

    jertsy (13th May 2014)

  4. #3

    Join Date
    Nov 2009
    Posts
    81
    Thank Post
    59
    Thanked 2 Times in 2 Posts
    Rep Power
    10
    Quote Originally Posted by fairm010 View Post
    I mostly use groups for generic settings ie "Student Internet Settings" will set Homepage, Proxy, pop-up exceptions etc.

    For things like software installation and scripts I use individual ones.
    Thanks, do you have a "staff internet settings" GPO too? I was thinking of doing this so that I could say let staff have a bit more freedom compared to the student's. i.e. less locked down internet settings for staff.

  5. #4
    fairm010's Avatar
    Join Date
    Jun 2010
    Location
    C:/Windows/System32/
    Posts
    1,184
    Thank Post
    47
    Thanked 152 Times in 133 Posts
    Rep Power
    46
    Yes, for example our "Staff Internet GPO" has some different proxy exceptions, opens two tabs, and some other pop up exceptions. Also our pupil policy does not allow the change of proxy settings and our staff one does.

  6. Thanks to fairm010 from:

    jertsy (13th May 2014)

  7. #5
    cpjitservices's Avatar
    Join Date
    Jul 2010
    Location
    Hessle
    Posts
    2,478
    Thank Post
    515
    Thanked 287 Times in 263 Posts
    Rep Power
    81
    We do the same, we Have a Container which has the Restricted User group in it, from there GPO's are assigned by Internet Settings, Redirects for Profiles, Desktop Settings etc.

  8. Thanks to cpjitservices from:

    jertsy (13th May 2014)

  9. #6

    Join Date
    Nov 2009
    Posts
    81
    Thank Post
    59
    Thanked 2 Times in 2 Posts
    Rep Power
    10
    Quote Originally Posted by fairm010 View Post
    Yes, for example our "Staff Internet GPO" has some different proxy exceptions, opens two tabs, and some other pop up exceptions. Also our pupil policy does not allow the change of proxy settings and our staff one does.
    Cool, one last question, is that linked to your staff top level OU and students GPO to your students top level OU? I'm just trying to get an idea as to where people link them as I have read different ideas on this. I want to enforce the interactive logon: do not display last username setting, I was thinking of doing this on the default domain policy as I would like it to be a domain wide thing. I just want to keep it simple really.

  10. #7

    Join Date
    Nov 2009
    Posts
    81
    Thank Post
    59
    Thanked 2 Times in 2 Posts
    Rep Power
    10
    Quote Originally Posted by cpjitservices View Post
    We do the same, we Have a Container which has the Restricted User group in it, from there GPO's are assigned by Internet Settings, Redirects for Profiles, Desktop Settings etc.
    Thanks for the info, that seems quite logical to me.

  11. #8

    fiza's Avatar
    Join Date
    Dec 2008
    Location
    London
    Posts
    2,124
    Thank Post
    418
    Thanked 314 Times in 265 Posts
    Rep Power
    153
    Quote Originally Posted by jertsy View Post
    Cool, one last question, is that linked to your staff top level OU and students GPO to your students top level OU? I'm just trying to get an idea as to where people link them as I have read different ideas on this. I want to enforce the interactive logon: do not display last username setting, I was thinking of doing this on the default domain policy as I would like it to be a domain wide thing. I just want to keep it simple really.
    Best practice is to leave the default domain policy as is and create new ones.

  12. Thanks to fiza from:

    jertsy (13th May 2014)

  13. #9
    fairm010's Avatar
    Join Date
    Jun 2010
    Location
    C:/Windows/System32/
    Posts
    1,184
    Thank Post
    47
    Thanked 152 Times in 133 Posts
    Rep Power
    46
    I don't edit the default domain policy, its best practice. For things like that I created a GPO at the top level of the domain and set all generic settings there. Things like "Do not display last username, default logon domain, always use custom wallpaper"

    And yes, students GPO is at the Students top level OU.

  14. Thanks to fairm010 from:

    jertsy (13th May 2014)

  15. #10

    Join Date
    Nov 2009
    Posts
    81
    Thank Post
    59
    Thanked 2 Times in 2 Posts
    Rep Power
    10
    Quote Originally Posted by fiza View Post
    Best practice is to leave the default domain policy as is and create new ones.
    Brill, I will do that thanks.

  16. #11

    Join Date
    Jan 2013
    Posts
    79
    Thank Post
    20
    Thanked 10 Times in 10 Posts
    Rep Power
    6
    I guess it depends how large your network is and how many users/computer you are have running from the domain. If it's quite a large network, I would single out settings into individual gpos. That way you can easily tell if one is working and another is not. For a smaller network, then yeah, I would group them like people have said above - saves time and it's easy to apply

  17. #12

    tmcd35's Avatar
    Join Date
    Jul 2005
    Location
    Norfolk
    Posts
    5,665
    Thank Post
    850
    Thanked 893 Times in 738 Posts
    Blog Entries
    9
    Rep Power
    328
    We tend to do something similar to...

    Code:
    School Users OU
    ----Internet GPO for All Users
    ----Security GPO for All Users
    ----Software Install GPO for All Users
    
    ----Staff Users Sub-OU
    --------Internet GPO for Staff Users
    --------Security GPO for Staff Users
    --------Software Install for Staff Users
    
    -----------Teachers Sub-OU
    ----------------Internet GPO for Teachers
    ----------------etc
    
    ----Student Users Sub-OU
    --------Internet GPO for Student Users
    --------Security GPO for Student Users
    --------Software Install for Student Users
    Obviously GPO's only actually exist where there is a need for a policy setting at that level (so there isn't actually a Teachers Internet GPO - but there could be if it was needed). Policies are set at the lowest common level. Computer Policies are disabled in User GPO's and User Policies disabled in Computer GPO's.

    As you say, it's a trade off between granular policy control and login/boot up speed.

  18. #13

    Oaktech's Avatar
    Join Date
    Jul 2011
    Location
    Bournemouth
    Posts
    2,807
    Thank Post
    774
    Thanked 547 Times in 427 Posts
    Rep Power
    260
    we have the following:
    computer settings classroom,
    computer settings offices
    computer settings laptop
    user settings folder redirection
    user settings staff UI
    user settings staff internet
    user settings student internet
    user settings sixthform internet
    user settings student UI
    user settings software restrictions
    user settings google staff (contains chrome and earth and update)
    user settings google students (contains chrome and earth and update)
    user settings google sysadmin
    user settings office2010

SHARE:
+ Post New Thread

Similar Threads

  1. GPO Advice
    By tommccann in forum Windows Server 2000/2003
    Replies: 4
    Last Post: 17th October 2010, 12:58 PM
  2. Curriculum Vitae - Any good advice?
    By tarquel in forum Educational IT Jobs
    Replies: 42
    Last Post: 5th January 2010, 08:59 PM
  3. GPO deployment advice needed
    By projector1 in forum Wireless Networks
    Replies: 2
    Last Post: 1st November 2006, 06:59 PM
  4. Deploy Software via GPO
    By ICTNUT in forum How do you do....it?
    Replies: 16
    Last Post: 4th July 2006, 04:09 PM
  5. Replies: 11
    Last Post: 27th September 2005, 12:30 AM

Thread Information

Users Browsing this Thread

There are currently 1 users browsing this thread. (0 members and 1 guests)

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •