+ Post New Thread
Results 1 to 14 of 14
Windows Thread, GPOs with everything in Technical; Active Directory group policies can be very useful for lots of things but can there be too much of a ...
  1. #1

    Join Date
    Mar 2006
    Posts
    537
    Thank Post
    2
    Thanked 3 Times in 2 Posts
    Rep Power
    18

    GPOs with everything

    Active Directory group policies can be very useful for lots of things but can there be too much of a good thing? What's the best practice for stopping users waiting an eternity befeore they finish logging in.

    Should you use a monster GPO or a handful of well targeted policies, perhaps one on the user account OU and a loopback on PC room OU?

  2. #2
    Quackers's Avatar
    Join Date
    Jan 2006
    Posts
    1,309
    Thank Post
    40
    Thanked 141 Times in 116 Posts
    Rep Power
    53

    Re: GPOs with everything

    If your users are waiting an eternity for group policys to apply there is either something very wrong, or badly designed. The only place i use loopback on PC's is the staff laptops. I have 1 OU for the workstations with an ALL Workstations Policy., then a sub OU for each IT Suite. Then 1 group policy for each IT Suite to do unique to that room things. Same for Users.

  3. #3

    Join Date
    Jul 2005
    Location
    Corby
    Posts
    1,056
    Thank Post
    12
    Thanked 20 Times in 18 Posts
    Rep Power
    24

    Re: GPOs with everything

    Yeah- loopback is generally a bad idea. We actually use a loopback policy for applying proxy settings to users based on location (for our new filtering solution rolling out soon)- but the logon time have increased (only slightly) that I am now considering using a VBScript to apply the settings instead at logon (much faster).

    So generally, loopback is a no for most people. Using one all encompassing "monster GPO" (I liked how you put that) is what CSE have been doing for our school for years, and I don't like it. It's harder to detect where GPOs are going wrong and makes changing them a nightmare (GPO inheritance). Splitting them up is OK, but you have to make sure that if you are applying a Group Policy setting in (say) the Users portion of the setting you disable the Computer section- that way you aren't wasting processing/logon time sifting through it all to find settings that should be applied. And it's actually best practise not to set both Computer and User settings in the same GPO.

    Have a look at http://www.gpanswers.com for some valuable info on these issues.

    Enjoy!

  4. #4

    Ric_'s Avatar
    Join Date
    Jun 2005
    Location
    London
    Posts
    7,590
    Thank Post
    109
    Thanked 762 Times in 593 Posts
    Rep Power
    180

    Re: GPOs with everything

    It's best practice to use several GPOs - each with a specific goal and placed at the highest level possible so that you keep duplication of settings to a minimum.

    Loopback has always been a bit of a pain in the arse and is something I personally steer clear of.

    If you are having slow logon problems, chances are that something else is amiss... profile problems and dodgy DNS spring to mind.

  5. #5
    mark's Avatar
    Join Date
    Jun 2005
    Posts
    3,958
    Thank Post
    248
    Thanked 49 Times in 45 Posts
    Blog Entries
    2
    Rep Power
    46

    Re: GPOs with everything

    Loopback has been a pain for me too. Start Menu's are set via PC, and we also did internet restrictions but that's always the first to fall over.

  6. #6

    GrumbleDook's Avatar
    Join Date
    Jul 2005
    Location
    Gosport, Hampshire
    Posts
    9,921
    Thank Post
    1,332
    Thanked 1,773 Times in 1,100 Posts
    Blog Entries
    19
    Rep Power
    593

    Re: GPOs with everything

    Avoid loopback like the plague.

    It is the bane of many a SysAdmin and causes countless hours of confusion as you try and work out what the bloody hell went wrong ... again!

    As pointed out by others so far heirarchies of OUs with GPOs applied suffice for most things.

    Another trick is not turn turn something on which you then have to turn off further down the chain. This is what can add those extra seconds / minutes to "applying personal settings" ...

    If you can do something to the computer at startup then do so ... people tend not to see "applying computer settings" ... in fact once a day ... or not even that if you use WOL. The only problem is to remember that Laptops often have NICs that only turn on fully once the computer is fully started ... and may not pull down the latest computer setting at start up. If they are mobile laptops the remember to plug them into the wired LAN if you have done anything major to their settings ... likewise with staff laptops.

    Another reason why logins are slow is not down to GPOs being applied but down to the profile ... keep you mandatory profiles lean and sleek ... make sure that if people are using roaming profiles you have enforced a quoat to stop them from being huge ("you mean we can't have all our files on the desktops? Not even the folder with videos of my daughter's nativity? But it is only 6GB!!!")

  7. #7

    Join Date
    Mar 2006
    Posts
    537
    Thank Post
    2
    Thanked 3 Times in 2 Posts
    Rep Power
    18

    Re: GPOs with everything

    Thanks forall the replies. An great EduGeek thread IMHO.

    To set the record straight logons aren't unbearably slow at my school but I just felt guilty that GPOs were might be great for me but less than optimum for the user experience.

    Anyway, I am surprised by the all the negativity towards loopbacks as I once read they were what were used to make per room settings such as printer mappings.

  8. #8

    Gatt's Avatar
    Join Date
    Jan 2006
    Posts
    6,644
    Thank Post
    858
    Thanked 645 Times in 428 Posts
    Rep Power
    498

    Re: GPOs with everything

    I have never understood Loopbacks in GPO's - as sunch i dont use them.
    I have various GPO's

    A Pupil Policy applied to the root of the Users OU which contain the OUs for the year groups.
    A seperate OU for software installs, for WSUS, ICT Staff, etc.

  9. #9
    Guest

    Re: GPOs with everything

    Anyway, I am surprised by the all the negativity towards loopbacks as I once read they were what were used to make per room settings such as printer mappings
    Thats what I use it for and touch wood I have had no issues.

  10. #10

    Join Date
    Aug 2005
    Location
    Birmingham, UK
    Posts
    490
    Thank Post
    0
    Thanked 0 Times in 0 Posts
    Rep Power
    0

    Re: GPOs with everything

    I used loopback at the last place to apply per room printers to users and i must admit, it was a pain when it broke but generally it was fine.

  11. #11

    Join Date
    Jul 2005
    Location
    Corby
    Posts
    1,056
    Thank Post
    12
    Thanked 20 Times in 18 Posts
    Rep Power
    24

    Re: GPOs with everything

    Hey.

    It's true- we shouldn't be too down on loopback processing, because it is a very good tool for assigning things like printers and proxy settings. We have been moving slowly to assigning printers via this method (loopback with merge) for some time and have had no problems. In general though you would keep things cleaner than using loopback processing if you can. I know someone who manages a very large (2000+) client network who uses loopback for printers and terminal services components and it works brilliantly!

    Loopback is dead. Long live loopback!

  12. #12

    Geoff's Avatar
    Join Date
    Jun 2005
    Location
    Fylde, Lancs, UK.
    Posts
    11,802
    Thank Post
    110
    Thanked 583 Times in 504 Posts
    Blog Entries
    1
    Rep Power
    224

    Re: GPOs with everything

    *shrug*

    You don't need to go the loopback route for assigning per room printers. Have a look at Ric's printer script in the scripts forum.

    If you have to use loopback processing it's a sign that there's an easier way to do it.

  13. #13
    Norphy's Avatar
    Join Date
    Jan 2006
    Location
    Harpenden
    Posts
    2,227
    Thank Post
    50
    Thanked 271 Times in 209 Posts
    Blog Entries
    6
    Rep Power
    108

    Re: GPOs with everything

    I use loopback processing for assigning printers because I find it easier than using a VBS script. All you have to do drop a PC in an OU and bang, printer assigned. At least then you don't need to worry about editing VBS files and making sure the naming convention is identical.

  14. #14

    SpuffMonkey's Avatar
    Join Date
    Jul 2005
    Posts
    2,224
    Thank Post
    54
    Thanked 276 Times in 184 Posts
    Rep Power
    133

    Re: GPOs with everything

    Quote Originally Posted by Norphy
    I use loopback processing for assigning printers because I find it easier than using a VBS script. All you have to do drop a PC in an OU and bang, printer assigned. At least then you don't need to worry about editing VBS files and making sure the naming convention is identical.
    I do my printer assignment in logon script, but based on OU of the PC - best of both worlds

SHARE:
+ Post New Thread

Similar Threads

  1. Laptops don't get all GPOs
    By bizzel in forum Windows
    Replies: 0
    Last Post: 29th November 2007, 10:57 AM
  2. GPOs combined with mandatory profile
    By edsa in forum Network and Classroom Management
    Replies: 7
    Last Post: 31st October 2007, 10:40 PM
  3. GPOs and managing computers
    By sparkeh in forum Wireless Networks
    Replies: 7
    Last Post: 18th July 2007, 09:47 AM
  4. Copying GPOs...How?
    By HodgeHi in forum Windows
    Replies: 4
    Last Post: 24th November 2006, 11:10 AM
  5. Replies: 25
    Last Post: 1st September 2006, 07:39 PM

Thread Information

Users Browsing this Thread

There are currently 1 users browsing this thread. (0 members and 1 guests)

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •