Active Directory group policies can be very useful for lots of things but can there be too much of a good thing? What's the best practice for stopping users waiting an eternity befeore they finish logging in.
Should you use a monster GPO or a handful of well targeted policies, perhaps one on the user account OU and a loopback on PC room OU?
If your users are waiting an eternity for group policys to apply there is either something very wrong, or badly designed. The only place i use loopback on PC's is the staff laptops. I have 1 OU for the workstations with an ALL Workstations Policy., then a sub OU for each IT Suite. Then 1 group policy for each IT Suite to do unique to that room things. Same for Users.
Yeah- loopback is generally a bad idea. We actually use a loopback policy for applying proxy settings to users based on location (for our new filtering solution rolling out soon)- but the logon time have increased (only slightly) that I am now considering using a VBScript to apply the settings instead at logon (much faster).
So generally, loopback is a no for most people. Using one all encompassing "monster GPO" (I liked how you put that) is what CSE have been doing for our school for years, and I don't like it. It's harder to detect where GPOs are going wrong and makes changing them a nightmare (GPO inheritance). Splitting them up is OK, but you have to make sure that if you are applying a Group Policy setting in (say) the Users portion of the setting you disable the Computer section- that way you aren't wasting processing/logon time sifting through it all to find settings that should be applied. And it's actually best practise not to set both Computer and User settings in the same GPO.
Have a look at http://www.gpanswers.com for some valuable info on these issues.
Enjoy!
It's best practice to use several GPOs - each with a specific goal and placed at the highest level possible so that you keep duplication of settings to a minimum.
Loopback has always been a bit of a pain in the arse and is something I personally steer clear of.
If you are having slow logon problems, chances are that something else is amiss... profile problems and dodgy DNS spring to mind.
Loopback has been a pain for me too. Start Menu's are set via PC, and we also did internet restrictions but that's always the first to fall over.
Avoid loopback like the plague.
It is the bane of many a SysAdmin and causes countless hours of confusion as you try and work out what the bloody hell went wrong ... again!
As pointed out by others so far heirarchies of OUs with GPOs applied suffice for most things.
Another trick is not turn turn something on which you then have to turn off further down the chain. This is what can add those extra seconds / minutes to "applying personal settings" ...
If you can do something to the computer at startup then do so ... people tend not to see "applying computer settings" ... in fact once a day ... or not even that if you use WOL. The only problem is to remember that Laptops often have NICs that only turn on fully once the computer is fully started ... and may not pull down the latest computer setting at start up. If they are mobile laptops the remember to plug them into the wired LAN if you have done anything major to their settings ... likewise with staff laptops.
Another reason why logins are slow is not down to GPOs being applied but down to the profile ... keep you mandatory profiles lean and sleek ... make sure that if people are using roaming profiles you have enforced a quoat to stop them from being huge ("you mean we can't have all our files on the desktops? Not even the folder with videos of my daughter's nativity? But it is only 6GB!!!")
Thanks forall the replies. An great EduGeek thread IMHO.
To set the record straight logons aren't unbearably slow at my school but I just felt guilty that GPOs were might be great for me but less than optimum for the user experience.
Anyway, I am surprised by the all the negativity towards loopbacks as I once read they were what were used to make per room settings such as printer mappings.
I have never understood Loopbacks in GPO's - as sunch i dont use them.
I have various GPO's
A Pupil Policy applied to the root of the Users OU which contain the OUs for the year groups.
A seperate OU for software installs, for WSUS, ICT Staff, etc.
Thats what I use it for and touch wood I have had no issues.Anyway, I am surprised by the all the negativity towards loopbacks as I once read they were what were used to make per room settings such as printer mappings
I used loopback at the last place to apply per room printers to users and i must admit, it was a pain when it broke but generally it was fine.
Hey.
It's true- we shouldn't be too down on loopback processing, because it is a very good tool for assigning things like printers and proxy settings. We have been moving slowly to assigning printers via this method (loopback with merge) for some time and have had no problems. In general though you would keep things cleaner than using loopback processing if you can. I know someone who manages a very large (2000+) client network who uses loopback for printers and terminal services components and it works brilliantly!
Loopback is dead. Long live loopback!
*shrug*
You don't need to go the loopback route for assigning per room printers. Have a look at Ric's printer script in the scripts forum.
If you have to use loopback processing it's a sign that there's an easier way to do it.
I use loopback processing for assigning printers because I find it easier than using a VBS script. All you have to do drop a PC in an OU and bang, printer assigned. At least then you don't need to worry about editing VBS files and making sure the naming convention is identical.
I do my printer assignment in logon script, but based on OU of the PC - best of both worldsOriginally Posted by Norphy
There are currently 1 users browsing this thread. (0 members and 1 guests)
Posting Permissions
LinkBack URL
About LinkBacks