I was wondering how you approach GPOs. Do you group similar settings into one GPO, for example, internet settings? Or do you have several GPOs applying various settings? Do you have separate GPOs for staff and pupils applying the same settings so that you can be more granular, for example, internet settings? I would guess that if you have a policy applying to both staff and pupils, you link it higher up in AD and link the more granular ones lower down. My AD is set up quite granularly, as opposed to, say, all users\computers in one OU.
I know there is a speed trade-off to having too many GPOs applying, so I was plumping for grouping similar settings together in separate GPOs, but I would welcome any advice from anyone.
I mostly use groups for generic settings, i.e. "Student Internet Settings" will set Homepage, Proxy, pop-up exceptions etc.
For things like software installation and scripts I use individual ones.
Thanks, do you have a "staff internet settings" GPO too? I was thinking of doing this so that I could, say, let staff have a bit more freedom compared to the students, i.e. less locked-down internet settings for staff.
Originally Posted by fairm010
Yes, for example, our "Staff Internet GPO" has some different proxy exceptions, opens two tabs, and has some other pop-up exceptions. Also, our pupil policy does not allow the change of proxy settings and our staff one does.
We do the same. We have a container which has the Restricted User group in it; from there, GPOs are assigned by Internet Settings, Redirects for Profiles, Desktop Settings etc.
Cool, one last question: is that linked to your staff top-level OU, and the students GPO to your students top-level OU? I'm just trying to get an idea as to where people link them, as I have read different ideas on this. I want to enforce the "Interactive logon: Do not display last username" setting. I was thinking of doing this on the default domain policy as I would like it to be a domain-wide thing. I just want to keep it simple really.
Originally Posted by fairm010
Thanks for the info, that seems quite logical to me.
Originally Posted by cpjitservices
Best practice is to leave the default domain policy as is and create new ones.
Originally Posted by jertsy
I don't edit the default domain policy; it's best practice. For things like that I created a GPO at the top level of the domain and set all generic settings there. Things like "Do not display last username, default logon domain, always use custom wallpaper".
And yes, students GPO is at the Students top level OU.
Brill, I will do that thanks.
Originally Posted by fiza
I guess it depends how large your network is and how many users/computers you have running from the domain. If it's quite a large network, I would single out settings into individual GPOs. That way you can easily tell if one is working and another is not. For a smaller network, then yeah, I would group them like people have said above - saves time and it's easy to apply :)
We tend to do something similar to...
Obviously GPOs only actually exist where there is a need for a policy setting at that level (so there isn't actually a Teachers Internet GPO - but there could be if it was needed). Policies are set at the lowest common level. Computer Policies are disabled in User GPOs and User Policies disabled in Computer GPOs.
School Users OU
----Internet GPO for All Users
----Security GPO for All Users
----Software Install GPO for All Users
----Staff Users Sub-OU
--------Internet GPO for Staff Users
--------Security GPO for Staff Users
--------Software Install for Staff Users
----------------Internet GPO for Teachers
----Student Users Sub-OU
--------Internet GPO for Student Users
--------Security GPO for Student Users
--------Software Install for Student Users
As you say, it's a trade off between granular policy control and login/boot up speed.
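The practice described above (Computer Policies disabled in User GPOs and User Policies disabled in Computer GPOs) can be audited with the GroupPolicy PowerShell module from RSAT. This is an added example, not something posted in the thread; the function name `Set-UnusedGpoHalfDisabled` is hypothetical, and it only reports unless `-Apply` is passed.

```powershell
Import-Module GroupPolicy

function Set-UnusedGpoHalfDisabled {
    [CmdletBinding()]
    param(
        # Assumption: the two built-in policies are left untouched, as the thread advises.
        [string[]]$Exclude = @('Default Domain Policy', 'Default Domain Controllers Policy'),
        # Without -Apply the function only reports what it would change.
        [switch]$Apply
    )

    foreach ($gpo in (Get-GPO -All | Where-Object { $_.DisplayName -notin $Exclude })) {
        # DSVersion increments on every edit to that half of the GPO.
        # 0 means the half has never held a setting, so processing it is wasted work.
        $userUsed     = $gpo.User.DSVersion -gt 0
        $computerUsed = $gpo.Computer.DSVersion -gt 0

        $wanted = $null
        if ($userUsed -and -not $computerUsed) {
            $wanted = 'ComputerSettingsDisabled'
        } elseif ($computerUsed -and -not $userUsed) {
            $wanted = 'UserSettingsDisabled'
        }

        # Only ever tighten: a GPO someone has already disabled (fully or partly)
        # is reported but never modified, and empty or mixed GPOs are left alone.
        $before = $gpo.GpoStatus
        $change = [bool]($wanted -and $before -eq 'AllSettingsEnabled')
        if ($change -and $Apply) {
            $gpo.GpoStatus = $wanted   # written to the directory immediately
        }

        [pscustomobject]@{
            Gpo             = $gpo.DisplayName
            UserVersion     = $gpo.User.DSVersion
            ComputerVersion = $gpo.Computer.DSVersion
            StatusBefore    = $before
            Recommended     = $wanted
            Changed         = ($change -and $Apply)
        }
    }
}

# Report only; add -Apply after reviewing the output.
Set-UnusedGpoHalfDisabled | Format-Table -AutoSize
```

A half that was edited and later emptied still has a non-zero version, so it is left enabled and shows up in the report for manual review.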
We have the following:
computer settings classroom
computer settings offices
computer settings laptop
user settings folder redirection
user settings staff UI
user settings staff internet
user settings student internet
user settings sixthform internet
user settings student UI
user settings software restrictions
user settings google staff (contains chrome and earth and update)
user settings google students (contains chrome and earth and update)
user settings google sysadmin
user settings office2010