GPO – Best Practices

Endpoint Central | January 23, 2006 | 2 min read

Group Policy Objects (GPO) Best Practices

I thought it would be interesting and useful to write about ‘GPO Best Practices’ as the first topic of the year. Microsoft recommends Active Directory and GPO for Windows desktop management. GPO has been available since Windows 2000 based domains. Microsoft's built-in tools are used for GPO management: Gpedit in the case of Windows 2000 and GPMC for 2003. Inefficient management of GPOs can have a negative impact on the network: it can slow down the logon process, cause configuration overlaps, and so on. These ‘GPO best practices’ should therefore be useful in designing a better GPO infrastructure.

Here is the traditional way of thinking about GPO best practices.

Quote:
GPO Best Practices

* Plan well before you go ahead with GPO implementation. GPO is a Swiss knife, wrong handling could cause severe damages

* Differentiate production and test environment. Don’t combine and choose a risky play ground.

* Use small GPOs for easier management. Think about rollback, File replications etc.,

* Make sure you have very few administrators who can work with GPO. Too many cooks can spoil the soup

* Proper naming conventions for GPOs are important for easier management. Baptize your configuration.

* Use GPMC for better results. It has RSoP

The list can grow with specific scenarios. Here are some ‘GPO Best Practices’ references from Microsoft and John Howard's blog.

Best practices link from Microsoft

http://blogs.technet.com/jhoward/archive/2005/01/23/359071.aspx

John Howard is one of my favourite bloggers. In the given link he has mentioned a lot of links related to GPO best practices.

In a large enterprise, the chances of running into GPO problems are high, since there will be a bunch of IT service professionals who have permissions to meddle with GPOs, which can lead to confusing and overlapping policies. It is essential to take the utmost care with GPO management in large enterprises. There are many tools available on the market for GPO and configuration management.
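One way to check two of the practices above (few people able to edit GPOs, a consistent naming convention) is a small audit script. This is an added example, not part of the original post; it assumes the GroupPolicy PowerShell module (RSAT/GPMC) for live collection, and the naming pattern, the editor threshold and the sample records are hypothetical.

```powershell
# Added example: report GPOs with too many editors or a non-conforming name.
# $NamePattern and $MaxEditors are hypothetical; set them to your own standard.
# A default GPO already grants edit rights to Domain Admins, Enterprise Admins
# and SYSTEM, so a threshold of 3 flags only trustees added beyond those.
$NamePattern = '^(PROD|TEST)-[A-Za-z0-9]+-[A-Za-z0-9-]+$'
$MaxEditors  = 3
$EditRights  = 'GpoEdit', 'GpoEditDeleteModifySecurity'

function Get-GpoAclRecord {
    # Live collection: one record per (GPO, trustee) permission entry.
    # On Windows Server 2008 R2 the cmdlet is named Get-GPPermissions.
    Import-Module GroupPolicy -ErrorAction Stop
    foreach ($gpo in Get-GPO -All) {
        foreach ($p in Get-GPPermission -Guid $gpo.Id -All) {
            [pscustomobject]@{
                Gpo        = $gpo.DisplayName
                Trustee    = $p.Trustee.Name
                Permission = [string]$p.Permission
            }
        }
    }
}

function Test-GpoHygiene {
    param([object[]]$Records)
    foreach ($group in $Records | Group-Object Gpo) {
        # Distinct trustees holding any edit-level right on this GPO.
        $editors = @($group.Group |
            Where-Object { $EditRights -contains $_.Permission } |
            Select-Object -ExpandProperty Trustee -Unique)
        [pscustomobject]@{
            Gpo            = $group.Name
            Editors        = $editors -join '; '
            TooManyEditors = $editors.Count -gt $MaxEditors
            BadName        = $group.Name -cnotmatch $NamePattern
        }
    }
}

# Constructed sample records so the check can be tried without a domain.
$sample = @(
    [pscustomobject]@{ Gpo = 'PROD-Workstations-Firewall'; Trustee = 'Domain Admins';       Permission = 'GpoEditDeleteModifySecurity' }
    [pscustomobject]@{ Gpo = 'PROD-Workstations-Firewall'; Trustee = 'Authenticated Users'; Permission = 'GpoApply' }
    [pscustomobject]@{ Gpo = 'New Group Policy Object';    Trustee = 'Domain Admins';       Permission = 'GpoEditDeleteModifySecurity' }
    [pscustomobject]@{ Gpo = 'New Group Policy Object';    Trustee = 'Helpdesk';            Permission = 'GpoEdit' }
    [pscustomobject]@{ Gpo = 'New Group Policy Object';    Trustee = 'Site-IT-East';        Permission = 'GpoEdit' }
    [pscustomobject]@{ Gpo = 'New Group Policy Object';    Trustee = 'Site-IT-West';        Permission = 'GpoEdit' }
)
Test-GpoHygiene -Records $sample | Format-Table -AutoSize
# Against a real domain: Test-GpoHygiene -Records (Get-GpoAclRecord)
```

With the sample data, the first GPO passes both checks and the second is flagged for both its default name and its four editors.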

But it would be best if we get to know about managing Group Policy in a large enterprise environment. Check out the Microsoft link which talks about GPO infrastructure management at Microsoft (pretty new, August 05). In this white paper, Microsoft IT shares its experience and recommendations on GPO. However, there is an explicit warning that the information is not to be considered procedural guidelines. You know, perhaps every enterprise has its own needs.

Here is some interesting information about the AD network of Microsoft IT; the data given here corresponds to the production environment.

Quote:
* Single Forest and 9 Domains (a total of 6 forests and 20 AD domains)

* Each domain has 7 to 30 Domain Controllers

* The IT integrated IAM is responsible for Designing AD and GPO

* They maintain 900 Individual GPO and Approve global GPOs

* GPO is most widely used for

— Password policy and auditing

— Event log settings

— Compliance

— XP Firewall settings

— Access Control for code repository

— Testing new configurations etc.,

From an administrator’s point of view, I would encourage you to collect and read about such successful IT implementations of GPO infrastructure, for a clear understanding and to evolve a better design for your own unique setup. Please feel free to post any of your GPO best practices or success stories of GPO implementors, so that others can also learn and make use of them.

~ romanus ~