+1. "Good descriptions will go a long way too" - +1 bazillion! I use the description field and as much of it as possible.
From: James Rankin [mailto:kz2...@googlemail.com]
Sent: Friday, August 07, 2009 2:22 AM
To: NT System Admin Issues
Subject: Re: GPO for a single user

+1 on the "one GPO, one function" rule. I apply it to security groups as well. Nothing worse than deleting something and finding it does something other than "what it says on the tin" - as I found when I removed a distribution group only to realise it had been used to provide permissions (!) on an intranet site.

Good descriptions will go a long way too. I try and show from the name/description what a GPO does, what scope of users/computers it applies to, and whether there is any item-level targeting. Makes it a hell of a lot easier for someone to follow your work when you finally leave.

2009/8/7 Ken Schaefer <k...@adopenstatic.com>

I've worked in organisations with tens of thousands of users (currently on a project to migrate around 100,000 users to a consolidated AD), and they consequently have many, many GPOs. A good naming convention is pretty much all I've seen that is needed.

Splitting GPOs up so that they only do one particular thing (e.g. software distribution, or admin settings) is a good start. You may wish to separate computer and user settings as well. Then you can have (for example)

Software-Computer-ApplicationName.VersionNumber

for all your software GPOs that apply by computer. All of the software related GPOs are grouped together, and then by computer or user, and then they are sorted by application name and version. Relatively easy to find.

Now, you might have a lot of apps distributed this way, so you'll want some GPOs that distribute common groups of apps, and you can create those GPOs as well.

For your WSUS building thing:

Admin Settings-Computer-WSUS-SiteCode1-L1
Admin Settings-Computer-WSUS-SiteCode1-L2
Admin Settings-Computer-WSUS-SiteCode1-L3
Admin Settings-Computer-WSUS-SiteCode2-L1

would sort those in a manner that would be relatively easy to locate things in.
Cheers
Ken

From: tony patton [mailto:tony.pat...@quinn-insurance.com]
Sent: Thursday, 6 August 2009 6:40 PM
To: NT System Admin Issues
Subject: RE: GPO for a single user

That's what we do, but different conventions over the years as things increase just gets messy. We have policies for different departments/sites, production/test, software installs/reg changes, WSUS, desktops/servers, etc. The majority of settings are in the default policy, but there are a lot that are not.

For WSUS, I wanted to split up the buildings on each site by IP range to distribute the installation to different departments. An example of this is 1 department requires IE7 for a webapp, but another department's webapp is only supported by the vendor on IE6. There is very little cross-contamination of departments within the same section of the buildings. I started with the most recent office opened, 3 floors, 6 IP ranges, so I ended up with 6 GPOs and 6 WMI filters just for the target group in WSUS. Did 1 more site with 4 scopes and never got round to doing the rest of them. The ranges are from 2 to 11 different IP ranges across 8 sites.

A lot of moving about to check different settings; it just would be nice to have OUs for GPOs and WMIs, just for visibility, easier to see all the related policies without everything else. Thought something like this would have made it into WS08, but unfortunately not. Not that we'll be upgrading anytime soon; there was a project in motion to do this but it's been side-lined for one reason or another. Think it came down to having to purchase new CALs for 2800 desktops, not 100% sure.
Regards
Tony Patton
Desktop Operations Cavan
Ext 8078
Direct Dial 049 435 2878
email: tony.pat...@quinn-insurance.com

Ken Schaefer <k...@adopenstatic.com>
06/08/2009 10:16
Please respond to "NT System Admin Issues" <ntsysadmin@lyris.sunbelt-software.com>
To: "NT System Admin Issues" <ntsysadmin@lyris.sunbelt-software.com>
Subject: RE: GPO for a single user

Most people use a naming convention to have the list sorted, and this tends to "group" the GPOs. What sorts of things are you imagining for grouping?

Cheers
Ken

From: tony patton [mailto:tony.pat...@quinn-insurance.com]
Sent: Thursday, 6 August 2009 4:02 PM
To: NT System Admin Issues
Subject: Re: GPO for a single user

I'd just be happy with a way to organise GPOs and WMI Filters, instead of a big flat messy list of both. It would be nice to have them grouped in some logical fashion.

Regards
Tony Patton
Desktop Operations Cavan
Ext 8078
Direct Dial 049 435 2878
email: tony.pat...@quinn-insurance.com

Ben Scott <mailvor...@gmail.com>
05/08/2009 18:14
Please respond to "NT System Admin Issues" <ntsysadmin@lyris.sunbelt-software.com>
To: "NT System Admin Issues" <ntsysadmin@lyris.sunbelt-software.com>
Subject: Re: GPO for a single user

On Wed, Aug 5, 2009 at 1:02 AM, Ken Schaefer <k...@adopenstatic.com> wrote:
> Sorry, but I'm failing to see why this particular feature request
> is one that should go in, but inevitable requests for additional
> extensions to the functionality should not :-)

Because I said so, of course.
;-)

To me, it's a combination of the zero-one-infinity rule, and a more fuzzy concept that I'm finding hard to articulate, but has something to do with the fact that it makes sense to be able to apply things individually or in groups. We already have a mechanism for groups, but nothing for individuals (except a degenerate case of groups). I guess I'm thinking along the lines of HKCU vs HKLM registry settings, or /etc/profile vs $HOME/.profile for the Unix shell, etc. Like I said, I'm having trouble articulating this, but I'm pretty sure there's a difference. (I have a reason. Just give me a minute to think of one. ;-) )

Come to think of it, it probably would have made more conceptual sense for the design to have GPO application be driven by groups to begin with, with OUs being irrelevant for GPOs. We end up applying GPOs based on group membership a lot anyway, so why not just make that how it works? (I realize that may have been a performance issue, or a code maintenance issue due to all the crufty old NTLM code that's still around. I also realize this is 20/20 hindsight.)

-- Ben

--
"On two occasions...I have been asked, 'Pray, Mr Babbage, if you put into the machine wrong figures, will the right answers come out?' I am not able rightly to apprehend the kind of confusion of ideas that could provoke such a question."
http://raythestray.blogspot.com

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~
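The "Category-Scope-Subject" naming convention Ken lays out, and James's point about filling in the description field, are both easy to audit once the rule is written down. The script below is an added example, not code from any of the list members: it checks a set of GPO display names against that convention, flags empty descriptions, and prints the conforming GPOs grouped and sorted the way Ken describes. The category list, the sample GPO objects and the exempt built-in policies are assumptions made for this example; on a domain-joined host with the GroupPolicy module, `Get-GPO -All` returns objects with the same `DisplayName` and `Description` properties and can replace the constructed `$Gpos` array.

```powershell
# Added example: audit GPO names against "Category-Scope-Subject" and flag
# empty descriptions. Sample data below is constructed; on a real domain use:
#   $Gpos = Get-GPO -All      (GroupPolicy module, RSAT or a DC)

$ValidCategories = @('Software', 'Admin Settings')          # assumed category set
$ValidScopes     = @('Computer', 'User')
$Exempt          = @('Default Domain Policy', 'Default Domain Controllers Policy')

# Constructed sample objects mirroring Get-GPO's DisplayName/Description properties.
# Three of them deliberately break the convention or lack a description.
$Gpos = @(
    [pscustomobject]@{ DisplayName = 'Software-Computer-7Zip.9.20';                Description = 'Installs 7-Zip 9.20 on all workstations' }
    [pscustomobject]@{ DisplayName = 'Software-User-Putty.0.60';                   Description = 'Publishes PuTTY 0.60 for the Network Ops group' }
    [pscustomobject]@{ DisplayName = 'Admin Settings-Computer-WSUS-SiteCode1-L1';  Description = 'WSUS target group Site1 floor 1; WMI filter on 10.1.1.0/24' }
    [pscustomobject]@{ DisplayName = 'Admin Settings-Computer-WSUS-SiteCode1-L2';  Description = '' }
    [pscustomobject]@{ DisplayName = 'Admin Settings-Computer-WSUS-SiteCode2-L1';  Description = 'WSUS target group Site2 floor 1; WMI filter on 10.2.1.0/24' }
    [pscustomobject]@{ DisplayName = 'Default Domain Policy';                       Description = 'Built-in' }
    [pscustomobject]@{ DisplayName = 'New Group Policy Object';                     Description = '' }
    [pscustomobject]@{ DisplayName = 'IE7 fix';                                     Description = 'Forces IE7 for the claims webapp' }
)

function Test-GpoName {
    # Returns a problem string, or $null when the name follows the convention.
    param([string]$Name)
    if ($Exempt -contains $Name) { return $null }
    # Split on the first two hyphens only: the subject itself may contain hyphens
    # (e.g. WSUS-SiteCode1-L1).
    $parts = $Name -split '-', 3
    if ($parts.Count -lt 3)                        { return "'$Name': expected Category-Scope-Subject" }
    if ($ValidCategories -notcontains $parts[0])   { return "'$Name': unknown category '$($parts[0])'" }
    if ($ValidScopes -notcontains $parts[1])       { return "'$Name': scope must be Computer or User, got '$($parts[1])'" }
    return $null
}

$Problems = foreach ($g in $Gpos) {
    $nameIssue = Test-GpoName $g.DisplayName
    if ($nameIssue) { $nameIssue }
    if ([string]::IsNullOrWhiteSpace($g.Description) -and $Exempt -notcontains $g.DisplayName) {
        "'$($g.DisplayName)': description is empty"
    }
}

Write-Host "GPOs needing attention:"
$Problems | ForEach-Object { Write-Host "  $_" }
Write-Host ""

# Conforming GPOs, grouped by category and scope, then sorted by subject
# (application name/version, or site code and floor), as Ken describes.
$Gpos |
    Where-Object { $Exempt -notcontains $_.DisplayName -and -not (Test-GpoName $_.DisplayName) } |
    ForEach-Object {
        $p = $_.DisplayName -split '-', 3
        [pscustomobject]@{ Category = $p[0]; Scope = $p[1]; Subject = $p[2]; Description = $_.Description }
    } |
    Sort-Object Category, Scope, Subject |
    Format-Table -GroupBy Category -Property Scope, Subject, Description -AutoSize
```

Splitting on only the first two hyphens is the one design choice worth noting: it lets the subject carry its own hyphenated structure (site code and floor, as in the WSUS examples) without the check misreading those pieces as extra fields. Running this periodically, or before a GPO cleanup, catches exactly the case James describes, where something is deleted because its name and blank description gave no hint of what it really did.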