Dan-

The decision to separate out policy settings into different GPOs should be made based on who will be managing those GPOs. If you have separate teams or people that need to manage WSUS settings but not LCS settings, then it will be easier to delegate access to those settings if they are in separate GPOs. However, if not, then your overriding goal is to generally keep the number of GPOs to a minimum number that meets your business needs. If you take the "separate GPO for each setting type" approach, you will quickly have hundreds of GPOs over time. So let the management of the GPOs drive how granular or monolithic you make them.

Also, one quick point on your comments below. You talk about placing all these policies in a created OU called "GPOs". GPOs don't reside in OUs. They can be linked to OUs, but they are stored per-domain and don't need to be linked to anything to be managed. This is where using the GPMC to manage your GP infrastructure comes in handy, because it shows you all GPOs defined in a domain, and then it shows you the links to those GPOs on a per-container basis.

Darren
Darren Mar-Elia
For comprehensive
Windows Group Policy Information, check out www.gpoguy.com-- the best source for GPO tips,
tools and whitepapers. Also check out the Windows
Group Policy Guide, a soup-to-nuts resource for Group Policy
information.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Cariglia, Daniel
Sent: Wednesday, May 24, 2006 8:07 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Best practice GPO's

Hello,

What is the best practice for applying policy in AD? Currently we create a GPO for every separate “policy” we want to apply (WSUS, DNS search order, LCS and so on…) and we place all these policies in a created OU called “GPO’s” and link that to different OU’s as needed. My question is are we better off to stay with this method or should we limit the number of GPO’s and combine policies into one GPO? For example should we take the policy settings from WSUS, DNS and LCS and put them into one (1) GPO instead of the three (3) separate policies that are currently being applied?

It seems easier to manage them when they are separated by function. I am curious if I am missing something that will cause issues down the road as the numbers of policies will most likely increase significantly in the future as we try to rein in the desktops and the users. Thank you in advance for all responses.

Dan
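
The inventory Darren describes getting from the GPMC (every GPO in the domain, then where each one is linked) can also be produced from PowerShell, together with who is delegated edit rights on each GPO. This is an added example, not part of the original thread; it assumes the GroupPolicy module (installed with GPMC/RSAT) and a domain account with read access to the GPOs, and the grouping by editors at the end is only a heuristic for spotting consolidation candidates.

```powershell
# Added example: list every GPO in the current domain, where it is linked,
# and which trustees are delegated the right to edit it.
Import-Module GroupPolicy

$inventory = foreach ($gpo in Get-GPO -All) {
    # The XML report carries one <LinksTo> element per site, domain or OU link.
    # A GPO with no links still exists in the domain and still shows up here.
    [xml]$report = Get-GPOReport -Guid $gpo.Id -ReportType Xml
    $links = @($report.GPO.LinksTo | Where-Object { $_ } |
        ForEach-Object { $_.SOMPath })

    # Trustees who can change the GPO, i.e. the people or teams managing it.
    $editors = @(Get-GPPermission -Guid $gpo.Id -All |
        Where-Object {
            $_.Permission.ToString() -in 'GpoEdit', 'GpoEditDeleteModifySecurity'
        } |
        ForEach-Object { $_.Trustee.Name } |
        Sort-Object -Unique)

    [pscustomobject]@{
        Name      = $gpo.DisplayName
        LinkCount = $links.Count
        LinkedTo  = $links -join '; '
        Editors   = $editors -join '; '
    }
}

# Full inventory, one row per GPO, linked or not.
$inventory | Sort-Object Name | Format-Table -AutoSize -Wrap

# GPOs with no links anywhere: stored in the domain but applied to nothing.
$inventory | Where-Object LinkCount -eq 0 | Select-Object Name, Editors

# Heuristic: GPOs that share the same set of editors are managed by the same
# people, so splitting them buys no delegation benefit.
$inventory | Group-Object Editors | Sort-Object Count -Descending |
    Select-Object Count, @{ n = 'Editors'; e = { $_.Name } }
```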