Re: [ActiveDir] Best practice GPO's

[Timo Ed]

Dan, I agree with Darrens comments but will add that as general rule
its better to include all setting in one GPO and unlock settings for
individual requirements with single GPOs, rather than the other way
around as it seems you are doing it.

Rgds,
Tim


List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/

RE: [ActiveDir] Best practice GPO's

[Darren Mar-Elia]

Dan-
The decision to separate out policy settings into different 
GPOs should be made based on who will be managing those GPOs. If you have 
separate teams or people that need to manage WSUS settings but not LCS settings, 
then it will be easier to delegate access to those settings if they are in 
separate GPOs. However, if not, then your overriding goal is to generally keep 
the number of GPOs to a minimum number that meets your business needs. If you 
take the "separate GPO for each setting type" approach, you will quickly have 
hundreds of GPOs over time. So let the management of the GPOs drive how granular 
or monolithic you make them. 
 
Also, one quick point 
on your comments below. You talk about placing all these policies in a created 
OU called "GPOs". GPOs don't reside in OUs. They can be linked to OUs, but they 
are stored per-domain and don't need to be linked to anything to be managed. 
This is where using the GPMC to manage your GP infrastructure comes in 
handy, because it shows you all GPOs defined in a domain, and then it shows you 
the links to those GPOs on a per-container basis. 

 
Darren
 
 

Darren Mar-Elia
For comprehensive 
Windows Group Policy Information, check out www.gpoguy.com-- the best source for GPO tips, 
tools and whitepapers. Also check out the Windows 
Group Policy Guide, a soup-to-nuts resource for Group Policy 
information.
 



From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of Cariglia, 
DanielSent: Wednesday, May 24, 2006 8:07 AMTo: 
ActiveDir@mail.activedir.orgSubject: [ActiveDir] Best practice 
GPO's


Hello,
 
    
What is the best practice for applying policy in AD?  Currently we create a GPO for every 
separate “policy” we want to apply (WSUS, DNS search order, LCS and so on…) and 
we place all these policies in a created OU called “GPO’s” and link that to 
different OU’s as needed.  My 
question is are we better off to stay with this method or should we limit the 
number of GPO’s and combine policies into one GPO?  For example should we take the policy 
settings from WSUS, DNS and LCS and put them into one (1) GPO instead of the 
three (3) separate policies that are currently being 
applied?
 
  It seems easier to manage them when they 
are separated by function. I am curious if I am missing something that will 
cause issues down the road as the numbers of policies will most likely increase 
significantly in the future as we try to reign in the desktops and the 
users.  Thank you in advance for all 
responses.
 
Dan
 
 

[ActiveDir] Best practice GPO's

[Cariglia, Daniel]

Hello,

 

    What
is the best practice for applying policy in AD?  Currently we create a GPO for every separate
“policy” we want to apply (WSUS, DNS search order, LCS and so on…)
and we place all these policies in a created OU called “GPO’s”
and link that to different OU’s as needed.  My question is are we better off to stay
with this method or should we limit the number of GPO’s and combine
policies into one GPO?  For example
should we take the policy settings from WSUS, DNS and LCS and put them into one
(1) GPO instead of the three (3) separate policies that are currently being
applied?

 

  It seems easier to manage them when they
are separated by function. I am curious if I am missing something that will
cause issues down the road as the numbers of policies will most likely increase
significantly in the future as we try to reign in the desktops and the users.  Thank you in advance for all responses.

 

Dan