GPO best practice-One big one or Lots of little ones?

  • Thread starter Thread starter Bob Williamson
  • Start date Start date
B

Bob Williamson

I saw a webcast form MS that stated it is better to have allot of individual
GPOs as opposed to a single complex one.

I have also heard that adding a bunch of GPOs increases the over head when
logging on and single complex ones while make the logon process faster.

I am leaning towards making a bunch of small ones, with names that are
appropriate for the settings (Like GPOs named "desktop lockdown",
Intellimirror settings" etc.) since I am guessing the overhead is fairly
small....

Please enlighten me as to the "Best Practice".

Thanks,
Bob
 
Hello Bob.

This depends of how your logical structure is build with Domains, sites and
OUs. The best tips I have is to leave the Default Domain Policy al most with
out any settings. You can set things that you are sure you want to implement
to the whole organization as Audit. If you have an Enterprise with more than
one domain or a domain tree, you may want to set this default policies at
site level, I have done so.

Well a policy for each setting is not god, and will slow down network
performing. But like "Desktop Settings" , "Profiles and Folder Redirection
Settings" is good. How ever you can disable the part of the policy you not
need, if you have a policy that you planning to apply to an OU with only
user accounts or only have settings applied under the Users Configuration,
you can disable the part for Computer Configuration and the other way
around, this will result in grater login times.

--
Regards,

Christoffer Andersson
No email replies please - reply in the newsgroup
If the information was help full, you can let me know at:
http://www.itsystem.se/employers.asp?ID=1
 
I believe smaller policies are better like you are doing. Giving polices
specific names will keep things from getting messy because soon you will not
know what a huge policy is actually doing.
 
This argument is valid, however, with the production of the Group Policy
Management Console, I think that a few bigger policies can be a better
option because you can see exactly what that policy is doing through the
console. It's quite slick...

Jared
 
Back
Top