  exocet_cm In memory of dadkins Premium join:2003-03-23 New Orleans, LA clubs:   1 edit | One big group policy or multiple small group policies
Is it better to have multiple small group policies or one group policy for any given OU? |
|
  boognish Premium join:2001-09-26 Baton Rouge, LA clubs: | I do lots of small ones and name them what function they perform. -- don't get 2 close 2 my fantasy |
|
 lorennerol Premium join:2003-10-29 Seattle, WA
| I wish there was a simple way to hide the settings that aren't default. I know RSOP sort of accomplishes this, but having to wade through thousands of settings in GP just to get to the one I'm using is a pain and is the primary reason that I put multiple settings in one GPO. |
|
  The WeaseL Premium join:2001-12-03 Minnesota | reply to exocet_cm I normally opt for more smaller ones. |
|
  devnullgt yep..I'm still alive Premium join:2000-11-06 King Of Prussia, PA | reply to exocet_cm
1 Default Workstation
1 Default Server
Those two have the very common settings such as allowing RDP, NTP source, WSUS source, password settings, etc.
Then smaller ones for specific functions. |
|
  exocet_cm In memory of dadkins Premium join:2003-03-23 New Orleans, LA clubs:   | reply to exocet_cm Re: One big group policy or multiple small group policies
Thanks for the replies guys.  |
|
  techjoe Premium join:2004-02-20 Schererville, IN
| reply to exocet_cm Re: One big group policy or multiple small group policies
There's really no perfect answer. It totally depends on your AD design and what you're trying to do.
Things that apply to the organization go at the top and I typically group them together in a few large policies. I have one for the "Defaults" per se that we enforce, then the password policy object, then a few smaller ones.
Quite often I start out with a new setting in a new GPO object. After it's production-ready I apply it to a single OU, then ramp it up. I'd rather keep the break scope to a single container than the whole domain. Keeps the VIPs from being early adopters and everything too.
Once it's "tried and true" I'll combine it into an existing policy. If it's a temporary policy (say a machine startup script for a project, something like that) it will remain in its own object and be linked that way.
Deciding which policy to tack settings onto, or which to combine/split, has a lot to do with your needed scope. If you intend to exclude OUs, using loopback, only really need it on a single OU, having it separated has obvious advantages. But remember, now when you add a new OU (new facility, new department, whatever) you have to link those small policies by hand. I hate going back and splitting GPOs I combined or lumped settings in initially... But I hate having to verify numerous objects for a single "function" (IE8 defaults, for example). So there's a middle ground that really depends on the administrator and the AD design.
How often you change the policy plays a big role too.
The best thing I can say to the OP and everyone else, is check out »207.46.16.252/en-us/magazine/200···erf.aspx .
OK good, so it looks simple and straightforward.
Now look at an example of the official MS words on it.. »support.microsoft.com/default.as···&sd=tech
Long story short, if you're designing the policy with how often it has to be applied/changed/etc and all of that it's not an issue, especially on decent hardware/connections. Just keep your sanity in mind..  -- Baka wa shinanakya naoranai |
|
  NetAdmin CCNA
join:2008-05-22
| reply to exocet_cm As someone else has said, it depends on your setup.
I tend to make a default policy for the servers, workstations and users which contain policies that should be uniform across the board for that type of object. Then, as I create OUs, policies are created that are specific for those OUs.
Of course, now that I work for a large corporation, those policies come from corporate security, so I don't even get to touch them. Which is usually a good thing, but sometimes it causes problems. -- Kilroy was here |
|
 adamtech78
join:2006-01-25 Chicago, IL | We are in a way screwed with the default policy. Too much stuff is included in it.
So that's my tip. I would do more smaller ones, but |
|