Designing Group Policy


When designing Group Policy, the design team needs to determine the best way to implement it for management purposes. GPOs must be designed in such a way that enables the current IT organization to easily manage them.

A set of standards should be in place so that the creation and organization of GPOs remain consistent throughout the network. In designing Group Policy, you need to consider how administration is distributed throughout the network (centralized versus decentralized). The design team also needs to determine who will be responsible for administering each GPO and the level of administrative control that person will be assigned.

When organizing GPOs, you have three options: single policy, multiple policy, and dedicated policy. Keep in mind that the implementation you choose will affect several things, including the maintainability of the GPO, logon times as Group Policy is processed, and the ability to delegate GPO maintenance tasks. The three policy types are as follows:

  • Single policy: In this implementation, a separate policy is created for each of the different policy options. Separate Group Policies could be created for application settings, security settings, and desktop settings. With this type of implementation, different users or groups can be given authority over different areas of Group Policy. If this type of option is implemented in the XYZ Corporation, there could be several GPOs applied to the Users container, each with different settings. This implementation would best meet the needs of a business that distributes the administrative tasks among different users or groups (decentralized).

  • Multiple policy: With this type of implementation, one GPO contains all the settings that need to be applied to a container. Therefore, one GPO would contain all the application, security, Windows, and administrative settings. This option is best suited to a business that implements a centralized administrative model.

  • Dedicated policy: In this structure, settings are divided into two general categories. For example, one GPO would be created to hold the computer settings, and another GPO would contain the user settings.

When designing Group Policy, also take into consideration which users or groups will be assigned delegation of control over the GPOs and the type of permissions they will require. Will the user or group be given the right to create new GPOs, modify existing policies, or link policies between sites and domains? Or will he be given full control? The type of permissions assigned to users is determined by how the business currently distributes administrative tasks.

Chapter 5 discussed delegation of authority for distributing administrative duties among users and groups. When designing Group Policy, also keep in mind delegation of authority. Specific users and groups can be granted administrative responsibility over a GPO. The design team must therefore determine who will be responsible for administering different GPOs and the type of privilege required.

When delegating control over a GPO to a user or group, you have three options to assign: creating, modifying, and linking. Here are some questions to keep in mind:

  • Should the user or group have the ability to create new GPOs (specifying his own policy settings) for a container?

  • Should the user or group have the ability to modify an existing GPO?

  • Should the user or group have the ability to link a container to an existing GPO?

The option you choose obviously determines the scope of administrative control a user or group has over a GPO. Remember to assign only the necessary permissions for a user or group to carry out his job.
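
As an added example (not from the book), the following PowerShell audit lists who currently holds the create and modify rights described above, so the delegation can be checked against the least-privilege rule. It assumes the GroupPolicy and ActiveDirectory RSAT modules, which postdate Windows 2000, and a hypothetical `$ExpectedEditors` allow-list. The link right is granted on the site, domain, or OU itself rather than on the GPO, so it is not covered here.

```powershell
# Added example: audit create and modify delegation over GPOs in the current domain.
# Run from a domain-joined host with the RSAT GroupPolicy and ActiveDirectory modules.
Import-Module GroupPolicy, ActiveDirectory

# Assumption: trustees that are expected to hold edit rights. Adjust per domain.
$ExpectedEditors = @('Domain Admins', 'Enterprise Admins', 'SYSTEM')

# "Create": members of the built-in Group Policy Creator Owners group.
$creators = Get-ADGroupMember -Identity 'Group Policy Creator Owners' -Recursive |
    ForEach-Object {
        [pscustomobject]@{
            Right   = 'Create'
            Gpo     = '(domain-wide)'
            Trustee = $_.SamAccountName
            Detail  = $_.objectClass
        }
    }

# "Modify": trustees holding an edit-level permission on each GPO.
$editLevels = 'GpoEdit', 'GpoEditDeleteModifySecurity'
$editors = foreach ($gpo in Get-GPO -All) {
    Get-GPPermission -Guid $gpo.Id -All |
        Where-Object { $editLevels -contains $_.Permission.ToString() } |
        ForEach-Object {
            [pscustomobject]@{
                Right   = 'Modify'
                Gpo     = $gpo.DisplayName
                Trustee = $_.Trustee.Name
                Detail  = $_.Permission
            }
        }
}

# Report every creator, plus modify rights held by anyone outside the allow-list.
$unexpected = $editors | Where-Object { $ExpectedEditors -notcontains $_.Trustee }
$findings = @($creators) + @($unexpected)
$findings | Sort-Object Right, Gpo, Trustee | Format-Table -AutoSize
```

Each row in the output is a delegation to justify against the questions above or to remove.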



MCSE Active Directory Services Design. Exam Cram 2 (Exam Cram 70-219)
MCSE Windows 2000 Active Directory Services Design Exam Cram 2 (Exam Cram 70-219)
ISBN: 0789728648
EAN: 2147483647
Year: 2003
Pages: 148
