Designing Group PolicyWhen designing Group Policy, the design team needs to determine the best way to implement it for management purposes. GPOs must be designed in such a way that enables the current IT organization to easily manage them. Some type of standard set should be in place so that the creation and organization of GPOs can remain consistent throughout the network. In designing Group Policy, you need to consider how administration is distributed throughout the network (centralized versus decentralized). The design team also needs to determine who will be responsible for administering the GPO and the level of administration she will be assigned. When organizing GPOs, you have three options: single policy, multiple policy, and a dedicated policy. Keep in mind that the implementation you choose will affect several things, including the maintainability of the GPO, logon times as Group Policy is processed , and the ability to delegate GPO maintenance tasks . The three policy types are as follows :
When designing Group Policy, also take into consideration which users or groups will be assigned delegation of control over the GPOs and the type of permissions they will require. Will the user or group be given the right to create new GPOs, modify existing policies, or link policies between sites and domains? Or will he be given full control? The type of permissions assigned to users is determined by how the business currently distributes administrative tasks. Chapter 5 discussed delegation of authority for distributing administrative duties among users and groups. When designing Group Policy, also keep in mind delegation of authority. Specific users and groups can be granted administrative responsibility over a GPO. The design team must therefore determine who will be responsible for administering different GPOs and the type of privilege required. When delegating control over a GPO to a user or group, you have three options to assign: creating, modifying, and linking. Here are some questions to keep in mind:
The option you choose obviously determines the scope of administrative control a user or group has over a GPO. Remember to assign only the necessary permissions for a user or group to carry out his job. |