If a group policy will be applied to many different locations, you should create the policy once and assign the permissions, and then link the policy to the other locations rather than creating the policy multiple times. Linking the policies achieves the following objectives:
Configuring the Group Policy Snap-in
When a site administrator opens the GPMC or the group policy through ADUC, the domain controller that is used to make and process group policy changes is, by default, the one that holds the FSMO role of PDC Emulator Operations Master. Although this default was chosen to help eliminate replication problems, it can cause frustration and delays for remote administrators, who must wait for changes to a group policy under their control to replicate from the remote PDC Emulator DC. To force the GPMC and Group Policy snap-in to use the most available domain controller, enable the following group policy: User Configuration, Administrative Templates, System, Group Policy, Group Policy Domain Controller Selection. Choose Use Any Available Domain Controller, or choose Inherit From Active Directory Snap-ins to use the DC to which the open snap-in is connected. The default, which points to the PDC Emulator, is Use the Primary Domain Controller. Figure 21.3 shows the domain controller selection of Inherit From Active Directory Snap-ins.
Figure 21.3. Configuring the domain controller selection.
Disabling Configuration Settings
To speed up login and boot times for users, it is recommended that if the entire User Configuration or Computer Configuration section is not being used in a GPO, the unused section should be disabled for the GPO. This expedites the user login time or the computer boot time, as the disabled sections aren't parsed upon boot or login.
To disable configuration settings using Active Directory Users and Computers:
To disable configuration settings using the GPMC:
Viewing Group Policy Using the Show Configured Policies Only
Searching through Administrative Templates for a particular group policy that is configured can be very time consuming. However, ADUC and the GPMC can be configured easily to show only the Administrative Templates objects that are configured. This removes from the view any policies or policy folders that don't have policies configured within them, making it much easier and faster to find a specific configured policy. Figure 21.4 shows what a GPO looks like when viewed using the Show Configured Policies Only option.
Figure 21.4. Standard Group Policy Object screen.
To view only the configured policies while using ADUC or the GPMC:
Deleting Orphaned Group Policies
When a GPO is deleted, you have two choices: Delete the link or delete the entire policy. Each option carries certain consequences. If the Group Policy Object should be removed from being applied at that location but it is or will still be applied elsewhere, choose to remove just the link. This leaves it in the available group policy list for future use. If the GPO will not be used elsewhere or ever again, delete the object permanently. This removes the policy from SYSVOL permanently and removes it from Active Directory. If the policy won't ever be used again and the policy isn't fully deleted, this results in the Group Policy being left unused in the SYSVOL area on each domain controller. This adds unnecessarily to the time it takes to create a new domain controller, and increases replication time and storage space on the domain controller.
If you are using ADUC to access Group Policy, Windows 2003 presents you with two choices when trying to delete a group policy: Remove the Link From the List or Remove the Link and Delete the Group Policy Object Permanently.
If you are using the GPMC, delete the link by right-clicking on the Group Policy Object under the object to which it is applied. A pop-up box appears that asks, "Do you want to delete this link? This will not delete the GPO itself," thereby leaving the GPO available for linking elsewhere. To delete the link, click OK in the box. To fully delete the GPO, click on the folder in GPMC titled Group Policy Objects. Right-click the GPO and choose Delete. A pop-up box appears asking "Do you want to delete this GPO and all links to it in the domain? This will not delete links in other domains." To complete the deletion, click OK.
Note: Be sure to check whether the GPO is linked elsewhere in the domain before deleting the object completely. This can be done through the GPMC and ADUC.
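
The pre-deletion link check from the note above, as an added example that is not part of the original text: it summarises the links recorded in a GPO's XML report so unlinked GPOs stand out. The function name, sample GPO names and OU paths are constructed, and the live query in the final comment assumes the GroupPolicy PowerShell module shipped with later GPMC/RSAT releases rather than the Windows 2003 tools described here.

```powershell
# Added example (not from the original text). The live query in the final
# comment assumes the GroupPolicy module that ships with GPMC/RSAT.

function Get-GpoLinkSummary {
    # Summarise the <LinksTo> entries of one GPO report (XML format).
    param([Parameter(Mandatory, ValueFromPipeline)][xml]$Report)
    process {
        # Match on LocalName so the report's XML namespace does not matter.
        $links = @($Report.GPO.ChildNodes |
                   Where-Object { $_.LocalName -eq 'LinksTo' })
        [pscustomobject]@{
            Name         = $Report.GPO.Name
            LinkCount    = $links.Count
            EnabledLinks = @($links | Where-Object { $_.Enabled -eq 'true' }).Count
            LinkedTo     = ($links | ForEach-Object { $_.SOMPath }) -join '; '
            # No links recorded: candidate for full deletion after review.
            Unlinked     = ($links.Count -eq 0)
        }
    }
}

# Constructed sample reports (hypothetical GPO names and OU paths).
[xml]$linked = @'
<GPO>
  <Name>Workstation Lockdown</Name>
  <LinksTo><SOMName>Sales</SOMName><SOMPath>example.local/Sales</SOMPath><Enabled>true</Enabled></LinksTo>
  <LinksTo><SOMName>Kiosks</SOMName><SOMPath>example.local/Kiosks</SOMPath><Enabled>false</Enabled></LinksTo>
</GPO>
'@
[xml]$unlinked = @'
<GPO>
  <Name>Old Printer Mapping</Name>
</GPO>
'@

$linked, $unlinked | Get-GpoLinkSummary | Format-Table -AutoSize

# Against a live domain:
#   Get-GPO -All |
#     ForEach-Object { [xml](Get-GPOReport -Guid $_.Id -ReportType Xml) } |
#     Get-GpoLinkSummary | Where-Object Unlinked
```

A GPO with links but no enabled links is still linked, so removing it changes what would apply if a link were re-enabled; links in other domains, which the GPMC prompt says are not deleted, should be checked in those domains as well.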