Best Practices


  • Stick to a naming convention that makes the function of each policy easy to identify as you build policies for your environment. Windows Server 2003 does not prevent you from giving two policies the same name, but doing so would be confusing.

  • Use Block Policy Inheritance and No Override sparingly. These features are great tools for applying Group Policy in organizations with strict hierarchical frameworks and for organizations with distributed administration. They can also make troubleshooting your policies difficult.

  • Disable unused parts of Group Policy Objects. If your policy uses only User Configuration, you can disable Computer Configuration. Likewise, if you are modifying only Computer Configuration through policy, you can disable User Configuration. This speeds up the startup and logon process for those network clients receiving the policy.

  • Avoid cross-domain policy assignments. Again, to expedite the startup and logon process, have your users receive their policy assignments from their own domains. This tip is particularly important for the management of remote users.

  • Assign or publish software to high-level Active Directory objects. Because Group Policy settings apply by default to child containers, it is simpler to assign or publish applications by linking a Group Policy Object to a parent organizational unit or domain.

  • Assign or publish just once per Group Policy Object. Again, for simpler management and troubleshooting, associate each installation package with one group policy and each policy with one piece of software; this will alleviate future confusion. Also, do not assign or publish to both the Computer Configuration and User Configuration of a Group Policy Object.

  • Repackage existing software. Because software is installed with Microsoft Windows Installer Packages (MSIs) via Group Policy, you may need to repackage software that is compiled with Setup.exe.

  • Allow the system to create the folders. If you create the folders yourself, they will not have the correct permissions.

  • Do not redirect My Documents to the home directory. This feature is available but should be used only if you have already deployed home directories in your organization. Redirection to the home directory is available only for backward compatibility.

  • Enable client-side caching. This is important for users with portable computers.

  • Synchronize offline files before logging off. This feature of folder redirection should always be enabled to ensure that current files are available to users who work offline.

  • Use fully qualified (UNC) paths, such as \\server\share. Although paths like c:\foldername can be used, the path may not exist on all your target network clients, and redirection would fail.

  • Use the Offline Files feature of IntelliMirror to simplify management of mobile users. This feature allows the users to work on network files when they are not actually connected to the network.

  • Set offline files to synchronize when users log on and periodically synchronize in the background. This way, you can ensure that the users' files are always up to date.

  • Implement a virtual private network (VPN) server solution if you intend to add security to your remote users' connections to the network.

  • Implement a highly managed configuration that does not require highly managed users to have computer skills for data management, software installs, or system configuration. If the highly managed users all save data to the same server volume, you can then also implement disk quotas on the network shares for them.

  • Implement a lightly managed desktop policy to manage your software developer network clients. These users should run with Power Users privileges. Being a member of the Power Users group enables this functionality, provided you have not applied a group policy that limits the system directories on the workstation.

  • Implement IPSec group policies and use Encrypting File System for high-security users.

  • Have administrators use standard user accounts to do their day-to-day tasks and use administrator accounts only when the task demands it. Enforce screensavers on Administrator workstations.
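
The naming and "disable unused parts" items above can be checked with a short audit script. This is an added example, not code from the book; the function name Find-GpoHygieneIssue and the sample objects are hypothetical. It assumes input shaped like the output of Get-GPO -All from the GroupPolicy PowerShell module, which postdates Windows Server 2003 and runs from a newer management workstation.

```powershell
# Added example: report GPOs that share a display name and GPOs whose
# never-edited half (User or Computer Configuration) is still enabled.
function Find-GpoHygieneIssue {
    param([Parameter(Mandatory)][object[]]$Gpo)

    # Active Directory allows two GPOs with the same display name.
    $Gpo | Group-Object DisplayName | Where-Object Count -gt 1 | ForEach-Object {
        [pscustomobject]@{ Issue = 'DuplicateName'; Name = $_.Name
                           Detail = ($_.Group.Id -join ', ') }
    }

    foreach ($g in $Gpo) {
        $status = [string]$g.GpoStatus
        # Heuristic: a directory version of 0 means that half was never edited.
        # A half that was edited and later emptied keeps a nonzero version.
        $userEmpty = $g.User.DSVersion -eq 0
        $compEmpty = $g.Computer.DSVersion -eq 0
        $userOn = $status -in 'AllSettingsEnabled', 'ComputerSettingsDisabled'
        $compOn = $status -in 'AllSettingsEnabled', 'UserSettingsDisabled'

        if ($userEmpty -and $userOn) {
            [pscustomobject]@{ Issue = 'UnusedUserConfigEnabled'
                               Name = $g.DisplayName; Detail = [string]$g.Id }
        }
        if ($compEmpty -and $compOn) {
            [pscustomobject]@{ Issue = 'UnusedComputerConfigEnabled'
                               Name = $g.DisplayName; Detail = [string]$g.Id }
        }
    }
}

# Constructed sample data (names and GUIDs are made up, not from a real domain).
function New-SampleGpo($Name, $Id, $Status, $UserVer, $CompVer) {
    [pscustomobject]@{
        DisplayName = $Name; Id = $Id; GpoStatus = $Status
        User     = [pscustomobject]@{ DSVersion = $UserVer }
        Computer = [pscustomobject]@{ DSVersion = $CompVer }
    }
}
$sample = @(
    New-SampleGpo 'Desktop Lockdown' '00000000-0000-0000-0000-000000000001' 'AllSettingsEnabled' 4 0
    New-SampleGpo 'Desktop Lockdown' '00000000-0000-0000-0000-000000000002' 'ComputerSettingsDisabled' 2 0
    New-SampleGpo 'Server Baseline'  '00000000-0000-0000-0000-000000000003' 'UserSettingsDisabled' 0 7
)

# Against a live domain, replace $sample with: (Get-GPO -All)
Find-GpoHygieneIssue -Gpo $sample | Format-Table -AutoSize
```

With the sample data, the script reports one duplicate name ("Desktop Lockdown") and one GPO whose empty Computer Configuration is still enabled.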




Microsoft Windows Server 2003 Unleashed (R2 Edition)
ISBN: 0672328984
EAN: 2147483647
Year: 2006
Pages: 499
