Group Policy Notes

General Notes

Design your domain and OU structure to use as few GPOs as possible. The more GPOs you use, the:

  • Slower logons may become

  • More network traffic is generated

  • Greater the chance of conflict between settings in different GPOs, causing unpredictable results

  • More difficult it is to troubleshoot problems associated with GPOs

Keep the number of GPOs that are applied to a given user account small (two or three, usually). It is generally better to merge policy settings from several GPOs into a single GPO whenever possible to speed up the process by which GPOs are applied and refreshed.

Link each GPO you create to only a single site, domain, or OU. A GPO linked to several domains or sites can significantly slow logons (clients must retrieve it from the domain that owns it, possibly across a trust), and GPOs linked in several places are generally harder to troubleshoot when problems occur.

Use blocking (Block Policy Inheritance) when you have a special group of users or computers that needs unique Group Policy settings in your site, domain, or OU. Remember that blocking drops every non-enforced setting inherited from above, including security settings, so pair it with No Override on the domain-level GPOs that must never be lost.

Use forcing (No Override, called Enforced in the GPMC) sparingly, and then only for containers high up in the Active Directory hierarchy and for GPO settings that are critical throughout the enterprise, such as security settings. An enforced GPO wins over conflicting settings in lower containers and is applied even where inheritance has been blocked.

Try not to use GPO filtering since this makes troubleshooting Group Policy problems complex. Create an additional GPO instead of filtering an existing one.

Disable the User or Computer Configuration portion of a GPO if it is not needed. This speeds up processing.

Use the default security templates included in WS2003 as a starting point for configuring security settings in domain GPOs.

Test your Group Policy settings by logging on to workstations using ordinary user accounts and see if the settings work as you expected.

Document your GPOs, where they are linked, and which settings have been configured.

Use the gpresult command-line tool in WS2003 to determine which Group Policy settings have been applied to a specific computer and to the user currently logged on to the computer. This is a useful tool for troubleshooting Group Policy problems on your network.

You can't link a GPO to any of the default containers in Active Directory (i.e., Builtin, Computers, and Users). This is because these containers aren't OUs but special containers that behave differently from OUs. This is a good reason to create your own custom OUs, even in a single-domain environment, so that you can place your users and computers in these custom OUs and apply Group Policy to them.

Only Domain Admins and Enterprise Admins can delegate administrative control over a GPO to another user.

A setting under Administrative Templates called loopback processing ensures that the User settings of the GPOs applying to a computer are applied to whoever logs on to that computer, regardless of which OU the user account is in. (Normally Computer settings are processed at startup and User settings at logon; where the same setting exists in both the Computer and the User Configuration of a GPO, the Computer setting generally takes precedence.) Use loopback on a computer that is set up to perform a dedicated function for all users who access it, such as a kiosk or terminal server. To configure loopback:

Right-click on a container → Properties → Group Policy → Edit → Computer Configuration → Administrative Templates → System → Group Policy → double-click User Group Policy loopback processing mode → Enabled → {Merge | Replace}

Use Replace to discard the user's own GPO list entirely and apply only the User settings of the GPOs linked to the computer's site, domain, and OU; use Merge if you want to combine the two lists (the user's own GPOs are applied first, then the computer's GPOs, so the computer's GPOs win if there is a conflict).
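The precedence rules described in the blocking, forcing, and loopback notes above interact in ways that are easy to get wrong in practice. The following is an added example, not code from the book: a small Python model of the documented processing order (site, domain, OU; link order; Block Policy Inheritance; No Override; loopback Merge and Replace; disabled User or Computer halves). It does not read Active Directory, and the GPO names, containers, and settings are constructed for illustration.

```python
"""Model of Group Policy precedence (added example, not the book's code).

Implements the processing order the notes describe: site -> domain -> OU with
later GPOs winning, link order within a container, Block Policy Inheritance,
No Override (Enforced) links, loopback Merge/Replace and disabled GPO halves.
GPO and container names below are hypothetical.
"""
from dataclasses import dataclass, field


@dataclass
class GPO:
    name: str
    computer: dict = field(default_factory=dict)   # Computer Configuration settings
    user: dict = field(default_factory=dict)       # User Configuration settings
    computer_enabled: bool = True                  # False = Computer half disabled
    user_enabled: bool = True                      # False = User half disabled


@dataclass
class Link:
    gpo: GPO
    enforced: bool = False      # No Override (WS2003) / Enforced (GPMC)


@dataclass
class Container:
    """A site, domain or OU. links[0] has link order 1 (highest precedence)."""
    name: str
    links: list = field(default_factory=list)
    block_inheritance: bool = False


def gpo_list(chain):
    """chain: containers from the top (site) down to the object's own OU.
    Returns the GPOs in application order; the last entry wins a conflict."""
    # Block Policy Inheritance cuts off non-enforced links from every ancestor
    # of the blocking container, so only the deepest block matters.
    blocked_above = max((i for i, c in enumerate(chain) if c.block_inheritance), default=-1)
    normal, enforced = [], []
    for depth, container in enumerate(chain):
        for link in reversed(container.links):       # lowest link order applied first
            if not link.enforced and depth >= blocked_above:
                normal.append(link.gpo)
        for link in container.links:                 # precedence order, reversed below
            if link.enforced:
                enforced.append(link.gpo)
    # Enforced links are applied after all normal ones; an enforced link higher
    # in the hierarchy beats an enforced link further down.
    return normal + list(reversed(enforced))


def apply(gpos, half):
    """Layer one half ("computer" or "user") of each GPO in order and record
    which GPO supplied the winning value of every setting."""
    result = {}
    for gpo in gpos:
        if not getattr(gpo, f"{half}_enabled"):      # skipped if that half is disabled
            continue
        for key, value in getattr(gpo, half).items():
            result[key] = (value, gpo.name)
    return result


def resolve(computer_chain, user_chain, loopback=None):
    """Settings for a user logging on to a computer.
    loopback: None (normal processing), "merge" or "replace"."""
    computer_gpos = gpo_list(computer_chain)
    user_gpos = gpo_list(user_chain)
    if loopback == "replace":
        user_order = computer_gpos                   # user's own GPO list discarded
    elif loopback == "merge":
        user_order = user_gpos + computer_gpos       # computer's list applied last, so it wins
    else:
        user_order = user_gpos
    return apply(computer_gpos, "computer"), apply(user_order, "user")


# --- constructed scenario: a staff user logging on to a locked-down kiosk ---
SITE_BASELINE = GPO("Site-Baseline", user={"wallpaper": "corp"})
DOMAIN_SECURITY = GPO("Domain-Security", computer={"min_pw_len": 12},
                      user={"screensaver_timeout": 600})
DOMAIN_DEFAULTS = GPO("Domain-Defaults", computer={"audit_logon": "success"},
                      user={"wallpaper": "blue", "homepage": "intranet"})
KIOSK_LOCKDOWN = GPO("Kiosk-Lockdown", computer={"autologon": True},
                     user={"wallpaper": "kiosk", "screensaver_timeout": 60,
                           "homepage": "kiosk-portal"})
STAFF_PREFS = GPO("Staff-Prefs", user={"wallpaper": "staff", "homepage": "portal",
                                        "screensaver_timeout": 1800, "drive_map": "H:"})

SITE = Container("HQ", [Link(SITE_BASELINE)])
DOMAIN = Container("corp.example", [Link(DOMAIN_SECURITY, enforced=True), Link(DOMAIN_DEFAULTS)])
KIOSKS_OU = Container("Kiosks", [Link(KIOSK_LOCKDOWN)], block_inheritance=True)
STAFF_OU = Container("Staff", [Link(STAFF_PREFS)])

COMPUTER_CHAIN = [SITE, DOMAIN, KIOSKS_OU]   # the kiosk computer account
USER_CHAIN = [SITE, DOMAIN, STAFF_OU]        # the staff user account


def kiosk_scenario():
    """Resolved settings for the kiosk logon under each loopback mode."""
    return {mode: resolve(COMPUTER_CHAIN, USER_CHAIN, loopback=mode)
            for mode in (None, "merge", "replace")}


if __name__ == "__main__":
    for mode, (comp, user) in kiosk_scenario().items():
        print(f"loopback={mode}\n  computer: {comp}\n  user:     {user}")
```

Two results are worth noticing: because the Kiosks OU blocks inheritance, the kiosk never receives the non-enforced Domain-Defaults audit setting, while the enforced Domain-Security GPO still applies and still wins over the kiosk's own screensaver timeout; and only Merge keeps the user's own drive mapping, which Replace discards.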

If you create a GPO to manage only User (or only Computer) settings, disable the half of the GPO you are not using. To do this, open the GPO in a Group Policy console and then:

Right-click on the GPO's root node in the console tree → Properties → General → Disable {User | Computer} Configuration settings

In the GPMC the same choice appears as the GPO Status on the GPO's Details tab. The advantage of doing this is that the GPO is processed more quickly when the unused part (User or Computer) is skipped, and it also prevents settings accidentally configured in that half from ever being applied.

Once you create, configure, or delete a GPO, the change must be replicated to the domain controllers in your domain (the Active Directory part via directory replication and the Sysvol part via FRS) before it takes effect for all users and computers in your enterprise. This typically takes five minutes, unless your domain is partitioned into sites connected by slow WAN links with site replication scheduled to occur at intervals you specify. Clients then pick up the change at their next background refresh (every 90 minutes plus a random offset of up to 30 minutes for member computers and users; every 5 minutes for domain controllers), at the next startup or logon, or when you run gpupdate.

You can't configure a Scripts setting using secondary logon (runas).

Administrators can delegate control to a trusted user over existing GPOs linked to a container. This step is not necessary, however, if the user has already been delegated administrative authority over the container itself, as this automatically gives the user the privilege to create and modify GPOs as desired for the container. See Delegation earlier in this chapter for general information on the subject.

Only Enterprise Admins can create GPOs at the site level.

Notes on the GPMC

By default, the GPMC obtains all GPO and GPO link information from the PDC Emulator in the domain in which the tool is run, but you can also connect to any other available domain controller if required.

You can't restore a backed-up GPO to a different domain. To move settings between domains, use the GPMC's Import Settings operation on a GPO in the target domain instead, supplying a migration table if the backup contains domain-specific security principals or UNC paths.

GPO backups can't be restored once a domain has been renamed.

For more information on the GPMC, see the white papers at http://www.microsoft.com/windowsserver2003/gpmc/ on Microsoft's web site.

See Also

Active Directory, dcgpofix, gpresult, gpupdate



Windows Server 2003 in a Nutshell
ISBN: 0596004044
Year: 2003
Pages: 415
Authors: Mitch Tulloch
