Using Tools to Make Things go Faster

You can take specific steps to make Group Policy application faster for users as well as make it easier on system administrators to administer the Group Policies. This section covers some ways to make using Group Policies easier and faster.

Linking Group Policies

If a Group Policy will be applied to many different locations, you should create the policy once and assign the permissions, and then link the policy to the other locations rather than creating the policy multiple times. Linking the policies achieves the following objectives:

• Creates fewer group policies in SYSVOL. This allows for quicker domain controller promotion and less replication traffic.

• A single point of change for the GPO. If the GPO is changed, the change is applied to all the locations where the GPO is linked.

• A single point of change for permissions. When permissions are configured or changed in one location on a linked GPO, the permissions are applied universally to each place where the GPO is linked.

Configuring the Group Policy Snap-in

When a site administrator opens the GPMC or the Group Policy through ADUC the domain controller that is used to make Group Policy changes and will process the changes is, by default, only the one that holds the FSMO role of PDC Emulator Operations Master. Although this was configured to help eliminate replication problems, this can cause frustration and delays for remote administrators making changes to Group Policy under their control by having to wait for the changes to replicate from the remote PDC Emulator DC. To force the GPMC and Group Policy snap-in to use the most available domain controller, enable the following Group Policy:

User Configuration, Administrative Templates, System, Group Policy, Group Policy Domain Controller Selection.

Choose Use Any Available Domain Controller or Inherit From Active Directory Snap-ins to use the DC to which the open snap-in is connected. The default that points to the PDC Emulator is the choice to Use the Primary Domain Controller. Figure 6.3 shows the domain controller selection of Inherit from Active Directory Snap-ins.

Disabling Configuration Settings

To speed up login and boot times for users, it is recommended that if the entire User Configuration or Computer Configuration section is not being used in a GPO, the unused section should be disabled for the GPO. This expedites the user logon time or the computer boot time, as the disabled sections aren't parsed upon boot or login.

To disable configuration settings using Active Directory Users and Computers:

1. Click on a Group Policy.

2. Click Properties.

3. Go to the General Tab.

4. Click on one of the boxes, either Disable Computer Configuration Settings or Disable User Configuration Settings, whichever section is not being utilized.

To disable configuration settings using the GPMC:

1. Click on the Group Policy in GPMC.

2. Click on the Details tab.

3. Click on the drop-down box at the bottom of the Details tab.

4. Choose Computer Configuration Settings Disabled or User Configuration Settings Disabled, depending on which portion needs to be disabled.

Viewing Group Policy Using the Show Configured Policies Only Setting

Searching through Administrative Templates for a particular Group Policy that is configured can be very time consuming. However, ADUC and the GPMC can be configured easily to show only the Administrative Templates objects that are configured. It removes from the view any policies or policy folders that don't have policies configured within them, making it much easier and faster to find a specific configured policy. Figure 6.4 shows what a GPO looks like when viewed using the Show Configured Policies Only.

To view only the configured policies while using ADUC or the GMPC:

1. Open ADUC or GPMC.

2. Edit a Group Policy to view.

3. Click on the Computer Configuration/Administrative Template or User Configuration/Administrative Template.

4. Right-click on the Administrative Templates section and choose View, Filtering.

5. Select the Only Show Configured Policy Settings option as shown in Figure 6.5.

   Figure 6.5. Selecting the configured policy settings option in GPMC.

   

Deleting Orphaned Group Policies

When a Group Policy object is deleted, you have two choices: whether to just delete the link or delete the entire policy. Each option carries certain consequences.

If the Group Policy object should be removed from being applied at that location but it is or will still be applied elsewhere, choose to remove just the link. This leaves it in the available Group Policy list for future use. If the GPO will not be used elsewhere or ever again, delete the object permanently. This removes the policy from SYSVOL permanently and removes it from Active Directory.

If the policy won't ever be used again and the policy isn't fully deleted, this results in the Group Policy being left unused in the SYSVOL area on each domain controller. This adds unnecessarily to the time it takes to create a new domain controller, and increases replication time and storage space on the domain controller.

If you are using ADUC to access Group Policy, Windows 2003 presents you with two choices when trying to delete a Group Policy: Remove the Link From the List or Remove the Link and Delete the Group Policy Object Permanently.

If you are using the GPMC, delete the link by right-clicking on the Group Policy object under the object to which it is applied. A pop-up box appears that asks, "Do you want to delete this link? This will not delete the GPO itself," thereby leaving the GPO available for linking elsewhere. To delete the link, click OK in the box.

To fully delete the GPO, click on the folder in GPMC entitled Group Policy Objects. Right-click the GPO and choose Delete. A pop-up box appears asking "Do you want to delete this GPO and all links to it in the domain? This will not delete links in other domains." To complete the deletion, click OK.