One big GPO vs multiple granular ones

Forums › IT Pro and developers › One big GPO vs multiple granular ones

toyonut

1508 posts

Uber Geek

#142550 17-Mar-2014 09:29

It is better to have one big GPO or multiple granular ones?
I would lean to multiple tightly defined ones, but interested to know if that is the best way to go.
For example, I would have a firewall GPO, a WSUS GPO, a certificate GPO etc, rather than rolling it all into one big domain policy.

Try Vultr using this link and get us both some credit:

http://www.vultr.com/?ref=7033587-3B

Zeon

3916 posts

Uber Geek

Trusted

#1007061 17-Mar-2014 09:41

Yea would highly recommend breaking it up as different workstations/servers need different things generally. I would suggest creating them as standalone entities and then apply to containers as necessary.

Speedtest 2019-10-14

Inphinity

2780 posts

Uber Geek

#1007073 17-Mar-2014 09:53

I would make it logically granular, so that the necessary policies can be applied to the necessary OUs correctly.

Lias

5589 posts

Uber Geek

ID Verified

Trusted

Lifetime subscriber

#1007081 17-Mar-2014 10:03

For anything other than a lab/home environment, you do not want one big policy. The degree of granularity you aim for should depend to a large extent on the size and complexity of the environment. For a smaller environment, it's generally still fine to clump lots of things together, but for larger/complex environments you generally want even better granularity. The hard part in those environments is finding the balance between functionality through granularity and an administrative nightmare of GPO maintenance :-)

I'm a geek, a gamer, a dad, a Quic user, and an IT Professional. I have a full rack home lab, size 15 feet, an epic beard and Asperger's. I'm a bit of a Cypherpunk, who believes information wants to be free and the Net interprets censorship as damage and routes around it. If you use my Quic signup you can also use the code R570394EKGIZ8 for free setup.

raytaylor

4014 posts

Uber Geek

Trusted

#1008136 18-Mar-2014 15:04

I mostly use group policy to set limits on who can shutdown a terminal server, or install apps / block the control panel etc.

To do this I just have three use groups
Santa Claus
Mrs Claus
Elves

So Santa has full access to the entire system and is the owner(s) of the company
Mrs Claus works in the payroll office and has full access, and also access to the admin shared drives
Elves are locked down and only have access to the everyday shared drive.

This way when I set up a server, I have a standard setup where at each site there is a owners drive, a standard admin drive and then a staff drive, with associated environment restrictions.

Each user on the system is placed into one of the three groups and the correct group policy object will be applied to them at logon.

On the terminal server, each printer is setup as a local network printer - no mappings to shared printers.
When a user logs on, the kixtart script will look at the group they are in and map the applicable shared drives, as well as look for a file \\tsclient\c\printer-x.txt
If the printer-x.txt file exists then the script knows the user is logging in from a specific machine and will set the nearest printer to that machine as the default.
If there is a txt file called printer-y.txt then it uses a different printer as default for the session.

Sorry if this all doesnt really apply to you - I mostly set up small terminal services environments.

Ray Taylor

There is no place like localhost

Spreadsheet for Comparing Electricity Plans Here

toyonut

1508 posts

Uber Geek

#1008525 18-Mar-2014 22:37

Nice, thanks very much. We are currently in process of simplifying down a hugely overcomplicated network. I am working on a set of group policies as I have time. Simple and reasonably granular works well for me and means I can have some leeway where I don't have to create OU's with inheritance blocked in order to stop some GP's overstepping their boundaries.

Try Vultr using this link and get us both some credit:

http://www.vultr.com/?ref=7033587-3B