toyonut

#142550 17-Mar-2014 09:29

Is it better to have one big GPO or multiple granular ones?
I would lean to multiple tightly defined ones, but I'm interested to know if that is the best way to go.
For example, I would have a firewall GPO, a WSUS GPO, a certificate GPO etc, rather than rolling it all into one big domain policy.




Try Vultr using this link and get us both some credit:

 

http://www.vultr.com/?ref=7033587-3B


Zeon
#1007061 17-Mar-2014 09:41

Yea would highly recommend breaking it up as different workstations/servers need different things generally. I would suggest creating them as standalone entities and then apply to containers as necessary.








Inphinity
#1007073 17-Mar-2014 09:53

I would make it logically granular, so that the necessary policies can be applied to the necessary OUs correctly.

Lias
#1007081 17-Mar-2014 10:03

For anything other than a lab/home environment, you do not want one big policy. The degree of granularity you aim for should depend to a large extent on the size and complexity of the environment. For a smaller environment, it's generally still fine to clump lots of things together, but for larger/complex environments you generally want even better granularity. The hard part in those environments is finding the balance between functionality through granularity and an administrative nightmare of GPO maintenance :-)




I'm a geek, a gamer, a dad, a Quic user, and an IT Professional. I have a full rack home lab, size 15 feet, an epic beard and Asperger's. I'm a bit of a Cypherpunk, who believes information wants to be free and the Net interprets censorship as damage and routes around it. If you use my Quic signup you can also use the code R570394EKGIZ8 for free setup. Opinions are my own and not the views of my employer.




raytaylor
#1008136 18-Mar-2014 15:04

I mostly use group policy to set limits on who can shut down a terminal server, or install apps / block the control panel etc.

To do this I just have three user groups
Santa Claus
Mrs Claus
Elves

So Santa has full access to the entire system and is the owner(s) of the company
Mrs Claus works in the payroll office and has full access, and also access to the admin shared drives
Elves are locked down and only have access to the everyday shared drive.

This way when I set up a server, I have a standard setup where at each site there is an owners drive, a standard admin drive and then a staff drive, with associated environment restrictions.

Each user on the system is placed into one of the three groups and the correct group policy object will be applied to them at logon.

On the terminal server, each printer is set up as a local network printer - no mappings to shared printers.
When a user logs on, the kixtart script will look at the group they are in and map the applicable shared drives, as well as look for a file \\tsclient\c\printer-x.txt
If the printer-x.txt file exists then the script knows the user is logging in from a specific machine and will set the nearest printer to that machine as the default.
If there is a txt file called printer-y.txt then it uses a different printer as default for the session.

Sorry if this all doesn't really apply to you - I mostly set up small terminal services environments.




Ray Taylor

There is no place like localhost



toyonut

#1008525 18-Mar-2014 22:37

Nice, thanks very much. We are currently in the process of simplifying down a hugely overcomplicated network. I am working on a set of group policies as I have time. Simple and reasonably granular works well for me and means I can have some leeway where I don't have to create OUs with inheritance blocked in order to stop some GPs overstepping their boundaries.




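The approach discussed in this thread (single-purpose GPOs created as standalone objects, linked only to the containers that need them, with no reliance on blocked inheritance) can be sketched in PowerShell. This is an added example, not code from any poster; it assumes the RSAT GroupPolicy and ActiveDirectory modules, and the domain DN, OU names and GPO names are hypothetical placeholders.

```powershell
#Requires -Modules GroupPolicy, ActiveDirectory
# Added example. Domain DN, OU names and GPO names below are hypothetical placeholders.
$DomainDN = 'DC=example,DC=local'

# One narrowly scoped GPO per concern, and the containers each one should apply to.
$Plan = @(
    @{ Name = 'SEC-Firewall';     Targets = @("OU=Workstations,$DomainDN", "OU=Servers,$DomainDN") }
    @{ Name = 'SEC-WSUS';         Targets = @("OU=Workstations,$DomainDN", "OU=Servers,$DomainDN") }
    @{ Name = 'SEC-Certificates'; Targets = @($DomainDN) }
)

foreach ($item in $Plan) {
    # Create the GPO as a standalone, unlinked object if it does not exist yet.
    $gpo = Get-GPO -Name $item.Name -ErrorAction SilentlyContinue
    if (-not $gpo) {
        $gpo = New-GPO -Name $item.Name -Comment 'Single-purpose policy'
    }
    foreach ($target in $item.Targets) {
        # Link only where needed; skip containers that already carry the link.
        $linked = (Get-GPInheritance -Target $target).GpoLinks.DisplayName
        if ($linked -notcontains $item.Name) {
            New-GPLink -Name $item.Name -Target $target -LinkEnabled Yes | Out-Null
        }
    }
}

# Review: what does each OU actually receive, and where is inheritance blocked?
Get-ADOrganizationalUnit -Filter * -SearchBase $DomainDN | ForEach-Object {
    $som = Get-GPInheritance -Target $_.DistinguishedName
    [pscustomobject]@{
        OU                 = $_.DistinguishedName
        InheritanceBlocked = $som.GpoInheritanceBlocked
        DirectLinks        = ($som.GpoLinks.DisplayName -join ', ')
        EffectiveGPOs      = ($som.InheritedGpoLinks.DisplayName -join ', ')
    }
} | Sort-Object OU | Format-Table -AutoSize -Wrap
```

The final report makes it easy to spot OUs that still depend on blocked inheritance, or that receive a policy they were never meant to get.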

