
1508 posts

Uber Geek

# 142550 17-Mar-2014 09:29

Is it better to have one big GPO or multiple granular ones?
I would lean to multiple tightly defined ones, but interested to know if that is the best way to go.
For example, I would have a firewall GPO, a WSUS GPO, a certificate GPO etc, rather than rolling it all into one big domain policy.

3496 posts

Uber Geek


  # 1007061 17-Mar-2014 09:41

Yeah, I would highly recommend breaking it up, as different workstations/servers generally need different things. I would suggest creating them as standalone entities and then applying them to containers as necessary.


2541 posts

Uber Geek

  # 1007073 17-Mar-2014 09:53

I would make it logically granular, so that the necessary policies can be applied to the necessary OUs correctly.


3872 posts

Uber Geek

Lifetime subscriber

  # 1007081 17-Mar-2014 10:03

For anything other than a lab/home environment, you do not want one big policy. The degree of granularity you aim for should depend to a large extent on the size and complexity of the environment. For a smaller environment, it's generally still fine to clump lots of things together, but for larger/complex environments you generally want even better granularity. The hard part in those environments is finding the balance between functionality through granularity and an administrative nightmare of GPO maintenance :-)

Information wants to be free. The Net interprets censorship as damage and routes around it.

3403 posts

Uber Geek


  # 1008136 18-Mar-2014 15:04

I mostly use group policy to set limits on who can shutdown a terminal server, or install apps / block the control panel etc.

To do this I just have three user groups:
Santa Claus
Mrs Claus
Elves

So Santa has full access to the entire system and is the owner(s) of the company
Mrs Claus works in the payroll office and has full access, and also access to the admin shared drives
Elves are locked down and only have access to the everyday shared drive.

This way when I set up a server, I have a standard setup where at each site there is an owners' drive, a standard admin drive and then a staff drive, with associated environment restrictions.

Each user on the system is placed into one of the three groups and the correct group policy object will be applied to them at logon.

On the terminal server, each printer is set up as a local network printer - no mappings to shared printers.
When a user logs on, the KiXtart script will look at the group they are in and map the applicable shared drives, as well as look for a file \\tsclient\c\printer-x.txt
If the printer-x.txt file exists then the script knows the user is logging in from a specific machine and will set the nearest printer to that machine as the default.
If there is a txt file called printer-y.txt then it uses a different printer as default for the session.

Sorry if this all doesn't really apply to you - I mostly set up small terminal services environments.

Ray Taylor
Taylor Broadband (rural hawkes bay)

There is no place like localhost
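The logon flow described in the post above (group-based drive mapping, then a marker file on the client's redirected C: drive picking the nearest default printer), written here as an added PowerShell logon script. This is not Ray Taylor's KiXtart script and is not from the original thread; the group names, share paths, drive letters, marker file names and printer names are all assumptions for illustration.

```powershell
# Added example: PowerShell logon script for a small terminal server.
# Runs in the logging-on user's context, so it needs only the rights that user has.
# Group names, shares, letters, marker files and printer names are assumptions.

# Group -> share. A user in more than one group gets more than one drive; to get the
# cumulative access the post describes, nest the groups in AD (owners in admin in staff).
$driveMap = [ordered]@{
    'GRP-Owners' = @{ Letter = 'O'; Path = '\\fileserver\owners' }
    'GRP-Admin'  = @{ Letter = 'A'; Path = '\\fileserver\admin'  }
    'GRP-Staff'  = @{ Letter = 'S'; Path = '\\fileserver\staff'  }
}

# Marker file on the RDP client's redirected C: drive -> nearest printer (assumed names).
$printerMap = @{
    'printer-x.txt' = 'Front Office HP'
    'printer-y.txt' = 'Warehouse Brother'
}

function Get-CurrentUserGroupNames {
    # Translate the logon token's group SIDs to names; no AD module needed on the TS.
    $id = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    foreach ($sid in $id.Groups) {
        try { $sid.Translate([System.Security.Principal.NTAccount]).Value.Split('\')[-1] }
        catch { }   # unresolvable SID (e.g. a deleted group): skip it
    }
}

function Connect-GroupDrives {
    $groups = Get-CurrentUserGroupNames
    foreach ($groupName in $driveMap.Keys) {
        if ($groups -contains $groupName) {
            $m = $driveMap[$groupName]
            if (-not (Get-PSDrive -Name $m.Letter -ErrorAction SilentlyContinue)) {
                # -Persist makes it a real mapped drive visible in Explorer, not just a PSDrive.
                New-PSDrive -Name $m.Letter -PSProvider FileSystem -Root $m.Path `
                    -Persist -Scope Global | Out-Null
            }
        }
    }
}

function Set-NearestDefaultPrinter {
    foreach ($marker in $printerMap.Keys) {
        # \\tsclient\c is the RDP client's redirected C: drive. The marker file is
        # created once on each client PC so the script can tell where the session came from.
        if (Test-Path -LiteralPath "\\tsclient\c\$marker") {
            $name = $printerMap[$marker]
            $printer = Get-CimInstance -ClassName Win32_Printer -Filter "Name='$name'"
            if ($printer) {
                Invoke-CimMethod -InputObject $printer -MethodName SetDefaultPrinter | Out-Null
            }
            return $name
        }
    }
    return $null   # no marker file (or no drive redirection): keep the server default
}

Connect-GroupDrives
Set-NearestDefaultPrinter
```

One caveat worth keeping in mind with this pattern: the marker file lives on the client's own disk, so anyone can create printer-y.txt on their PC and get a different default printer. That is harmless for printer selection, but the same test must never be used for an access decision; the share mapping above is driven only by the user's group membership, which the client cannot alter.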

1508 posts

Uber Geek

  # 1008525 18-Mar-2014 22:37

Nice, thanks very much. We are currently in the process of simplifying down a hugely overcomplicated network. I am working on a set of group policies as I have time. Simple and reasonably granular works well for me and means I can have some leeway where I don't have to create OUs with inheritance blocked in order to stop some GPs overstepping their boundaries.
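The approach the replies converge on (one tightly scoped GPO per function, created as a standalone object and linked only to the OU that needs it) and the symptom the last post wants to avoid (OUs with inheritance blocked to fence off an overreaching policy) can both be handled from the GroupPolicy module. The script below is an added example, not from the thread; it needs the GroupPolicy and ActiveDirectory RSAT modules and an account allowed to create and link GPOs, and the OU paths and GPO names are assumptions.

```powershell
# Added example (not from the thread): build a "one GPO per function" layout, link
# each GPO only where it is needed, then audit for blocked inheritance and enforced
# links. OU paths and GPO names below are assumptions for illustration.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$domainDn = (Get-ADDomain).DistinguishedName

# One tightly scoped GPO per setting group (firewall, WSUS, certificates), each
# linked to exactly the container that needs it rather than to the domain root.
$gpoPlan = @(
    @{ Name = 'SEC-Firewall-Workstations'; Target = "OU=Workstations,$domainDn" },
    @{ Name = 'SEC-WSUS-Workstations';     Target = "OU=Workstations,$domainDn" },
    @{ Name = 'SEC-WSUS-Servers';          Target = "OU=Servers,$domainDn" },
    @{ Name = 'SEC-Certificates-Domain';   Target = $domainDn }
)

foreach ($item in $gpoPlan) {
    # Create the GPO as a standalone object first (unlinked, so it applies nowhere yet)...
    $gpo = Get-GPO -Name $item.Name -ErrorAction SilentlyContinue
    if (-not $gpo) {
        $gpo = New-GPO -Name $item.Name -Comment 'Created by GPO build script (example)'
    }
    # ...then link it to the one container that needs it, once.
    $alreadyLinked = (Get-GPInheritance -Target $item.Target).GpoLinks |
        Where-Object { $_.DisplayName -eq $item.Name }
    if (-not $alreadyLinked) {
        New-GPLink -Name $item.Name -Target $item.Target -LinkEnabled Yes | Out-Null
    }
}

# Audit: an OU with inheritance blocked, or an enforced link, usually means a broad
# policy was overstepping and someone worked around it instead of scoping it down.
function Get-GpoScopeSmells {
    Get-ADOrganizationalUnit -Filter * | ForEach-Object {
        $inh = Get-GPInheritance -Target $_.DistinguishedName
        if ($inh.GpoInheritanceBlocked) {
            "BLOCKED inheritance: $($_.DistinguishedName)"
        }
        foreach ($link in ($inh.GpoLinks | Where-Object { $_.Enforced })) {
            "ENFORCED link: $($link.DisplayName) -> $($_.DistinguishedName)"
        }
    }
}

Get-GpoScopeSmells
```

Run the audit part on its own before reorganising an existing domain: every line it prints is a place where a GPO is currently being fought rather than scoped, which is exactly the list of policies to split up first.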

