This is the most thorough guide to group policy best practices on the web.

Group policy can get complicated: it can be complex and it can be difficult to troubleshoot when you have multiple GPOs applied across the entire domain. Implementing group policy is actually very simple. In this guide, you’ll learn everything you need to know about group policy design and implementation best practices. These are proven tips and techniques that many IT professionals use.

Warning: Group Policy is not a one size fits all. Every Active Directory environment is different and there is no cookie cutter solution for group policy. These best practices have worked well for environments I have managed, but may not work for yours. It is best to plan and test any changes to group policy. One small change could lead to major issues and impact critical business services. I do recommend reading them all as some may not make sense without further reading.

The Default Domain Policy is set at the domain level so all users and computers get this policy. This GPO should only be used for account policies settings: password policy, account lockout policy, and Kerberos policy. Any other settings should be put into a separate GPO.

Do Not Modify the Default Domain Controller Policy
This GPO should only contain the User Rights Assignment Policy and Audit Policy. Any other settings for the Domain Controllers should be set in a separate GPO.

Good OU Structure Will Make Your Job 10x Easier
Good OU structure makes it easier to apply and troubleshoot group policy. I prefer to separate the users and computers into their own OU, then create sub OUs for each department or business function. Putting users and computers in separate OUs makes it easier to apply computer policies to all the computers and user policies to only the users.

The only GPO that should be set at the domain level is the Default Domain Policy. Anything set at the domain level will get applied to all user and computer objects. This could lead to all kinds of settings getting applied to objects that you don’t want. It’s better to apply the policies at a more granular level.

Apply GPOs at an OU root level.
Applying GPOs at an OU level will allow sub OUs to inherit these policies. This way you don’t need to link a policy to each individual OU. If you have users or computers that you don’t want to inherit a setting, then you can put them in their own OU and apply a policy directly to that OU.

The Windows 10 Settings GPO contains a policy that turns on the screen saver after 30 minutes. This policy is applied at the Winadpro computers OU, so sub OUs will inherit this policy. I have a training lab that I don’t want this policy applied to, so I created and linked a GPO directly to the Training Lab OU that disables the screen saver. This directly linked GPO will take precedence and get applied over the inherited policies.

Avoid Using Blocking Policy Inheritance and Policy Enforcement
If you have a good OU structure then you can most likely avoid the use of blocking policy inheritance and policy enforcement. I find it much easier to manage and troubleshoot group policies knowing neither of these are set in the domain.

If a GPO is linked to an OU and you don’t want it to be, delete the link instead of disabling it. Deleting the link from an OU will not delete the GPO, it just removes the link from the OU. Disabling the GPO will stop it from being processed entirely on the domain, which could cause problems.

Use Descriptive GPO Names
Being able to quickly identify what a GPO does based off the name will make group policy administration much easier.
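The practices above can be checked against a live domain rather than by clicking through GPMC. The following audit script is an added example, not code from the article or its author; it assumes the RSAT GroupPolicy and ActiveDirectory modules are installed, that the caller can read GPOs and OUs in the current domain, and that the name pattern for "non-descriptive" GPOs is a local choice you will want to adjust.

```powershell
# Added audit script (not from the original article). Flags GPO configurations
# that go against the practices above: extra links at the domain root, blocked
# inheritance, enforced or disabled links, fully disabled GPOs, and GPOs that
# still carry the default or an uninformative name.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$findings = New-Object System.Collections.Generic.List[object]
function Add-Finding([string]$Check, [string]$Object, [string]$Detail) {
    $findings.Add([pscustomobject]@{ Check = $Check; Object = $Object; Detail = $Detail })
}

$domainDN = (Get-ADDomain).DistinguishedName

# Anything linked at the domain root besides the Default Domain Policy applies
# to every user and computer object in the domain.
foreach ($link in (Get-GPInheritance -Target $domainDN).GpoLinks) {
    if ($link.DisplayName -ne 'Default Domain Policy') {
        Add-Finding 'DomainLevelLink' $link.DisplayName $domainDN
    }
}

# Per OU: blocked inheritance, enforced links, and disabled links (links the
# article says should have been deleted rather than disabled).
foreach ($ou in Get-ADOrganizationalUnit -Filter *) {
    $inh = Get-GPInheritance -Target $ou.DistinguishedName
    if ($inh.GpoInheritanceBlocked) {
        Add-Finding 'BlockInheritance' $ou.DistinguishedName ''
    }
    foreach ($link in $inh.GpoLinks) {
        if ($link.Enforced)     { Add-Finding 'EnforcedLink' $link.DisplayName $ou.DistinguishedName }
        if (-not $link.Enabled) { Add-Finding 'DisabledLink' $link.DisplayName $ou.DistinguishedName }
    }
}

# GPOs switched off entirely, and GPOs whose name says nothing about what they
# do ("New Group Policy Object" is the name GPMC proposes for a new GPO; the
# other patterns are assumed local conventions, adjust to taste).
foreach ($gpo in Get-GPO -All) {
    if ($gpo.GpoStatus -eq 'AllSettingsDisabled') {
        Add-Finding 'GpoDisabled' $gpo.DisplayName $gpo.Id
    }
    if ($gpo.DisplayName -match '^(New Group Policy Object|Test|GPO)\s*\d*$') {
        Add-Finding 'NonDescriptiveName' $gpo.DisplayName $gpo.Id
    }
}

$findings | Sort-Object Check, Object | Format-Table -AutoSize
```

Each finding is one deviation to review, not necessarily a mistake; the Default Domain Controllers Policy, for example, is correctly linked at the Domain Controllers OU and will not appear in the domain-level check.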