By Ruby Nahal, Senior Engineer
Active Directory Group Policies are an extremely powerful component of Active Directory. They are the magic wand that will help you control the functioning and behavior of entities in your Active Directory domain. And because they are so powerful, they can also be dangerous if they are misconfigured. Ever heard the saying, “With great power comes great responsibility”? Depending on how your Group Policies are configured, they can also make troubleshooting harder. Following are six nuggets of wisdom on how to make your Group Policy infrastructure better.
1. Linking or filtering?
My guiding principle is that you should always seek to link a GPO as close to the intended targets as possible and rely on filtering only on an exception basis. Stick to the 80-20 rule. This is harder when you have a flat AD hierarchy (i.e., all users in one OU). And if you throw in Group Policy Preferences item-level targeting, which lets you create filters on individual settings, things can get out of hand. Hence your Group Policy infrastructure will greatly depend on your AD hierarchy. It is best to organize your AD so that users and computers in different departments or functions sit in different OUs, which keeps the Group Policy infrastructure as smooth as possible.
2. New GPOs only when the scope is different
This ties into the first point. My rule of thumb is not to create a new GPO unless it is absolutely needed. I have often seen new GPOs created for a single setting. For testing this is great, but in production, the more GPOs there are, the more complex the infrastructure is and the harder it is to troubleshoot. The more GPOs there are, the more overhead there is in processing such a long list of group policies.
3. Disable user/computer settings if not in use
Not only does this keep your AD environment clean, it also avoids the processing of unnecessary policy sections, which would otherwise add overhead in your domain.
4. Avoid using enforced
Use the Enforced and Block Policy Inheritance features cautiously. Routine use of these features can make it difficult to troubleshoot policy because it is not immediately clear why certain settings do or do not apply.
5. Do not edit Default Domain Policies
Unless you are changing the default domain password policy, it is strongly recommended that you do not modify the Default Domain Policy or Default Domain Controllers Policy Group Policy objects, as a mistake in these two policies can really mess up your Active Directory. I recently dealt with an issue that took several weeks to track down because it could not be immediately traced back to changes to the Domain Controllers policy.
6. Reuse GPOs whenever possible
If the same settings need to be applied to all the users or computers in specific OUs in the organization, consider linking the same GPO to each of those OUs. This keeps things simple and easier to troubleshoot.
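Points 3, 4 and 6 can be checked rather than just remembered. The script below is an added example, not part of the original post: it uses the GroupPolicy and ActiveDirectory RSAT modules (assumed to be installed, with read access to the domain) to flag GPOs with an enabled but empty user or computer half, enforced links, OUs with Block Inheritance set, and GPOs that are linked nowhere.

```powershell
# Audit script (added example, not from the original post).
# Assumes the GroupPolicy and ActiveDirectory RSAT modules and read access to the domain.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$findings = New-Object System.Collections.Generic.List[object]
$allGpos  = Get-GPO -All

# Point 3: a user or computer half that holds no settings but is still enabled is processed
# for nothing. In the Get-GPOReport XML, an empty half has no ExtensionData element.
foreach ($gpo in $allGpos) {
    [xml]$report = Get-GPOReport -Guid $gpo.Id -ReportType Xml
    $userEmpty     = -not $report.GPO.User.ExtensionData
    $computerEmpty = -not $report.GPO.Computer.ExtensionData
    if ($userEmpty -and $gpo.GpoStatus -notin 'UserSettingsDisabled', 'AllSettingsDisabled') {
        $findings.Add([pscustomobject]@{ Object = $gpo.DisplayName; Issue = 'User settings empty but enabled' })
    }
    if ($computerEmpty -and $gpo.GpoStatus -notin 'ComputerSettingsDisabled', 'AllSettingsDisabled') {
        $findings.Add([pscustomobject]@{ Object = $gpo.DisplayName; Issue = 'Computer settings empty but enabled' })
    }
}

# Points 4 and 6: walk the domain root and every OU, recording enforced links,
# blocked inheritance, and how many places each GPO is linked.
$containers = @((Get-ADDomain).DistinguishedName) +
              (Get-ADOrganizationalUnit -Filter * | Select-Object -ExpandProperty DistinguishedName)
$linkCount = @{}
foreach ($dn in $containers) {
    $inh = Get-GPInheritance -Target $dn
    if ($inh.GpoInheritanceBlocked) {
        $findings.Add([pscustomobject]@{ Object = $dn; Issue = 'Block Inheritance set' })
    }
    foreach ($link in $inh.GpoLinks) {
        $linkCount[$link.DisplayName] = 1 + [int]$linkCount[$link.DisplayName]
        if ($link.Enforced) {
            $findings.Add([pscustomobject]@{ Object = "$($link.DisplayName) -> $dn"; Issue = 'Link is Enforced' })
        }
    }
}

# A GPO linked nowhere is dead weight that still has to be maintained.
foreach ($gpo in $allGpos) {
    if (-not $linkCount.ContainsKey($gpo.DisplayName)) {
        $findings.Add([pscustomobject]@{ Object = $gpo.DisplayName; Issue = 'Not linked anywhere' })
    }
}

$findings | Sort-Object Issue, Object | Format-Table -AutoSize
```

Run it from a management host as an account that can read GPOs; every finding is a candidate to review against the six points, not an automatic change.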
Again, if we keep it simple and avoid introducing unnecessary complexity, it will help everyone in the long run.