One of the most powerful centralized administration tasks for Windows Servers and PCs is deploying Group Policy Objects (GPOs). So much so, in fact, that I could argue Group Policy is one of the best solutions Microsoft has ever provided.
While I’m very fond of GPOs and their flexibility to configure user and computer settings centrally, we can easily get out of control with conflicting rules and overly complicated implementations. I’m sure we’ve all seen a domain that has a very ugly configuration of GPOs, and let’s not even get started on the security groups.
In my Active Directory practice, I go back and forth in determining how deep the GPOs and Organizational Units (OUs) should go. I frequently don’t do more than three GPOs flowing in series with the OUs. By series I mean one GPO in a parent OU and another GPO in a child OU, like Figure A where the green GPO applies to the parent OU and the red GPO applies to the child OU (as well as the green GPO).
Click the image to enlarge.
OUs are great for granular classification of various Active Directory objects, though I don’t really have an incredible issue going very deep (within reason) in terms of levels for this configuration. GPOs, on the other hand, are not good candidates for multiple applications for each OU as the tree goes deeper.
It is too complicated to keep the configuration rules in mind for planning and quick thinking. To help simplify how GPOs are organized, here are some tips:
- Leverage GPO filtering by security group to make more GPOs at a higher OU instead of more GPOs in deeper OUs
- Never add individual users or computer accounts (always use the group trick above)
- Combine user and computer settings by role, rather than separate GPOs
- Self-document the names of the GPOs to be intuitive to the role and location
- Use a consistent GPO nomenclature, including renaming GPOs to get there
- Scour around for GPOs that have one setting and consolidate it with other GPOs
GPOs are great, but the tools require organization and thought. These tips are general guidelines, and any of you keeping score will note that my screenshot from my personal lab is not exactly following all of these recommendations. It’s fine for a lab, but in production, that’s a different story.
What tricks and tips do you apply with GPOs and OUs? How deep in the OU structure do you let them go? Share your strategies.