
Practical tips on simplifying GPOs and OU organization

Deep paths within Active Directory can complicate OU and GPO organization. IT pro Rick Vanover shares his approach to managing the complexity of GPOs.

One of the most powerful centralized administration tools for Windows servers and PCs is Group Policy, deployed through Group Policy Objects (GPOs). So much so, in fact, that I would argue Group Policy is one of the best solutions Microsoft has ever shipped.

While I'm very fond of GPOs and their flexibility to configure user and computer settings centrally, it is easy to end up with conflicting rules and overly complicated implementations. I'm sure we've all seen a domain with a very ugly GPO configuration, and let's not even get started on the security groups.

In my Active Directory practice, I go back and forth on how deep the GPOs and Organizational Units (OUs) should go. I rarely let more than three GPOs apply in series down the OU tree. By "in series" I mean one GPO linked at a parent OU and another linked at a child OU, as in Figure A, where the green GPO is linked at the parent OU and the red GPO at the child OU: objects in the child OU receive both, with the red (closer) GPO winning on any setting the two have in common.

Figure A

OUs are great for granular classification of Active Directory objects, and I have no real objection to going fairly deep (within reason) in OU levels. GPOs, on the other hand, do not hold up well when a new one is linked at every OU as the tree gets deeper: each level adds another layer to the local, site, domain, OU processing order, and every enforced link or blocked inheritance along the way is one more exception to remember.

Beyond a few levels, the stacked rules become too hard to hold in your head when planning a change or troubleshooting. To help simplify how GPOs are organized, here are some tips:

  • Leverage GPO security-group filtering so that more GPOs are linked at a higher OU instead of in deeper OUs
  • Never add individual user or computer accounts to a GPO's security filtering; always use a group, as above
  • Combine user and computer settings by role in one GPO, rather than maintaining separate GPOs for each
  • Make GPO names self-documenting: the role and location should be obvious from the name alone
  • Use a consistent GPO naming convention, renaming existing GPOs to get there
  • Scour the domain for GPOs that carry a single setting and consolidate them into other GPOs
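As an added example (not from the article or its author), here is how those tips look when scripted with the GroupPolicy and ActiveDirectory PowerShell modules: role GPOs linked once at a parent OU and filtered by security group rather than by individual accounts, a consistent name scheme, an audit pass that flags empty, single-extension and unlinked GPOs as consolidation candidates, and a check of how many links actually stack at a child OU. The domain corp.example, the OU paths, the group names and the GPO-<Role>-Apply scheme are all assumptions. One caveat not in the original: since MS16-072 (June 2016) Group Policy is retrieved in the computer's security context, so when you filter by group, downgrade Authenticated Users to Read instead of removing it, or user settings stop applying.

```powershell
# Added example, not from the article. Assumes RSAT / Windows Server with the GroupPolicy
# and ActiveDirectory modules, domain corp.example, parent OU "Workstations", and
# filtering groups named GPO-<Role>-Apply. All names are illustrative.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$Domain   = 'corp.example'
$ParentOU = 'OU=Workstations,DC=corp,DC=example'
$GroupOU  = 'OU=Groups,DC=corp,DC=example'

# Naming convention: <Scope>-<Role>-<Purpose>, readable in GPMC without opening the GPO.
$Roles = @(
    @{ Name = 'WKS-Base-Security';  Group = 'GPO-WKS-Base-Apply';    Comment = 'Baseline for all workstations' },
    @{ Name = 'WKS-Finance-Config'; Group = 'GPO-WKS-Finance-Apply'; Comment = 'Finance role: drive maps, printers, app lockdown' }
)

foreach ($r in $Roles) {
    # Group membership, not OU position, decides who receives the policy (never individual accounts).
    if (-not (Get-ADGroup -Filter "Name -eq '$($r.Group)'")) {
        New-ADGroup -Name $r.Group -GroupScope Global -GroupCategory Security -Path $GroupOU `
            -Description "Members receive GPO '$($r.Name)'"
    }

    $gpo = Get-GPO -Name $r.Name -Domain $Domain -ErrorAction SilentlyContinue
    if (-not $gpo) {
        $gpo = New-GPO -Name $r.Name -Comment $r.Comment -Domain $Domain
        # One link high in the tree instead of one link per child OU.
        New-GPLink -Name $r.Name -Target $ParentOU -LinkEnabled Yes -Domain $Domain | Out-Null
    }

    # Security filtering: the role group gets Apply; Authenticated Users is downgraded to Read,
    # not removed. Caveat: after MS16-072 the computer account must still be able to read the
    # GPO, so never strip Read from Authenticated Users (or Domain Computers).
    Set-GPPermission -Name $r.Name -TargetName $r.Group -TargetType Group `
        -PermissionLevel GpoApply -Domain $Domain | Out-Null
    Set-GPPermission -Name $r.Name -TargetName 'Authenticated Users' -TargetType Group `
        -PermissionLevel GpoRead -Replace -Domain $Domain | Out-Null
}

# Audit: flag GPOs that are empty, linked nowhere, or carry only one client-side extension's
# worth of settings (consolidation candidates). Counting ExtensionData nodes is a heuristic:
# it counts extensions with data, not individual settings.
function Get-GpoAudit {
    param([string]$Domain)
    foreach ($g in Get-GPO -All -Domain $Domain) {
        [xml]$report = Get-GPOReport -Guid $g.Id -ReportType Xml -Domain $Domain
        $ns = New-Object System.Xml.XmlNamespaceManager($report.NameTable)
        $ns.AddNamespace('gp', 'http://www.microsoft.com/GroupPolicy/Settings')
        $compExt = $report.SelectNodes('/gp:GPO/gp:Computer/gp:ExtensionData', $ns).Count
        $userExt = $report.SelectNodes('/gp:GPO/gp:User/gp:ExtensionData', $ns).Count
        $links   = $report.SelectNodes('/gp:GPO/gp:LinksTo', $ns).Count
        [pscustomobject]@{
            Name         = $g.DisplayName
            ComputerExts = $compExt
            UserExts     = $userExt
            Links        = $links
            Flag         = if ($compExt + $userExt -eq 0)     { 'EMPTY' }
                           elseif ($links -eq 0)              { 'UNLINKED' }
                           elseif ($compExt + $userExt -eq 1) { 'CONSOLIDATE?' }
                           else                               { '' }
        }
    }
}
Get-GpoAudit -Domain $Domain | Sort-Object Flag -Descending | Format-Table -AutoSize

# How deep does policy stack at a child OU? InheritedGpoLinks lists every link in effect,
# in precedence order, including those inherited from parent OUs and the domain.
$ChildOU = "OU=Finance,$ParentOU"
(Get-GPInheritance -Target $ChildOU -Domain $Domain).InheritedGpoLinks |
    Select-Object Order, DisplayName, Target, Enabled, Enforced | Format-Table -AutoSize
```

Run the script from an account that can create GPOs and groups; the first loop is idempotent, so re-running it only re-applies the permissions. Treat the audit output as a starting list: a GPO that shows a single extension may still hold several settings under that one extension, so open it before merging it away, and check the last table against your own depth limit (three in series in the article) rather than trusting the count alone.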

GPOs are great, but the tool demands organization and forethought. These tips are general guidelines, and anyone keeping score will notice that the screenshot from my personal lab doesn't exactly follow all of them. That's fine for a lab; in production, it's a different story.

What tricks and tips do you apply with GPOs and OUs? How deep in the OU structure do you let them go? Share your strategies.

About

Rick Vanover is a software strategy specialist for Veeam Software, based in Columbus, Ohio. Rick has years of IT experience and focuses on virtualization, Windows-based server administration, and system hardware.

4 comments
Jonas Christoffersen

Nice article. Whenever possible I tend to apply a complete role-based AD structure with a flat OU structure, or as flat as possible, and use security groups to filter out GPOs. This creates a lot of GPOs (as I normally only add one feature or setting to each) and a lot of security groups, but I have found that in most cases this creates a set of self-documentation, and with a little help from a few HTAs it is very manageable to always have a single point of management. I know there are exceptions, but my main goal is always the single point of management.

marcelorf

Great article. One thing I take a different approach on is linking policies up the tree with security filtering. It makes it far less intuitive to determine whether a policy is being applied to objects in a given OU. When I open GPMC (there are always cases that merit an exception, of course) I like to be able to quickly glance at the AD structure and determine which policies an object gets. Security group filtering takes that from me. I either have to run a model or go into each policy, find the groups that get it and then which objects are a part of them, and to me that can be counterproductive if used as a general rule.

huskermiked

Do you know that your Twitter stream is putting out incorrect short URLs? The Twitter links for the last few articles have gone to the wrong article.

MaryWeilage

Huskermiked, No, I don't believe we were aware of this issue. Thanks for bringing it to our attention. I'll file a bug now. UPDATE: The bug has been fixed. Our Twitter links are working again.
