Best Practices for Configuring Group Policy Objects

IDG News Service - Although group policies are an extremely powerful security mechanism, it can be a bit tricky to deploy them in an effective manner. That’s because the effective group policy is made up of multiple and sometimes contradictory group policy elements that are applied to the user object and/or to the computer that the user is working from. It is therefore critically important that you manage your group policy objects in a way that will allow you to keep them well organized so that you can always figure out which policy elements apply in a given situation.

Further complicating things is the fact that group policy objects can be combined with other group policy objects from the local computer or from a number of different locations within the Active Directory. If you want to make things really interesting though, you can even throw in some loopback or non-inheritance settings to make things really confusing.

My point in telling you all of this is to illustrate that without the proper planning, your group policy structure can easily become huge and overly complicated. It is therefore critically important that you manage your group policy objects in a way that will allow you to keep them well organized so that you can always figure out which policy elements apply in a given situation. In this article, I will share with you some best practices that you can use to keep your group policy objects well organized.

Disable unused group policy elements

One of the first things that you should do to de-clutter your group policy is to disable any unused group policy elements. There are a couple of different ways that you can do this. I recommend starting out by looking at group policy objects as a whole to see if they are really necessary. In larger organizations, it is not uncommon to need group policy objects at every level of the Active Directory, but smaller organizations can often get away with having all of their group policy settings take place at a single level within the Active Directory.

The level within the Active Directory where it makes the most sense to enforce your group policy settings depends heavily on the way that the individual organization is set up. The procedure for disabling a group policy object is almost identical regardless of which level you are doing it at. For example, suppose that you wanted to disable a site level group policy object. To do so, you would open the Active Directory Sites and Services console. Next, you would right click on the site that the policy is currently linked to and select the Properties command from the resulting shortcut menu. When you do, you will see the site’s properties sheet. If you then select the properties sheet’s Group Policy tab you will see a list of all of the group policy objects that are bound to that site, as shown in Figure A.

Reprinted with permission from

IDG.net
Story copyright 2009 International Data Group. All rights reserved.