[gptalk] GPO Implementation Methodology

  • From: "Kopenski, Jack" <Jack.Kopenski@xxxxxxxxxxxxx>
  • To: "GPTalk Forum" <gptalk@xxxxxxxxxxxxx>
  • Date: Tue, 19 Sep 2006 10:58:51 -0400

In trying to design a good GPO methodology for a medium size (7,500
employees) world-wide AD forest we are torn between 2 methods.

Method A

1.  Creating a master computer GPO for all settings common to the
majority of our computers.
2.  Creating "exception" GP's with a higher precedence to turn off
individual settings set in the master GPO not desired for specific OU's


Method B

1.  Creating many individual GPO's for the majority of our computer
2.  Simply leaving off an individual GPO if it is not desired for those

Method A would seem to create fewer GPO's, but can we always rely on the
ability to turn off a setting already turned on by the master?

Method B would seem to create more GPO's with a more complex precedence
order, but simplify troubleshooting.

I have run into a problem with Method A;  after turning on the Security
Options Interactive Logon Message in one GPO, I am unable to turn it off
again in an exception GPO higher in the precedence order. 

Input would be appreciated.


The contents of this e-mail are intended for the named addressee only. It 
contains information that may be confidential. Unless you are the named 
addressee or an authorized designee, you may not copy or use it, or disclose it 
to anyone else. If you received it in error please notify us immediately and 
then destroy it. 

Other related posts: