[gptalk] Re: GPO Implementation Methodology

  • From: "Robert Tannehill" <rtannehill@xxxxxxx>
  • To: <gptalk@xxxxxxxxxxxxx>
  • Date: Tue, 19 Sep 2006 22:42:57 -0500

I also like Method A.  We have "baseline" GPOs; one for workstations and one
for servers since there are separate security policy requirements based on
corporate security policies.  And in those cases I explicitly disabled or
enabled policies on OUs further down the tree.  For
example, we had an OU for all workstations, then under that, one for
desktops and one for laptops.  The workstation-baseline policy caught all
the corporate security policies; for instance, offline files are disabled,
but on the laptop GPO, they are enabled.


From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On
Behalf Of Darren Mar-Elia
Sent: Tuesday, September 19, 2006 11:37 AM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: GPO Implementation Methodology

I typically like Method A better, but it has its drawbacks. Some policy,
such as you've discovered with security policy, can't be easily undone. For
example, in your interactive logon message example, you can't simply set it
to Not Defined in the higher precedence GPO to have it undo the message. You
would have to set it, but leave it blank, in order to undo that message. So,
maybe the best solution is a mix of approaches, where you only put settings
that universally apply to all computers in a set of few master GPOs and then
apply specific settings at the OU level linked GPOs, using security
filtering if you need to isolate groups of machines or users for specific


From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On
Behalf Of Kopenski, Jack
Sent: Tuesday, September 19, 2006 7:59 AM
To: GPTalk Forum
Subject: [gptalk] GPO Implementation Methodology

In trying to design a good GPO methodology for a medium size (7,500
employees) world-wide AD forest we are torn between 2 methods.

Method A 

1.  Creating a master computer GPO for all settings common to the majority
of our computers. 
2.  Creating "exception" GPOs with a higher precedence to turn off
individual settings set in the master GPO not desired for specific OUs.


Method B 

1.  Creating many individual GPOs for the majority of our computer OUs.
2.  Simply leaving off an individual GPO if it is not desired for those

Method A would seem to create fewer GPOs, but can we always rely on the
ability to turn off a setting already turned on by the master?

Method B would seem to create more GPOs with a more complex precedence
order, but simplify troubleshooting.

I have run into a problem with Method A: after turning on the Security
Options Interactive Logon Message in one GPO, I am unable to turn it off
again in an exception GPO higher in the precedence order.

Input would be appreciated. 
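
An added example, not from either message above, for the "Not Defined" versus "defined but blank" distinction that Darren describes and that Jack ran into with the Interactive Logon message: a PowerShell function that parses the `[Registry Values]` section of a GPO security template (`GptTmpl.inf`) and reports whether each logon-message value is not defined, defined blank, or defined with content. The two inline templates are constructed samples; the SYSVOL path in the comment and the function name are assumptions.

```powershell
# Added example (not from the thread): classify the Interactive Logon message
# settings in a GPO security template as NotDefined, DefinedBlank or DefinedValue.
# Assumed real path: \\<domain>\SYSVOL\<domain>\Policies\{<GUID>}\Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf
$LogonMessageKeys = @{
    Caption = 'MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\LegalNoticeCaption'
    Text    = 'MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\LegalNoticeText'
}

function Get-LogonMessageState {
    param([Parameter(Mandatory)][string[]]$TemplateLines)

    # Collect key=value lines from the [Registry Values] section only.
    $values = @{}
    $inSection = $false
    foreach ($line in $TemplateLines) {
        $trimmed = $line.Trim()
        if ($trimmed -match '^\[(.+)\]$') { $inSection = ($Matches[1] -eq 'Registry Values'); continue }
        if ($inSection -and $trimmed -match '^([^=]+)=(.*)$') { $values[$Matches[1].Trim()] = $Matches[2] }
    }

    $result = @{}
    foreach ($name in $LogonMessageKeys.Keys) {
        $key = $LogonMessageKeys[$name]
        if (-not $values.ContainsKey($key)) { $result[$name] = 'NotDefined'; continue }
        # Value is "<regtype>,<data>": 1 = REG_SZ, 7 = REG_MULTI_SZ. A type with no
        # data ("1," or "7,") is a defined-but-blank setting, which is what clears the message.
        $parts = $values[$key] -split ',', 2
        $data = if ($parts.Count -gt 1) { $parts[1].Trim('"') } else { '' }
        $result[$name] = if ($data.Length -eq 0) { 'DefinedBlank' } else { 'DefinedValue' }
    }
    return $result
}

# Constructed sample templates: the master GPO sets the message; the exception GPO
# defines both values blank rather than leaving them Not Defined.
$master = @(
    '[Registry Values]',
    'MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\LegalNoticeCaption=1,"Authorized use only"',
    'MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\LegalNoticeText=7,This system is monitored.'
)
$exception = @(
    '[Registry Values]',
    'MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\LegalNoticeCaption=1,',
    'MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\LegalNoticeText=7,'
)
Get-LogonMessageState $master
Get-LogonMessageState $exception
```

Against a real GPO, call it as `Get-LogonMessageState (Get-Content '<path to GptTmpl.inf>')`; an exception GPO whose result shows NotDefined for either key will not override the master.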


