[gptalk] Re: GPO Implementation Methodology

  • From: <bart.schillebeeks@xxxxxxxxxx>
  • To: <gptalk@xxxxxxxxxxxxx>
  • Date: Wed, 20 Sep 2006 16:03:35 +0200

Hi guys,
I use a "No override, No exception" strategy on our entire park. I have
a split machine/user GPO strategy as well.
Basically I have a GPO specific for each OU (systems --> servers -->
type of server, systems --> workstations --> desktops, users -->
department --> type) etc.
The Windows system security is placed in type-specific GPOs that are
placed in the lowest OU (always winning application settings).

For all other settings (ADM templates) the setting is placed in the GPO
respective to the scope, or split between them (sounds difficult,
I know).
I manage a 3-tier network (lab, QA, production) with 7 domains in each
forest, with about 65,000 workstations and 6,000 servers in total.
I have around 35 GPOs per domain (most of them are identical, but
7 * 3 = 21 domains, and 21 * 35 = 735 GPOs).
The basic trick is to standardize as much as possible and not to create
exceptions. When adapting GPOs I only have to import a lot :-)
This system works very well, and I rarely have errors or
troubleshooting to do. Very important: manage your OU structure
based on your GPO/AD needs, and not the other way around!!!
Kind regards,

Schillebeeks Bart 
Active Directory Security Consultant 
Small and Departmental Systems - NT Systems Fortis Bank 
AD Internet Consulting BVBA

Any views expressed in this message are those of the individual sender,
except where the message states otherwise and the sender is authorised
to state them to be the views of any such entity. This message is in no
way legally binding and has to be viewed as a personal opinion of the
sender. This message reflects in no way the views of FORTIS BANK and its
associates and AD Internet Consulting BVBA and its associates. Unless
otherwise stated, any pricing information given in this message is
indicative only, is subject to change and does not constitute an offer
to deal at any price quoted. Any reference to the terms of executed
transactions should be treated as preliminary only and subject to our
formal written confirmation.

AD Internet Consulting BVBA, Geelsebaan 109c, 3980 Tessenderlo,
ON:0470419019  www.adinternet.com  mailto:Sales@xxxxxxxxxxxxxx
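
An added example, not code from the thread or from its author, of the "standardize and import a lot" approach described above: back up one reference copy of each standard GPO from a source domain and import it into the sibling domains under the same name. It assumes the GroupPolicy RSAT module, and the domain names, backup path, GPO names and per-domain migration tables below are placeholders you would replace with your own.

```powershell
# Added example (not from the gptalk thread): replicate standardized GPOs from a
# reference domain into sibling domains with Backup-GPO / Import-GPO.
# Assumptions (labelled): GroupPolicy RSAT module available; the domain names,
# backup path and GPO names are placeholders; a migration table per target
# domain has been prepared so domain-specific SIDs and UNC paths get translated.
Import-Module GroupPolicy

$sourceDomain  = 'lab.corp.example'                          # assumption: reference domain
$targetDomains = 'qa.corp.example', 'prod.corp.example'      # assumption: target domains
$backupPath    = 'C:\GPOBackups'                             # assumption
$standardGpos  = 'Srv-Baseline', 'Wks-Desktop-Security', 'Usr-Finance'   # assumption

if (-not (Test-Path $backupPath)) {
    New-Item -ItemType Directory -Path $backupPath | Out-Null
}

foreach ($name in $standardGpos) {
    # One backup of the reference copy; Backup-GPO returns the backup object with its Id.
    $backup = Backup-GPO -Name $name -Domain $sourceDomain -Path $backupPath

    foreach ($domain in $targetDomains) {
        # The migration table maps source-domain SIDs and UNC paths to the target's.
        $migTable = Join-Path $backupPath "$domain.migtable"   # assumption: prepared per domain
        $params = @{
            BackupId       = $backup.Id
            Path           = $backupPath
            TargetName     = $name        # identical GPO name in every domain
            Domain         = $domain
            CreateIfNeeded = $true
        }
        if (Test-Path $migTable) { $params.MigrationTable = $migTable }

        # Import-GPO replaces the target GPO's settings only: OU links and security
        # filtering on the target are not carried over and stay under separate control.
        Import-GPO @params | Select-Object DisplayName, DomainName, ModificationTime
    }
}
```

Because the import carries settings but not links or security filtering, the target domains' OU structure and link order still have to match the reference domain for the result to be identical, which is the point made above about building the OU tree around GPO needs.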

-----Original Message-----
From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx]
On Behalf Of Kopenski, Jack
Sent: Wednesday, September 20, 2006 2:48 PM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: GPO Implementation Methodology

Thanks Darren and Robert.  I have not been able to find any help in the
many publications on GPOs that really point to one method or the other.
I personally like method B but my boss is leaning towards "A", so I have
widened my search out to the working admins in hopes of hearing your
Having bumped into a problem (security options) with method B so soon
made me worry that there were others that could not be overridden or
reversed easily.  Can any of you share just how many GPOs your
organizations have implemented?  If you use the baseline, or master GPO,
method, do they contain 5, 10, 20 different settings?


From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx]
On Behalf Of Robert Tannehill
Sent: Tuesday, September 19, 2006 11:43 PM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: GPO Implementation Methodology

I also like Method A.  We have "baseline" GPOs; one for workstations and
one for servers since there are separate security policy requirements
based on corporate security policies.  And in those cases where I had
to, I explicitly disabled or enabled policies in policies on OUs further
down the tree.  For example, we had an OU for all workstations, then
under that, one for desktops and one for laptops.  The
workstation-baseline policy caught all the corporate security policies;
for instance, offline files are disabled, but on the laptop GPO, they
are enabled.


From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx]
On Behalf Of Darren Mar-Elia
Sent: Tuesday, September 19, 2006 11:37 AM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: GPO Implementation Methodology

I typically like Method A better, but it has its drawbacks. Some policy,
such as you've discovered with security policy, can't be easily undone.
For example, in your interactive logon message example, you can't simply
set it to Not Defined in the higher precedence GPO to have it undo the
message. You would have to set it, but leave it blank, in order to undo
that message. So, maybe the best solution is a mix of approaches, where
you only put settings that universally apply to all computers in a set
of a few master GPOs and then apply specific settings at the OU level
in linked GPOs, using security filtering if you need to isolate groups
of machines or users for specific settings.

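An added example, not code from the thread or from any of its participants, for checking the situation described in the message above: for one OU it lists the GPOs in effect in precedence order and reports, for one Security Option, whether each GPO leaves it Not Defined, defines it blank, or defines it with a value. It assumes the GroupPolicy RSAT module; the OU distinguished name is a placeholder, and the `SecurityOptions`, `KeyName` and `SettingString` element names are taken from the Get-GPOReport XML schema as observed in practice.

```powershell
# Added example (not from the gptalk thread): which GPO in an OU's precedence
# order actually defines a Security Option, and whether it is blank or Not Defined.
# Assumptions (labelled): GroupPolicy RSAT module; $ou is a placeholder DN; the
# report's SecurityOptions/KeyName/SettingString element names follow the
# Get-GPOReport XML schema as observed in practice.
Import-Module GroupPolicy

$ou      = 'OU=Laptops,OU=Workstations,DC=corp,DC=example'   # assumption: your OU
# Interactive logon message text, as it appears in the security template / report.
$keyName = 'MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\LegalNoticeText'

# InheritedGpoLinks is the list from GPMC's "Group Policy Inheritance" tab:
# Order 1 has the highest precedence (applied last, wins on conflicts).
$links = (Get-GPInheritance -Target $ou).InheritedGpoLinks |
         Where-Object { $_.Enabled } |
         Sort-Object Order

$rows = foreach ($link in $links) {
    [xml]$report = Get-GPOReport -Guid $link.GpoId -ReportType Xml

    # PowerShell's XML adapter ignores namespace prefixes, so the q1:SecurityOptions
    # elements under the security extension are reachable by plain name.
    $opts = @($report.GPO.Computer.ExtensionData.Extension.SecurityOptions |
              Where-Object { $_.KeyName -eq $keyName })

    $state = if ($opts.Count -eq 0) { 'Not Defined' }
             elseif ([string]::IsNullOrEmpty($opts[0].SettingString)) { 'Defined, blank' }
             else { "Defined: '$($opts[0].SettingString)'" }

    [pscustomobject]@{
        Order    = $link.Order
        GPO      = $link.DisplayName
        Enforced = $link.Enforced
        Setting  = $state
    }
}

$rows | Format-Table -AutoSize

# The effective value comes from the first row (lowest Order) that is not "Not Defined":
$winner = $rows | Where-Object { $_.Setting -ne 'Not Defined' } | Select-Object -First 1
if ($winner) { "Effective setting comes from '$($winner.GPO)': $($winner.Setting)" }
else         { 'No GPO in scope defines this option; the local setting stands.' }
```

Reading the output: an "exception" GPO at Order 1 that shows Not Defined contributes nothing, so the baseline's message further down the list remains in effect; only a row showing "Defined, blank" above the baseline actually clears it, which is the behaviour described in the message above.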

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx]
On Behalf Of Kopenski, Jack
Sent: Tuesday, September 19, 2006 7:59 AM
To: GPTalk Forum
Subject: [gptalk] GPO Implementation Methodology

In trying to design a good GPO methodology for a medium-size (7,500
employees) world-wide AD forest we are torn between 2 methods.

Method A

1.  Creating a master computer GPO for all settings common to the
majority of our computers.
2.  Creating "exception" GPOs with a higher precedence to turn off
individual settings set in the master GPO not desired for specific OUs.


Method B

1.  Creating many individual GPOs for the majority of our computers.
2.  Simply leaving off an individual GPO if it is not desired for those

Method A would seem to create fewer GPOs, but can we always rely on the
ability to turn off a setting already turned on by the master?

Method B would seem to create more GPOs with a more complex precedence
order, but simplify troubleshooting.

I have run into a problem with Method A; after turning on the Security
Options Interactive Logon Message in one GPO, I am unable to turn it off
again in an exception GPO higher in the precedence order.

Input would be appreciated. 



The contents of this e-mail are intended for the named addressee only.
It contains information that may be confidential. Unless you are the
named addressee or an authorized designee, you may not copy or use it,
or disclose it to anyone else. If you received it in error please notify
us immediately and then destroy it. 
