12 Tactics for your battle with Microsoft’s Group Policies
Here are a dozen tactics to help you configure, create and plan your Group Policies. What never ceases to amaze me is how long it takes to finalize your Group Policy settings. Therefore, even if only 2 or 3 ideas are suitable for your particular Active Directory implementation, I still feel it is worth your time checking my tips list.
- Create Group Policies before you deploy any clients
- Create a test OU
- Favour one policy with lots of settings
- Be on the lookout for positive Group Policies
- Find the Group Policy Backup Menu
- Use the ‘Enforce’ and ‘Block Inheritance’ sparingly
- Deny Group Policies to Administrators
- Surround yourself with the best tools
- Document your Group Policy settings
- Favour the user settings rather than the computer policy settings
- Assign Software rather than Publish
- Assemble your team
0) Get the GPMC (Group Policy Management Console)
This GPO tip is so simple that I almost forgot it: make sure that you get the GPMC from Microsoft’s site. This interface transforms configuring and troubleshooting Group Policy settings in Windows Server 2003.
1) Create Group Policies before you deploy any clients.
The most important tactic is stunningly simple. Create your policies before you roll out your (XP) clients. So many companies introduce wonderful group policies months after the new desktop roll-out. Instead of amazing their users with the excellence of their policies, all they get is resentment because people are suddenly denied features they like and have become accustomed to.
‘Barking’ Eddie convinced one group of users that their company had bought a special edition of XP, and that’s why there were so few settings. You and I know that it was just Group Policies applied cunningly to a regular edition of XP.
2) Create a test OU.
Create a trial Organizational Unit for your Group Policy experiments. Naturally, create test users and a test computer and make sure they are in the OU where you trial your policies. The number one trap with Group Policies is creating the GPO in one OU and expecting the settings to be effective for users in a different OU. Just when you finish laughing about that absurdity, you fall into the same trap, but this time with computer policies.
The other day I had a new twist, a network manager who was applying Group Policies to a group that were based in a different OU from their users.
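One way to check for this trap before testing a policy, as an added example that is not part of the original article: list the GPO links that actually reach the container holding a given user or computer object. It assumes the ActiveDirectory and GroupPolicy PowerShell modules (RSAT, newer than the Windows Server 2003 GPMC discussed here); `testuser1` and `Trial Desktop Lockdown` are hypothetical names.

```powershell
# Added example. Requires the RSAT ActiveDirectory and GroupPolicy modules.
Import-Module ActiveDirectory, GroupPolicy

function Get-LinkContainer {
    # Nearest OU or domain above the object. GPOs cannot be linked to
    # CN= containers, so objects there only receive domain-level links.
    param([Parameter(Mandatory)][string]$DistinguishedName)
    $dn = $DistinguishedName
    do {
        # Drop the leading RDN, allowing for backslash-escaped commas.
        $dn = $dn -replace '^(?:\\.|[^,\\])+,', ''
    } until ($dn -match '^(OU|DC)=')
    $dn
}

function Get-GpoLinksForObject {
    # Links inherited by the container where the object itself lives.
    # Where the object's groups live makes no difference.
    param([Parameter(Mandatory)][string]$DistinguishedName)
    $container = Get-LinkContainer -DistinguishedName $DistinguishedName
    (Get-GPInheritance -Target $container).InheritedGpoLinks |
        Select-Object Order, DisplayName, Enabled, Enforced, Target
}

function Test-GpoReachesObject {
    # True when an enabled link to the named GPO reaches the object's container.
    param(
        [Parameter(Mandatory)][string]$GpoName,
        [Parameter(Mandatory)][string]$DistinguishedName
    )
    [bool](Get-GpoLinksForObject -DistinguishedName $DistinguishedName |
        Where-Object { $_.DisplayName -eq $GpoName -and $_.Enabled })
}

# Hypothetical test user and trial policy.
$userDn = (Get-ADUser -Identity 'testuser1').DistinguishedName
Get-GpoLinksForObject -DistinguishedName $userDn | Format-Table -AutoSize
Test-GpoReachesObject -GpoName 'Trial Desktop Lockdown' -DistinguishedName $userDn
```

A link reaching the container is necessary but not sufficient: security filtering and WMI filters can still exclude the account, so confirm the final result with the GPMC results report.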
3) Favour one policy with lots of settings.
Avoid zillions of policies each with one setting. In my opinion a user should be the subject of no more than a dozen group policies, otherwise troubleshooting becomes complex. Others disagree, and say that Group Policies work fine although their users are in about 50 Group Policies. Technically, it does not make any difference to logon time. What slows down logon is the number of individual settings, not the number of policies. I say again, it’s tracing unexpected effects that becomes a nightmare. GPMC is great, but if you have to wade through 50 combinations it is difficult to keep them all on screen.
4) Be on the lookout for positive Group Policies.
For example, a simple ‘Enable Logoff’ to tidy up the computer. The pre-configured proxy settings will save you a great deal of configuration work. For a touch of class, experiment with ‘Pre-Populate printer locations’. My tip is to keep your eye out for policies which will improve your users’ experience and save them time.
5) Find the Group Policy Backup Menu
From time to time, back up your Group Policies. Not only will a backup protect your precious policies, it will also enable you to import and export to and from your test domain. When you back up, remember to start at the Group Policy Object container, which is right at the bottom of the GPMC.
Trap: What you see at the top and in the OUs is Group Policy shortcuts; unlike the real policies in the Group Policy Object containers, these do not have Backup available on the properties menu.
6) Use the ‘Enforce’ and ‘Block Inheritance’ sparingly.
Both ‘Enforce’ and ‘Block Inheritance’ are excellent tools for troubleshooting, but if you over-use them in a production domain they cause more problems than they solve. Enforce was called ‘No Override’ in previous versions of Windows.
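To see how sparingly the two settings are really used, the following added example (not code from the original article) inventories every container with Block Inheritance set and every enforced link in the current domain. It assumes the RSAT ActiveDirectory and GroupPolicy PowerShell modules; the function name is hypothetical, and site-level links are not covered.

```powershell
# Added example. Requires the RSAT ActiveDirectory and GroupPolicy modules.
Import-Module ActiveDirectory, GroupPolicy

function Get-GpoOverrideUsage {
    # The domain root and every OU are the places this audit checks.
    $domainDn = (Get-ADDomain).DistinguishedName
    $targets  = @($domainDn) + @(Get-ADOrganizationalUnit -Filter * |
                    Select-Object -ExpandProperty DistinguishedName)

    foreach ($dn in $targets) {
        $som = Get-GPInheritance -Target $dn

        # Block Inheritance is a property of the container, not of a GPO.
        if ($som.GpoInheritanceBlocked) {
            [pscustomobject]@{
                Setting   = 'Block Inheritance'
                Container = $dn
                Gpo       = $null
            }
        }

        # Enforce ('No Override') is a property of each individual link.
        foreach ($link in $som.GpoLinks) {
            if ($link.Enforced) {
                [pscustomobject]@{
                    Setting   = 'Enforced'
                    Container = $dn
                    Gpo       = $link.DisplayName
                }
            }
        }
    }
}

$usage = @(Get-GpoOverrideUsage)
$usage | Sort-Object Setting, Container | Format-Table -AutoSize

# A blocked OU silently drops every non-enforced policy from above,
# security baselines included, so each row deserves a documented reason.
$usage | Group-Object Setting | Select-Object Name, Count
```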
7) Deny Group Policies to Administrators.
You will probably ignore this GPO tip – until you lock out your Administrator account. Make it your reflex to amend the Security tab so that Administrators are set to: Deny – Apply Policy. The risk is that you will ‘shoot yourself in the foot’ with a really vicious policy, for example, deny the right to logon locally. Just in case of a problem, create a full administrator in a special OU where you block inheritance and never apply any policies at that location.
For the cautious, or truly paranoid, always keep a second domain controller running with the administrator logged on. The benefit is that if you do lock yourself out on the first DC you can reverse the policy on the second domain controller. If all else fails, research your ‘get out of jail card’ – DCGPOFIX.
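' VBScript to run Gpupdate
' Author Guy Thomas
' Version 1.3
Option Explicit
Dim objShell, strService, intShortSleep, intLongSleep
Set objShell = CreateObject("WScript.Shell")
' Adjust sleep / wait (milliseconds)
strService = " gpupdate /force"
intShortSleep = 1500
intLongSleep = 10000
' Cmd prompt opened
objShell.Run "cmd"
WScript.Sleep intShortSleep
' gpupdate executed (SendKeys types into whichever window has focus,
' so leave the new Cmd window in the foreground while the script runs)
objShell.SendKeys strService
WScript.Sleep intShortSleep
objShell.SendKeys "{ENTER}"
WScript.Sleep intLongSleep
' Cmd prompt exited
objShell.SendKeys "exit"
WScript.Sleep intShortSleep
objShell.SendKeys "{ENTER}"
WScript.Echo strService & " running "
' End of Script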
8) Surround yourself with the best tools.
Start as you mean to go on. Familiarise yourself with GPMC, the Report Wizard and Modeling Wizard.
Make a batch file or script to run Gpupdate; I guarantee you will be clicking it a great deal in testing. Incidentally, Gpupdate replaces the secedit command used in Windows 2000. Probably the most useful switch is Gpupdate /force. The Gpupdate VBScript above can be copied, pasted into Notepad and saved onto the desktop with a .vbs extension.
9) Document your Group Policy settings.
If you are serious about Group Policies then document the settings. An Excel spreadsheet would be an ideal vehicle to hold all the information. In fact, a spreadsheet containing all the built-in Group Policies is the killer feature of my ebook.
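The backup in tip 5 and the documentation in this tip can be produced in one pass. The script below is an added example, not part of the original article or the ebook: it backs up every GPO, writes a settings report, and exports a spreadsheet-ready inventory. It assumes the RSAT GroupPolicy PowerShell module; the function name, file names and the `D:\GpoSnapshots` path are hypothetical.

```powershell
# Added example. Requires the RSAT GroupPolicy module.
Import-Module GroupPolicy

function Export-GpoSnapshot {
    param([Parameter(Mandatory)][string]$Root)

    $stamp  = Get-Date -Format 'yyyyMMdd-HHmmss'
    $folder = Join-Path $Root $stamp
    New-Item -ItemType Directory -Path $folder -Force | Out-Null

    # Backs up the real objects from the Group Policy Objects container,
    # not the links shown under each OU.
    Backup-GPO -All -Path $folder -Comment "Snapshot $stamp" | Out-Null

    # One HTML report covering the settings of every GPO.
    Get-GPOReport -All -ReportType Html -Path (Join-Path $folder 'AllGpoSettings.html')

    # One CSV row per GPO, including where it is linked (opens in Excel).
    $rows = foreach ($gpo in Get-GPO -All) {
        [xml]$report = Get-GPOReport -Guid $gpo.Id -ReportType Xml
        $links = @($report.GPO.LinksTo | Where-Object { $_ } |
                     ForEach-Object { $_.SOMPath })
        [pscustomobject]@{
            Name     = $gpo.DisplayName
            Id       = $gpo.Id
            Status   = $gpo.GpoStatus
            Modified = $gpo.ModificationTime
            LinkedTo = $links -join '; '   # empty means the GPO is unlinked
        }
    }
    $rows | Export-Csv -Path (Join-Path $folder 'GpoInventory.csv') -NoTypeInformation

    $folder   # return the snapshot location
}

# Hypothetical destination. The backups and reports expose the domain's
# security settings, so restrict the folder to Group Policy administrators.
Export-GpoSnapshot -Root 'D:\GpoSnapshots'
```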
10) Favour the user settings rather than the computer policy settings.
Where there is a 50:50 decision to apply a policy setting to a computer or a user, then favour the user configuration. The other benefit is that you tend to keep all the policies in one area and so make troubleshooting easier.
11) Assign Software rather than Publish.
No-one is going to find your lovely programs by going to Add or Remove Programs. The other benefit is that assigning software uses elevated rights for the installation.
12) Assemble your team.
Of all the computer configuration tasks, Group Policies provide the most fun. To have the most fun, and to get the most out of group policies, assemble an official or even unofficial team. ‘Playing’ with Group Policies works best when you have different personalities, ‘Mr Nasty’ locking down the desktop, ‘Mr Nice’ assigning software. The character who is most difficult to find is ‘Mr Vision’, someone who can picture what the final desktop should be like.
Summary of GPO Tips
It never ceases to amaze me how long it takes to lock down the various aspects of a computer. I hope that you find a tactic to help you configure, or troubleshoot your Group Policies.