For Geeks @nd the not so Geeky

Group Policy Management Structuring and Design

Group Policy Management – Organizational Unit (OU) Design and Group Policy Objects (GPO) Implementation

The first thing to keep in mind when it comes to group policy management is that organizational units are not the same as security groups. The key thing to remember is that a security group is used to assign permissions, whereas an OU is just a container of objects.

Take care to properly design your OU structure by considering the geographical or departmental location and needs of your users.

As you probably know, OUs often contain one or more child OUs, which by default inherit security settings from the parent OU.

As usual, no matter the size of your company, try to keep it simple. The concept is very similar to AD design where a single domain in a single forest is the easiest to administer.


The same goes for OU structure: try to minimize the number of OUs in order to avoid too much complexity. Avoid creating additional administrative overhead by creating multiple OUs that are subject to the same GPO or security settings.

OUs are designed to make administration easier. Of course, do not oversimplify your OU structure either, as this might very easily override GPO settings required for specific users or computers.


What is Group Policy – Group Policy Management Editor

The first thing to keep in mind is that GPOs are either applied to users or computers.

Starter GPOs

Multiple pre-configured GPO settings (3000+) are available in Windows Server 2008 R2. If you are not sure of the template you want, just right-click on a folder icon in the Group Policy Management Editor and choose Filter Options to enter your search criteria.

Multiple local group policy objects (MLGPO)

In the past, when you applied a local group policy restriction, all users, including administrators, were affected by the GPO. MLGPO enables you to enforce different GPOs based on the group the user is a member of, or on any individual user account.

Site GPO

  • GPO must already exist to link it to a site
  • Not very common except to define network settings

Domain Linked GPO

General advice is to leave the Default Domain Policy alone, as any changes made to this policy are domain-wide.

It is better to create a separate policy and scope it, and not touch the Default Domain Policy.

Order of Inheritance (Screenshot)

Group Policy Management Scopes

As a rule, child OU settings take precedence over domain or site GPO settings. There are ways to override this behavior, but they should only be used if all other options do not fit your strategy.

One way would be to use “Block Inheritance”. Be very careful with this setting, as it will block any other policies from being applied to the OU.
Enforce GPO Settings does just the opposite and should also be used sparingly.

Advanced Group Policy Management

This is very similar to using NTFS permissions. Go to the properties tab and check the Deny Group Policy setting. (screenshot) As always, DENY overrides any other settings.

You should design the scope of management or inheritance of your OUs properly and only resort to Enforce or Block Inheritance as a rare exception.
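Since Block Inheritance, Enforce and explicit Deny entries are the exceptions you want to keep rare, it helps to be able to list every place they are in use. The following PowerShell audit script is an added example, not part of the original post; it assumes the GroupPolicy and ActiveDirectory RSAT modules are installed and that the account running it can read the domain.

```powershell
# Added example (not from the original post): report the Group Policy
# settings this post says to use sparingly, so deviations from the OU
# design can be reviewed. Assumes the GroupPolicy and ActiveDirectory
# modules (RSAT) and read access to the current domain.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$findings = @()

# Every container a GPO can be linked to: the domain root plus each OU.
$targets = @((Get-ADDomain).DistinguishedName) +
           (Get-ADOrganizationalUnit -Filter * |
            Select-Object -ExpandProperty DistinguishedName)

foreach ($dn in $targets) {
    $inh = Get-GPInheritance -Target $dn

    # Block Inheritance on the container itself.
    if ($inh.GpoInheritanceBlocked) {
        $findings += [pscustomobject]@{ Kind = 'BlockInheritance'; Target = $dn; Gpo = '' }
    }

    # Links flagged Enforced win over Block Inheritance further down the tree.
    foreach ($link in $inh.GpoLinks) {
        if ($link.Enforced) {
            $findings += [pscustomobject]@{ Kind = 'EnforcedLink'; Target = $dn; Gpo = $link.DisplayName }
        }
    }
}

# Security filtering: an explicit Deny on "Apply Group Policy" overrides
# any Allow the trustee gets from other group memberships.
foreach ($gpo in Get-GPO -All) {
    $denies = Get-GPPermission -Guid $gpo.Id -All |
              Where-Object { $_.Denied -and $_.Permission -eq 'GpoApply' }
    foreach ($d in $denies) {
        $findings += [pscustomobject]@{ Kind = 'DenyApply'; Target = $d.Trustee.Name; Gpo = $gpo.DisplayName }
    }
}

$findings | Sort-Object Kind, Target | Format-Table -AutoSize
```

An empty table means the domain follows the advice above; every row is a place where ordinary inheritance has been overridden and should be justified.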

WMI Filters allow you to filter GPOs based on

  • Hardware
  • Software Deployment

If there is anyone out there using Group Policy to distribute software, read on. Suffice it to say that it can be accomplished the MS way.

  • Assigned – Software gets installed regardless of user consent
  • Published – user has the option to install
  • Has to be an .msi file

Admx vs adm files

In the old days (Win 2000 and earlier) we used to rely on Adm files, which were language dependent. They were replicated to all the SYSVOL folders in the domain, so every policy that was created also had every Adm file connected to it stored in SYSVOL. There was often an inconsistency between different language versions.

Admx and Adml

Admx files contain universal settings, whereas the Adml files contain language-specific settings. These files can be stored in a central store, making them a lot more efficient and less bulky than the Adm files, which had to be present in every SYSVOL volume in previous versions of Windows Server.
