GPO - Best Practices
Posted by allenflame@reddit | sysadmin | 15 comments
Are there any best practices for Group Policy Objects when it comes to the number of policies? Is it better to create lots of policies that only make, say, 1-5 changes per policy, or just a few policies that make 50+ changes? Does it matter if you have one per location for changes like Drive Mappings, or have one at the top level and filter them with Item-level targeting? We've got probably 70 objects, and most have been in place since Windows 7. Every location has, for example, its own drive mapping object and its own WSUS object. I've made several over the years for Chrome Settings, Power Settings, and then I have some that I've just thrown settings into for a quick fix. I'm recreating a bunch (made backups first) and wanted to make sure I wasn't overthinking it.
Outside-After@reddit
There used to be some evidence online that demonstrated monolithic GPOs, that is, single objects containing many policies, process faster. However, it is very easy to bury things…
ConstantSpeech6038@reddit
Yes, I remember researching this a few years back. I think the takeaway was that the difference is unnoticeable on gigabit LANs, but could bring some benefit on slower networks spanning cities, countries or even continents.
Unexpected_Cranberry@reddit
This is based off of my experience; your mileage may vary.
In our environment each individual policy adds about 100ms to processing time. This is the part where it checks security filtering to decide whether the GPO should be applied or not, and the precedence of the linked GPOs to determine which value should be applied if the same setting is configured in more than one GPO. This does not include evaluating any conditions set in Group Policy Preferences using Item Level Targeting.
Then the application of the policies depends on what was configured, the most expensive settings typically being drive maps, printer maps and login scripts.
Now, I haven't used Item level targeting in about twenty years, so things may have changed under the hood, but at least in the past it was super inefficient. Every condition involving a group membership results in a lookup in Active Directory, significantly adding to evaluation time. As an example, I had 20 printer mappings defined in a single GPO with Item level targeting. It took 20 seconds to process even if none of the printers were to be mapped. Splitting it up into 20 different GPOs using security filtering instead cut that down to less than two seconds.
With that in mind, you need to find an approach that lets you balance sign in performance and manageability.
Ideally this is a consideration taken into account when designing your OU structure. My general approach has been to create larger GPOs and link them further up, containing the general baselines for the environment. I typically divide them up into Windows Security Baselines, Windows Settings, Edge Settings, Office Settings or the like. I typically try to configure a setting as high as possible in order to avoid having GPOs that are linked to multiple OUs. This helps make it easier to manage, as it's very easy to look at a link, change a setting and forget that that GPO is also linked to a different OU where that change is undesired. If possible, I prefer to link a GPO further up and then use security filtering rather than linking a GPO in multiple places.
So, for example:
- Computers OU
  - Windows 11 Security Baseline
  - Windows 11 Settings
  - Edge Computer Settings
  - Office Computer Settings
  - Europe OU
    - Europe Computer Settings -> If you have just a few settings for each of the categories above it might make sense to have just one GPO where you add all those settings. Or you split it up into similar categories as above.
    - Europe App1 Settings -> Settings for an application only used in Europe.
    - France OU
      - Paris OU
thegreatdandini@reddit
Turn off the user or computer part of the policy if it's empty. No point in reading it every time.
Turn off the setting 'Always wait for the network at computer startup and logon', as typically you have computers that won't always be on the network these days.
Most other things are negligible in terms of performance hitting unless you do lots of horrible item level targeting or have WMI filters that are costly.
demonseed-elite@reddit
I need some advice on this as well. We have a very large organization. We have a lot of printers. I'm talking potentially 30 per site, a dozen sites... that's a lot. All these printers have a GPO to attach them to a user or computer object... so... 350+ GPOs just for printers.
Then there's the 40-50 GPOs to map network drives.
It's a bit maddening and I've always wondered if there was a better way to do it.
giovannimyles@reddit
It depends. If you are pushing to bare metal desktops you can isolate each GPO and be fine. You can item level target and be fine. In a VDI environment item level targeting is the devil, lol. Those queries to AD to enumerate and apply things are very slow for login times. Same for a lot of policies: it slows the login times. There isn't a one size fits all for every item. I liked doing site level GPOs for printing, so as you got an IP at a location you got those printers. Primary was domain GPOs though. I personally prefer to group computer policies together and user policies together. I will do security and firewall by themselves. Every other computer setting I cram into one. The problem I have with a lot of GPOs is overlapping settings by different admins. Then you realize the same setting with different values across multiple policies is conflicting. So I prefer to consolidate to remove user error.
Cormacolinde@reddit
It can get complex.
There are basically 4 ways to assign GPOs:
- OU linking (basic stuff)
- Site linking (rarely used, not entirely reliable)
- Security filtering (fairly basic but can get complicated when combined with Loopback processing)
- WMI filter (can slow things down horribly, to be used sparingly)
In addition, you can filter GPP items individually, in a very granular way.
You also need to know that GPO processing is done using Client-Side Extensions, CSEs. There's one for security settings, ADMX, registry, files, folders, etc. You can look up the list and IDs.
When a GPO is modified, the whole thing needs to be refreshed, and every CSE involved in the GPO must be refreshed. For this reason, it is paramount not to mix up different CSEs within the same GPO, especially if it changes often. So having large GPOs is more efficient if they don't change, but can be much worse when they do.
Also, large GPOs that encompass a lot of settings can be harder and more complicated to apply granularly. Be mindful of settings that often have exceptions (like say, screen saver timers) and keep them together. Same with GPOs that target specific software settings.
For drive maps and printers I like using GPP with item level targeting, as it's quite powerful. Depending on the number of maps/printers you might not want to make a single one, if only for easier management.
Ishkabo@reddit
It’s to taste. Whatever you do though should be documented and consistent.
thekdubmc@reddit
Try to avoid bloated GPOs. It's alright to have a few larger ones for baselines, but beyond that aim for reasonably targeted GPOs with concise naming. Don't get so specific that you're creating a new GPO for every single setting though, as that will become its own management headache and kill login performance.
If you find you can't accurately describe the GPO in only a few words for the title, you're probably adding too much to it.
Also be sure to disable the user or computer portion of the GPO if it's not being used. Use security filtering and item-level filtering where appropriate, and keep an eye on your GPO inheritance. Making sure you have OUs structured decently will be very important for making sure policies are applied appropriately without making a mess of things.
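Several replies above converge on the same checks: disable the empty user or computer side, avoid linking one GPO in many places, keep CSEs from piling up in one GPO, and watch WMI filters and enforced links. The following PowerShell is an added example, not from any poster in this thread; it reads every GPO's XML report through the RSAT GroupPolicy module and flags those conditions. The function name `Get-GpoHygieneReport` and the threshold of three CSE categories are my own choices.

```powershell
# Added example: read-only GPO inventory that flags the hygiene issues discussed above.
# Requires the GroupPolicy RSAT module and read access to all GPOs in the domain.
Import-Module GroupPolicy

# Each <ExtensionData> node in the report is one CSE category (Registry, Security,
# DriveMapSettings, Printers...). Read its <Name> child by local name to avoid
# colliding with the XmlElement's own .Name property.
function Get-CseNames($section) {
    @($section.ExtensionData | Where-Object { $_ } | ForEach-Object {
        ($_.ChildNodes | Where-Object LocalName -eq 'Name' | Select-Object -First 1).InnerText
    })
}

function Get-GpoHygieneReport {
    foreach ($gpo in Get-GPO -All) {
        [xml]$xml = Get-GPOReport -Guid $gpo.Id -ReportType Xml
        $g        = $xml.GPO
        $compCse  = Get-CseNames $g.Computer
        $userCse  = Get-CseNames $g.User
        $allCse   = @(($compCse + $userCse) | Select-Object -Unique)
        $links    = @($g.LinksTo | Where-Object { $_ })
        $findings = @()

        # Empty side that is still enabled: the client reads it for nothing.
        if ($g.Computer.Enabled -eq 'true' -and $compCse.Count -eq 0) { $findings += 'empty computer side enabled' }
        if ($g.User.Enabled     -eq 'true' -and $userCse.Count -eq 0) { $findings += 'empty user side enabled' }
        # Link hygiene: unlinked GPOs are clutter; multi-linked ones invite "forgot it applies there too".
        if ($links.Count -eq 0) { $findings += 'not linked' }
        if ($links.Count -gt 1) { $findings += "linked in $($links.Count) places" }
        if (@($links | Where-Object { $_.NoOverride -eq 'true' }).Count -gt 0) { $findings += 'enforced link' }
        # Costly evaluation and change-amplification signals.
        if ($gpo.WmiFilter) { $findings += "WMI filter '$($gpo.WmiFilter.Name)'" }
        if ($allCse.Count -gt 3) { $findings += "mixes $($allCse.Count) CSE categories" }   # threshold is an assumption

        [pscustomobject]@{
            Name     = $gpo.DisplayName
            Status   = $gpo.GpoStatus
            Links    = $links.Count
            CSEs     = $allCse -join ','
            Findings = $findings -join '; '
        }
    }
}

Get-GpoHygieneReport | Sort-Object Links -Descending | Format-Table -AutoSize
```

The script only reports; to act on an "empty user side enabled" finding, set the GPO's `GpoStatus` property to `UserSettingsDisabled` (or `ComputerSettingsDisabled` for the other side) on the object returned by `Get-GPO`.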
GeneMoody-Action1@reddit
Though it is a PIA to look at, it is easy to manage if you make them individual. That has been my experience, albeit I have used them sparingly for the last 15 or so years.
BuffaloRedshark@reddit
Not saying it's best, but we have a mix. Some GPOs are very specific and only have a couple of settings; others are more broad (like the security baseline for all computers/servers) and have a ton of settings in one GPO.
Rawme9@reddit
This is how we did it when I worked for a company that heavily used GPOs. For example, we had our Global GPO that applied some baseline security settings to all computers, then got more granular as needed. No need to stick EVERYTHING into one policy, but similar things can hang out together.
ohioleprechaun@reddit
I always grouped them by subject, e.g. Chrome Settings, Edge Settings, Windows baseline, etc. You want to try and keep the overall number of GPOs that apply to a device down, as too many will impact login times. Just make sure you are not disabling inheritance or using enforcement liberally and you should be fine.
peteybombay@reddit
Item level targeting will get old, I would just apply policies to OUs, but be mindful of inheritance.
I would create a "Default Domain" policy and a separate Password Policy at the root with common settings you want applied everywhere, then more specific GPOs in different OUs for User, Server, Workstations, etc.
Having a million different GPOs applying to your users would have an impact on logon times, but having a million items in a single policy could also cause problems... but I think that would have to be a pretty big policy, so I tend to break them up more.
Not to mention, using different policies can sometimes leave identical settings in conflict with each other; it's also simpler to use fewer policies.
chrisr01@reddit
I personally like to do them one at a time; it helps, when stuff breaks, to know which policy you enacted broke things.