Darren,

Great info: I have grown concerned about our environment as well. We have over 27 different organizations within our AD, and possibly 50 different delegations. We normally allow 4 GPOs per delegation, so we could be seeing this issue in the future as well.

Thanks,
Todd

-----Original Message-----
From: Rick Kingslan [mailto:[EMAIL PROTECTED]]
Sent: Saturday, November 27, 2004 10:56 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] GPO and Sysvol size

Darren,

Yep - this helps a ton. This is what I was looking for - first, this type of guidance, and second, something I was completely unaware of.

One thing that I failed to mention, but that you still provided an answer for, is that our domains are not yet on 2k3, and the size of the Sysvol became an alarm issue that I raised with the team that is doing the upgrades. However, I still have the interim solution, and the solution to implement once the domains are upgraded.

Thanks - much appreciated!

-rtk

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Darren Mar-Elia
Sent: Saturday, November 27, 2004 1:03 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] GPO and Sysvol size

Rick-

As you probably noticed, within each GPO that implements Administrative Template policy, the ADM files are stored in the SYSVOL portion of that GPO. If you notice the size of those collective ADMs, especially after SP2 came out, each GPO can have well over a meg of ADM files stored in SYSVOL.

Windows 2003 supports the ability to edit GPOs without looking for the ADMs in SYSVOL. So you would basically delete all of the ADMs from all of your SYSVOL replicas and then enable the policies described here. There are two policies related to this.

The first disables the automatic updating feature, where a workstation that is editing a GPO automatically uploads its ADM files if they are newer than, or are not found in, SYSVOL. If you disable this automatic updating on all workstations that might try to edit GPOs, you can keep new ADMs from being copied up. This policy is found at:

  User Configuration\Administrative Templates\System\Group Policy\Turn off automatic update of ADM files

The second policy only works when editing GPOs from Windows Server 2003, but it essentially tells any 2003 machine with the policy set that, when editing the GPO, it should only use the ADMs found in the %windir%\inf folder on that machine. This policy is found at:

  Computer Configuration\Administrative Templates\System\Group Policy\Always use local ADM files for Group Policy Object Editor

Again, this one only works for Windows 2003--it doesn't work on XP. So, if you enable it, all GP editing has to be done from Windows 2003.

The only other method I've seen is a more manual approach. You delete all ADMs from all SYSVOL replicas *except* the PDC role-holder. Then, you create a DFS filter on SYSVOL to not replicate *.adm files. Since the GP editor will always default to the PDC emulator, you will be able to edit your GPOs as normal, since the ADMs will still be on the DC you're focused on. However, if the PDC role-holder is down, or an administrator attempts to focus on a different DC for GP editing, well, then they won't see any Admin. Template policy options when they open a GPO.

Hope that helps,

Darren

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Rick Kingslan
Sent: Friday, November 26, 2004 8:43 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] GPO and Sysvol size

All -

OK, I rarely ask questions here (and haven't been posting many answers of late either...). I have a bit of a problem, and I know the answer, but the solution is much easier than the politics and the reality of it.

Our Sysvol has grown to rather huge proportions with the acquisition of a few companies and our reliance on GPO to lock down and manage our desktop environments based on specific customer demands.

I'll be the first to admit that there are too many hands in the admin role, but it's currently not a battle that I can win - unless I come up with a specific reason that folks should not have specific rights. Namely, in the current instance, it's the right to create GPOs. In the past 4 mos, I have gone from about 100 GPOs to about 450. In our environment, 450 GPOs is equal to about 650MB in Sysvol.

Most of the GPOs are due to very specific need by customer requirement - the lockdown of a desktop because Customer A requires this, while the next shift is Customer B, who requires something else. In looking at the GPOs, there doesn't seem to me to be a real way to reduce or combine them to consolidate the sheer number. Certainly there can be optimizations, but I doubt that the total of the reductions will be of any real substance.

What am I missing in all of this? What information would the other smart folks here need to help me technically and politically solve the problem? If you don't understand the breadth of the problem - ask. I can elaborate.

TIA!

Rick Kingslan
MCSE, MCSA, MCT, CISSP
Microsoft MVP: Windows Server / Directory Services
Windows Security (Affiliate)
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone
WebLog - www.msmvps.com/willhack4food

List info   : http://www.activedir.org/mail_list.htm
List FAQ    : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
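A PowerShell audit script, added here as an example and not part of the thread, that measures how much of each GPO's SYSVOL folder is ADM files (the per-GPO overhead Darren describes) so you can see what deleting the ADMs and enabling the local-ADM policies would actually recover. It assumes the standard \\<domain>\SYSVOL\<domain>\Policies\{GUID}\Adm layout and, optionally, the GroupPolicy module's Get-GPO for display names.

```powershell
# Added example, not from the thread: audit how much of SYSVOL is ADM overhead.
# Assumes the standard layout \\<domain>\SYSVOL\<domain>\Policies\{GUID}\Adm\*.adm;
# $Domain defaults to the logged-on user's DNS domain and can be overridden.
param(
    [string]$Domain = $env:USERDNSDOMAIN,
    [string]$PoliciesPath = "\\$Domain\SYSVOL\$Domain\Policies"
)

# Get-GPO (GroupPolicy module) is optional; without it the report shows GUIDs only.
$canResolveNames = [bool](Get-Command Get-GPO -ErrorAction SilentlyContinue)

$report = foreach ($gpoDir in Get-ChildItem -Path $PoliciesPath -Directory -Filter '{*}') {
    $files = @(Get-ChildItem -Path $gpoDir.FullName -Recurse -File -ErrorAction SilentlyContinue)
    $adm   = @($files | Where-Object { $_.Extension -ieq '.adm' })
    # Measure-Object returns a $null Sum for an empty set; the [int64] cast makes that 0.
    $allBytes = [int64]($files | Measure-Object -Property Length -Sum).Sum
    $admBytes = [int64]($adm   | Measure-Object -Property Length -Sum).Sum
    $name = $gpoDir.Name
    if ($canResolveNames) {
        $gpo = Get-GPO -Guid $gpoDir.Name.Trim('{}') -ErrorAction SilentlyContinue
        if ($gpo) { $name = $gpo.DisplayName }
    }
    [pscustomobject]@{
        Gpo      = $name
        TotalKB  = [math]::Round($allBytes / 1KB, 1)
        AdmKB    = [math]::Round($admBytes / 1KB, 1)
        AdmFiles = $adm.Count
        AdmNames = ($adm.Name | Sort-Object -Unique) -join ','
    }
}

$totalKB = ($report | Measure-Object -Property TotalKB -Sum).Sum
$admKB   = ($report | Measure-Object -Property AdmKB   -Sum).Sum
$share   = if ($totalKB) { $admKB / $totalKB } else { 0 }
'{0} GPOs: {1:N0} KB in SYSVOL, {2:N0} KB ({3:P0}) is ADM files' -f @($report).Count, $totalKB, $admKB, $share

# Ten heaviest GPOs by ADM payload: these shrink the most once the ADMs are removed
# from SYSVOL and editing is done with the local %windir%\inf copies instead.
$report | Sort-Object -Property AdmKB -Descending | Select-Object -First 10 |
    Format-Table -Property Gpo, TotalKB, AdmKB, AdmFiles, AdmNames -AutoSize
```

Run it against one replica first; if the AdmNames column shows the same system.adm, inetres.adm and friends repeated in every GPO, that duplication is the bulk of the size Rick is seeing.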
