RE: [ActiveDir] Group Policies

[Tony Murray]

I’ve seen some environments that have gone slightly policy-mad and create GPOs by the truckload.  This can create performance issues, including slow startup and login.  I saw a web cast a while back from the product team and they made the point that it’s not so much the number of policies that typically affect performance, but instead the number of settings the client has to process.  Most of the time these are one and the same thing, but I have seen a tendency for organisations to be over-enthusiastic when configuring policy settings.  If there is no specific need to configure a policy setting then it should be left at “not configured”.   Another tip to improve performance is to disable the portion of the GPO that is not used.  For example, if you have a GPO that is linked to an OU containing computer objects, disable the user portion of the GPO and vice versa.   As Darren says, keeping it simple is the key.   Tony   From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia Sent: Wednesday, 25 January 2006 7:52 a.m. To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Group Policies   The best answer is that it really depends upon:   --what you're doing in your GPOs --how available/reliable/performant your network is --how you've delegated GP administration     --more granular delegation typically results in more GPOs   My obvious advice is to always keep the implementation as simple as possible to achieve your goals. Generally speaking, the more GPOs, the more chance of something going wrong, the longer a particular computer startup or logon takes,etc. One thing I would say is that make sure that whatever is in your test environment is the same as what you have in prod. Changing or consolidating policy as you're moving into production is probably not a good idea. Also, stay away from implementing policy that is compute intensive, such as the file system and registry security policies. Creating file or registry security policy that permissions large trees is not a good idea.   All that being said, there is no magic number but if you have a small-ish environment without a lot of variation in desktop configuration, and you have 100s of GPOs. that's probably too many :). In a large organization, 100s of GPOs is not unheard of.   From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mike Williams Sent: Tuesday, January 24, 2006 9:23 AM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Group Policies How many group policies are considered too many? Is there a good average to shoot for? Should they be consolidated into one policy after testing?   Thanks   Mike Michael P. Williams Information Technology Carlyle Van Lines 801 West Young Warrensburg, Missouri 64093 (660) 747-8128 X 3816 [EMAIL PROTECTED] www.carlylevanlines.com   This communication, including any attachments, is confidential. If you are not the intended recipient, you should not read it - please contact me immediately, destroy it, and do not copy or use any part of this communication or disclose anything about it. Thank you. Please note that this communication does not designate an information system for the purposes of the Electronic Transactions Act 2002.