Dan-
The decision to separate out policy settings into different GPOs should be made based on who will be managing those GPOs. If you have separate teams or people that need to manage WSUS settings but not LCS settings, then it will be easier to delegate access to those settings if they are in separate GPOs. However, if not, then your overriding goal is to generally keep the number of GPOs to a minimum number that meets your business needs. If you take the "separate GPO for each setting type" approach, you will quickly have hundreds of GPOs over time. So let the management of the GPOs drive how granular or monolithic you make them.
 
Also, one quick point on your comments below. You talk about placing all these policies in a created OU called "GPOs". GPOs don't reside in OUs. They can be linked to OUs, but they are stored per-domain and don't need to be linked to anything to be managed. This is where using the GPMC to manage your GP infrastructure comes in handy, because it shows you all GPOs defined in a domain, and then it shows you the links to those GPOs on a per-container basis.
 
Darren
 
 
Darren Mar-Elia
For comprehensive Windows Group Policy Information, check out www.gpoguy.com-- the best source for GPO tips, tools and whitepapers. Also check out the Windows Group Policy Guide, a soup-to-nuts resource for Group Policy information.
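
The two points in the reply above (GPOs are per-domain objects that may or may not be linked to containers, and delegation should drive how granular they are) can be checked against a live domain. This is an added example, not part of the original email; it assumes a domain-joined session with the GroupPolicy PowerShell module that ships with GPMC/RSAT, and the "merge candidate" rule at the end is an illustrative heuristic, not a rule from the thread.

```powershell
# Added example: inventory every GPO in the current domain with its links and editors.
Import-Module GroupPolicy

$inventory = foreach ($gpo in Get-GPO -All) {
    # The XML report lists each container (site, domain, OU) this GPO is linked to.
    [xml]$report = Get-GPOReport -Guid $gpo.Id -ReportType Xml
    $links = @($report.GPO.LinksTo | Where-Object { $_ } |
        ForEach-Object { $_.SOMPath } | Sort-Object)

    # Trustees allowed to change the GPO: the delegation boundary.
    $editors = @(Get-GPPermission -Guid $gpo.Id -All |
        Where-Object { $_.Permission -in 'GpoEdit', 'GpoEditDeleteModifySecurity' } |
        ForEach-Object { $_.Trustee.Name } | Sort-Object -Unique)

    [pscustomobject]@{
        Name      = $gpo.DisplayName
        LinkCount = $links.Count
        LinkedTo  = $links -join '; '
        Editors   = $editors -join '; '
    }
}

# Every GPO stored in the domain, whether or not it is linked anywhere.
$inventory | Sort-Object Name | Format-Table -AutoSize -Wrap

# GPOs that exist in the domain but are linked to no container.
$inventory | Where-Object { $_.LinkCount -eq 0 } | Select-Object Name, Editors

# Heuristic (assumption): GPOs with identical links and identical editors gain
# nothing from being separate for delegation, so list them as merge candidates.
$inventory | Where-Object { $_.LinkCount -gt 0 } |
    Group-Object LinkedTo, Editors |
    Where-Object { $_.Count -gt 1 } |
    ForEach-Object {
        [pscustomobject]@{
            LinkedTo = $_.Group[0].LinkedTo
            Editors  = $_.Group[0].Editors
            GPOs     = ($_.Group.Name | Sort-Object) -join ', '
        }
    } | Format-List
```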
 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Cariglia, Daniel
Sent: Wednesday, May 24, 2006 8:07 AM
To: [email protected]
Subject: [ActiveDir] Best practice GPO's

Hello,

 

What is the best practice for applying policy in AD?  Currently we create a GPO for every separate “policy” we want to apply (WSUS, DNS search order, LCS and so on…) and we place all these policies in a created OU called “GPO’s” and link that to different OUs as needed.  My question is: are we better off staying with this method, or should we limit the number of GPOs and combine policies into one GPO?  For example, should we take the policy settings from WSUS, DNS and LCS and put them into one (1) GPO instead of the three (3) separate policies that are currently being applied?

 

It seems easier to manage them when they are separated by function. I am curious if I am missing something that will cause issues down the road, as the number of policies will most likely increase significantly in the future as we try to rein in the desktops and the users.  Thank you in advance for all responses.

 

Dan

 

 
