+1 on the "one GPO, one function" rule. I apply it to security groups as well. Nothing worse than deleting something and finding it does something other than "what it says on the tin" - as I found when I removed a distribution group only to realise it had been used to provide permissions (!) on an intranet site.
Good descriptions will go a long way too. I try and show from the name/description what a GPO does, what scope of users/computers it applies to, and whether there is any item-level targeting. Makes it a hell of a lot easier for someone to follow your work when you finally leave.

2009/8/7 Ken Schaefer <[email protected]>

> I’ve worked in organisations with tens of thousands of users (currently on a project to migrate around 100,000 users to a consolidated AD), and they consequently have many, many GPOs. A good naming convention is pretty much all I’ve seen that is needed. Splitting GPOs up so that they only do one particular thing (e.g. software distribution, or admin settings) is a good start. You may wish to separate computer and user settings as well.
>
> Then you can have (for example)
>
> Software-Computer-ApplicationName.VersionNumber
>
> For all your software GPOs that apply by computer. All of the software related GPOs are grouped together, and then by computer or user, and then they are sorted by application name and version. Relatively easy to find.
>
> Now, you might have a lot of apps distributed this way, so you’ll want some GPOs that distribute common groups of apps, and you can create those GPOs as well.
>
> For your WSUS building thing:
>
> Admin Settings-Computer-WSUS-SiteCode1-L1
> Admin Settings-Computer-WSUS-SiteCode1-L2
> Admin Settings-Computer-WSUS-SiteCode1-L3
> Admin Settings-Computer-WSUS-SiteCode2-L1
>
> Would sort those in a manner that would be relatively easy to locate things in.
>
> Cheers
> Ken
>
> *From:* tony patton [mailto:[email protected]]
> *Sent:* Thursday, 6 August 2009 6:40 PM
> *To:* NT System Admin Issues
> *Subject:* RE: GPO for a single user
>
> That's what we do, but different conventions over the years as things increase just gets messy.
>
> We have policies for different departments/sites, production/test, software installs/reg changes, wsus, desktops/servers, etc.
> The majority of settings are in the default policy, but there are a lot that are not.
>
> For WSUS, I wanted to split up the buildings on each site by IP range to distribute the installation to different departments.
> An example of this is 1 department requires IE7 for a webapp, but another department's webapp is only supported by the vendor on IE6.
> There is very little cross-contamination of departments within the same section of the buildings.
>
> I started with the most recent office opened, 3 floors, 6 IP ranges, so I ended up with 6 GPO's and 6 WMI filters just for the target group in WSUS.
> Did 1 more site with 4 scopes and never got round to doing the rest of them.
> The ranges are from 2 to 11 different IP ranges across 8 sites.
>
> A lot of moving about to check different settings, just would be nice to have OU's for gpo's and wmi's, just for visibility, easier to see all the related policies without everything else.
> Thought something like this would have made it into WS08, but unfortunately not, not that we'll be upgrading anytime soon, there was a project in motion to do this but it's been side-lined for one reason or another, think it came down to having to purchase new cals for 2800 desktops, not 100% sure.
>
> Regards
>
> Tony Patton
> Desktop Operations Cavan
> Ext 8078
> Direct Dial 049 435 2878
> email: [email protected]
>
> *Ken Schaefer <[email protected]>*
> 06/08/2009 10:16
>
> Please respond to "NT System Admin Issues" <[email protected]>
> To: "NT System Admin Issues" <[email protected]>
> cc:
> Subject: RE: GPO for a single user
>
> Most people use a naming convention to have the list sorted, and this tends to “group” the GPOs.
>
> What sorts of things are you imagining for grouping?
>
> Cheers
> Ken
>
> *From:* tony patton [mailto:[email protected]]
> *Sent:* Thursday, 6 August 2009 4:02 PM
> *To:* NT System Admin Issues
> *Subject:* Re: GPO for a single user
>
> I'd just be happy with a way to organise GPOs and WMI Filters, instead of a big flat messy list of both.
>
> It would be nice to have them grouped in some logical fashion.
>
> Regards
>
> Tony Patton
> Desktop Operations Cavan
> Ext 8078
> Direct Dial 049 435 2878
> email: [email protected]
>
> *Ben Scott <[email protected]>*
> 05/08/2009 18:14
>
> Please respond to "NT System Admin Issues" <[email protected]>
> To: "NT System Admin Issues" <[email protected]>
> cc:
> Subject: Re: GPO for a single user
>
> On Wed, Aug 5, 2009 at 1:02 AM, Ken Schaefer <[email protected]> wrote:
> > Sorry, but I'm failing to see why this particular feature request
> > is one that should go in, but inevitable requests for additional
> > extensions to the functionality should not :-)
>
> Because I said so, of course. ;-)
>
> To me, it's a combination of the zero-one-infinity rule, and a more fuzzy concept that I'm finding hard to articulate, but has something to do with the fact that it makes sense to be able to apply things individually or in groups. We already have a mechanism for groups, but nothing for individuals (except a degenerate case of groups). I guess I'm thinking along the lines of HKCU vs HKLM registry settings, or /etc/profile vs $HOME/.profile for the Unix shell, etc. Like I said, I'm having trouble articulating this, but I'm pretty sure there's a difference. (I have a reason. Just give me a minute to think of one. ;-) )
>
> Come to think of it, it probably would have made more conceptual sense for the design to have GPO application be driven by groups to begin with, with OUs being irrelevant for GPOs. We end up applying GPOs based on group membership a lot anyway, so why not just make that how it works? (I realize that may have been a performance issue, or a code maintenance issue due to all the crufty old NTLM code that's still around. I also realize this is 20/20 hindsight.)
>
> -- Ben

--
"On two occasions...I have been asked, 'Pray, Mr Babbage, if you put into the machine wrong figures, will the right answers come out?' I am not able rightly to apprehend the kind of confusion of ideas that could provoke such a question."
http://raythestray.blogspot.com
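The naming convention Ken describes (Category-Scope-Name, one function per GPO, user and computer halves kept separate) only helps if it is actually followed, so here is an added audit script that is not from anyone in this thread. It uses the GroupPolicy PowerShell module (RSAT or a domain controller) to list every GPO and flag those whose name does not fit the convention, that carry no description, or whose enabled settings contradict the scope in their name; the category/scope lists and the regex are assumptions built from the examples quoted above, and the WMI filter column is there to make item-level targeting visible from the list.

```powershell
# Added example, not code from the thread. Audits domain GPOs against a
# "Category-Scope-Name" convention. Assumes the GroupPolicy module is
# available and the caller can read GPOs; the categories, scopes and the
# regex built from them are assumptions taken from the thread's examples
# (Software-Computer-..., Admin Settings-Computer-...).

Import-Module GroupPolicy

$categories = 'Software', 'Admin Settings'   # extend for your own convention
$scopes     = 'Computer', 'User'
$pattern    = '^(' + (($categories | ForEach-Object { [regex]::Escape($_) }) -join '|') +
              ')-(' + ($scopes -join '|') + ')-\S.*$'

function Test-GpoNamingConvention {
    param([Parameter(Mandatory)][string]$DisplayName)
    return $DisplayName -match $pattern
}

$report = foreach ($gpo in Get-GPO -All) {
    $issues = New-Object 'System.Collections.Generic.List[string]'

    if (-not (Test-GpoNamingConvention -DisplayName $gpo.DisplayName)) {
        $issues.Add('name does not match Category-Scope-Name')
    }
    if ([string]::IsNullOrWhiteSpace($gpo.Description)) {
        $issues.Add('no description')
    }

    # "One GPO, one function": a GPO named for one scope should have the
    # other half disabled. GpoStatus is one of AllSettingsEnabled,
    # UserSettingsDisabled, ComputerSettingsDisabled, AllSettingsDisabled.
    if ($gpo.DisplayName -match '^[^-]+-Computer-' -and
        $gpo.GpoStatus -ne 'UserSettingsDisabled') {
        $issues.Add('Computer GPO still has user settings enabled')
    }
    if ($gpo.DisplayName -match '^[^-]+-User-' -and
        $gpo.GpoStatus -ne 'ComputerSettingsDisabled') {
        $issues.Add('User GPO still has computer settings enabled')
    }

    # Show the linked WMI filter (if any) so per-IP-range targeting such as
    # the WSUS GPOs discussed above is visible without opening each GPO.
    $wmi = if ($gpo.WmiFilter) { $gpo.WmiFilter.Name } else { '' }

    [pscustomobject]@{
        Name      = $gpo.DisplayName
        Status    = $gpo.GpoStatus
        WmiFilter = $wmi
        Issues    = $issues -join '; '
    }
}

# Sorted output groups GPOs by category and scope just as the convention intends;
# rows with a non-empty Issues column are the ones to clean up.
$report | Sort-Object Name | Format-Table -AutoSize
```

Run it from a machine with the GroupPolicy module before and after a clean-up pass; filtering the output with `Where-Object { $_.Issues }` gives just the GPOs that need renaming, a description, or a scope half disabled.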
