Network security is jeopardized when Active Directory (AD) users overstep their boundaries and make unauthorized changes to their computers. With Group Policy, you can regulate users' work environments using the extensive collection of settings it features. For example, IT admins can restrict users from accessing Windows Control Panel applets, changing wallpapers, or deleting browser history by configuring the respective settings from a centralized location. This way, Group Policy provides granular control over what users can (and cannot) do on your network.
The organizational unit (OU) structure determines how Group Policy objects (GPOs) are applied in your directory. Segregate users and computers into separate OUs to simplify the application of user and computer policies. Always keep GPO linkage and troubleshooting in mind when creating new OUs.
Any settings configured in the Default Domain Policy will apply across the entire domain. So, configure only domain-wide policies like a password policy, account lockout policy, Kerberos policy, and account settings in this GPO. Similarly, use the Default Domain Controller Policy to assign user rights and configure audit policies for domain controllers. For all other policies and settings, create separate GPOs as required.
Newly created GPOs set at the domain level affect all users and computers in the domain. This can cause the settings intended for a specific set of users to be applied indiscriminately to all users. Therefore, apply all GPOs (except the Default Domain Policy) at the OU level for more granular control.
When linking GPOs to OUs, link them at the parent OU level so that GPO inheritance carries them down to the child OUs. This eliminates the need to link the same settings to each child OU separately. You can also isolate users and computers from inheriting a policy by moving them to a separate OU and blocking inheritance on that OU.
The GPO name should describe its purpose and who it applies to. Use naming conventions to distinguish between the GPOs applied to users and computers. For example, adding "U" at the beginning for user policies and "C" for computer policies will avoid confusion when making changes to the respective GPOs.
When user and computer policies are kept in separate GPOs, disabling the unused configuration half of each GPO speeds up Group Policy processing on clients. For example, if a GPO has only computer settings configured, you can disable its user configuration so that it is skipped during logon.
When a GPO is linked to multiple OUs, disabling the GPO itself (as opposed to a single link) switches it off in every OU it is linked to. Instead, delete the GPO's link in the OU concerned so that its settings are no longer applied there while the other OUs are unaffected.
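As an added example (not the page's or ManageEngine's own code), the following PowerShell script checks every GPO in the domain against the tips above on domain-level linking, naming, unused configurations and multi-linked GPOs. It assumes the RSAT GroupPolicy module is installed on a domain-joined admin host and a hypothetical "U-"/"C-" name prefix convention.

```powershell
# Added example, not the page's or ManageEngine's code. Needs the RSAT GroupPolicy
# module on a domain-joined admin host; the "U-"/"C-" prefix rule is an assumption.
Import-Module GroupPolicy

function Get-GpoHygieneFinding {
    foreach ($gpo in Get-GPO -All) {
        # One XML report per GPO: ExtensionData shows which side really holds
        # settings, LinksTo lists every site/domain/OU the GPO is linked to.
        [xml]$report = Get-GPOReport -Guid $gpo.Id -ReportType Xml
        $hasUser     = $null -ne $report.GPO.User.ExtensionData
        $hasComputer = $null -ne $report.GPO.Computer.ExtensionData
        $links       = @($report.GPO.LinksTo | Where-Object { $null -ne $_ })
        $status      = $gpo.GpoStatus.ToString()
        $findings    = @()

        # Naming: the name should say whether the GPO targets users or computers.
        if ($gpo.DisplayName -notmatch '^[UC]-') {
            $findings += 'Name lacks the U-/C- prefix'
        }
        # Unused half left enabled: clients still evaluate it at boot/logon.
        if (-not $hasUser -and $status -in 'AllSettingsEnabled', 'ComputerSettingsDisabled') {
            $findings += 'No user settings, but user configuration is still enabled'
        }
        if (-not $hasComputer -and $status -in 'AllSettingsEnabled', 'UserSettingsDisabled') {
            $findings += 'No computer settings, but computer configuration is still enabled'
        }
        # Multi-linked GPO: disabling the GPO itself would switch it off everywhere.
        if ($links.Count -gt 1) {
            $findings += "Linked in $($links.Count) places; unlink per OU instead of disabling"
        }
        # Domain-root link (SOMPath equals the domain FQDN): only the Default Domain Policy belongs there.
        $rootLinks = $links | Where-Object { $_.SOMPath -eq $gpo.DomainName }
        if ($rootLinks -and $gpo.DisplayName -ne 'Default Domain Policy') {
            $findings += 'Linked at the domain root; link at the OU level instead'
        }

        if ($findings.Count -gt 0) {
            [pscustomobject]@{
                Name     = $gpo.DisplayName
                Id       = $gpo.Id
                Status   = $status
                Links    = ($links | ForEach-Object { $_.SOMPath }) -join '; '
                Findings = $findings -join '; '
            }
        }
    }
}

Get-GpoHygieneFinding | Format-Table -AutoSize -Wrap
```

Pipe the function's output to Export-Csv instead of Format-Table to keep a dated baseline that later runs can be compared against.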
Linking GPOs higher in your AD hierarchy and using security or WMI filters to target those GPOs can slow down the processing time. So, utilize GPO filtering only when necessary and link GPOs as close to the intended target as possible to reduce complexity.
Although large GPOs that contain many configured settings are processed faster during logon, they make troubleshooting extremely difficult. So, during creation, don't cram too many settings into a GPO. Instead, strike the right balance and divide the settings between a good number of GPOs to simplify their deployment and management.
Over time, your Group Policy management can get out of hand when several admins start to modify GPOs. So, keep track of all GPO changes to ensure that any change made by users is in line with your organization's security and compliance obligations.
Using native tools to keep tabs on GPO creation, deletion, and modification can be a tedious and time-consuming process for administrators. ADAudit Plus—a UBA-driven AD auditing solution from ManageEngine—provides real-time reports on changes made to your GPOs along with GPO history, which includes the old and new values of the modified attributes.
Download a free, 30-day trial.