12 Tactics for your battle with Microsoft's Group Policies
Here are a dozen tactics to help you configure, create and plan your Group Policies. What never ceases to amaze me is how long it takes to finalize your Group Policy settings. Therefore, even if only 2 or 3 ideas are suitable for your particular Active Directory implementation, I still feel it is worth your time checking my tips list.
As an MCT trainer, I can thoroughly recommend TrainSignal because they provide practical hands-on training. In particular, I like the way TrainSignal cover all learning methods: instructor-led, video and of course text material. You can either take one module, for example Group Policy, or go for a combination of modules.
0) Get the GPMC (Group Policy Management Console)
This tip is so simple that I almost forgot it: make sure that you get the GPMC from Microsoft's site. This interface transforms configuring and troubleshooting Group Policy settings in Windows Server 2003.
1) The most important tactic is stunningly simple. Create your policies before you roll out your (XP) clients. So many companies introduce wonderful group policies months after the new desktop roll-out. Instead of amazing their users with the excellence of their policies, all they get is resentment because people are suddenly denied features they like and have become accustomed to.
'Barking' Eddie convinced one group of users that their company had bought a special edition of XP, and that's why there were so few settings. You and I know that it was just Group Policies applied cunningly to a regular edition of XP.
2) Create a test OU. Create a trial Organizational Unit for your Group Policy experiments. Naturally, create test users and a test computer and make sure they are in the OU where you trial your policies. The number one trap with Group Policies is creating the GPO in one OU and expecting the settings to be effective for users in a different OU. Just when you finish laughing about that absurdity, you fall into the same trap, but this time with computer policies. Last week I had a new twist, a network manager who was applying Group Policies to a group that was based in a different OU from their users.
3) Favour one policy with lots of settings. Avoid zillions of policies each with one setting. In my opinion a user should be the subject of no more than a dozen group policies, otherwise troubleshooting becomes complex. Others disagree, and say that Group Policies work fine although their users are in about 50 Group Policies. Technically, it does not make any difference to logon time. What slows down logon is the number of individual settings, not the number of policies. I say again, it's tracing unexpected effects that becomes a nightmare. GPMC is great, but if you have to wade through 50 combinations it is difficult to keep them all on screen.
4) Be on the lookout for positive Group Policies. For example, a simple 'Enable Logoff' to tidy up the computer. The pre-configured proxy settings will save you a great deal of configuration work. For a touch of class, experiment with 'Pre-Populate printer locations'. My tip is to keep your eye out for policies which will improve your users' experience and save them time.
5) Find the Group Policy Backup Menu. From time to time, back up your Group Policies. Not only will a backup protect your precious policies, it will also enable you to import and export to and from your test domain. When you back up, remember to start at the Group Policy Object container, which is right at the bottom of the GPMC.
Trap: What you see at the top and in the OUs are Group Policy shortcuts; unlike the real policies in the Group Policy Object containers, these do not have Backup available on the properties menu.
6) Use 'Enforce' and 'Block Inheritance' sparingly. Both 'Enforce' and 'Block Inheritance' are excellent tools for troubleshooting, but if you over-use them in a production domain they cause more problems than they solve. Enforce was called 'No Override' in previous versions of Windows.
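To check for the trap in tip 2, the policy count in tip 3 and the flags in tip 6 from the command line, the following added example (not part of the original article) lists the GPO links that reach a test user's and a test computer's own containers. It assumes a management host with the ActiveDirectory and GroupPolicy PowerShell modules, which are newer than the Server 2003 GPMC described here; `testuser1` and `TESTPC01` are hypothetical object names.

```powershell
#Requires -Modules ActiveDirectory, GroupPolicy
# Added example. 'testuser1' and 'TESTPC01' are hypothetical test-OU objects.
param(
    [string]$UserName     = 'testuser1',
    [string]$ComputerName = 'TESTPC01'
)

function Get-ParentContainer {
    # Strip leading CN= components until an OU or the domain root is reached,
    # because GPOs are linked to sites, domains and OUs, not to CN= containers.
    param([string]$DistinguishedName)
    $dn = $DistinguishedName
    while ($dn -match '^CN=') {
        $dn = $dn -replace '^CN=.+?(?<!\\),', ''
    }
    $dn
}

function Get-LinkedGpo {
    # One row per GPO link that reaches the object's container, in precedence order.
    param([string]$Kind, [string]$DistinguishedName)
    $container = Get-ParentContainer $DistinguishedName
    $som = Get-GPInheritance -Target $container
    foreach ($link in $som.InheritedGpoLinks) {
        [pscustomobject]@{
            Object    = $Kind
            Container = $container
            Blocked   = $som.GpoInheritanceBlocked   # 'Block Inheritance' on this container
            Order     = $link.Order
            Gpo       = $link.DisplayName
            Enabled   = $link.Enabled
            Enforced  = $link.Enforced               # 'Enforce' (formerly 'No Override')
        }
    }
}

$user     = Get-ADUser -Identity $UserName
$computer = Get-ADComputer -Identity $ComputerName

# User settings follow the user's container; computer settings follow the computer's.
$links  = @(Get-LinkedGpo 'User'     $user.DistinguishedName)
$links += @(Get-LinkedGpo 'Computer' $computer.DistinguishedName)
$links | Format-Table -AutoSize

# Tip 3: warn when an object sits under more than a dozen policies.
$links | Group-Object Object | Where-Object Count -gt 12 |
    ForEach-Object { Write-Warning "$($_.Name) is subject to $($_.Count) GPO links" }
```

The output shows links only; it does not evaluate security filtering, so a GPO listed here can still be denied to a particular user or group.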
7) Deny Group Policies to Administrators. You will probably ignore this tip - until you lock out your Administrator account. Make it your reflex to amend the Security tab so that Administrators are set to: Deny - Apply Policy. The risk is that you will 'shoot yourself in the foot' with a really vicious policy, for example, deny the right to logon locally. Just in case of a problem, create a full administrator in a special OU where you block inheritance and never apply any policies at that location.
For the cautious, or truly paranoid, always keep a second domain controller running with the administrator logged on. The benefit is that if you do lock yourself out on the first DC, you can reverse the policy on the second domain controller. If all else fails, research your 'get out of jail card' - DCGPOFIX.
8) Make a batch file or script to run Gpupdate. I guarantee you will be clicking it a great deal in testing. Incidentally, Gpupdate replaces the secedit command of Windows 2000. Probably the most useful switch is Gpupdate /force. Below is a Gpupdate VBScript which you can copy, paste into Notepad and save onto the desktop with a .vbs extension.
' Gpupdate.vbs
' VBScript to run Gpupdate
' Author Guy Thomas
' http://computerperformance.co.uk/
' Version 1.3 - March 20th 2005
' ------------------------------------
Option Explicit
Dim objShell, intShortSleep, intLongSleep
Dim strService
Set objShell = CreateObject("WScript.Shell")
' The rest of the original script is not on this page. The line below is a
' minimal completion: run Gpupdate with the /force switch and wait for it.
objShell.Run "gpupdate /force", 1, True
9) Document your Group Policy settings. If you are serious about Group Policies then document the settings. An Excel spreadsheet would be an ideal vehicle to hold all the information. In fact, a spreadsheet containing all the built-in Group Policies is the killer feature of my ebook.
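Tips 5 and 9 can be combined in one scheduled job. The following added example (not part of the original article) backs up every GPO, writes a settings report for each one, and exports an inventory CSV that opens in Excel. It assumes a management host with the GroupPolicy PowerShell module; `C:\GPOBackups` is a hypothetical destination folder.

```powershell
#Requires -Modules GroupPolicy
# Added example. C:\GPOBackups is a hypothetical folder; pick one with restricted ACLs,
# because GPO backups and reports reveal the domain's security configuration.
param(
    [string]$BackupRoot = 'C:\GPOBackups'
)

# One dated folder per run, so older backups are never overwritten.
$stamp  = Get-Date -Format 'yyyyMMdd-HHmmss'
$target = Join-Path $BackupRoot $stamp
New-Item -ItemType Directory -Path $target -Force | Out-Null

$inventory = foreach ($gpo in Get-GPO -All) {
    # Back up the real GPO (the object in the Group Policy Objects container),
    # not a link to it.
    $backup = Backup-GPO -Guid $gpo.Id -Path $target -Comment "Backup run $stamp"

    # Write an HTML settings report next to the backup; replace characters
    # that are not valid in Windows file names.
    $safeName   = $gpo.DisplayName -replace '[\\/:*?"<>|]', '_'
    $reportPath = Join-Path $target "$safeName.html"
    Get-GPOReport -Guid $gpo.Id -ReportType Html -Path $reportPath

    [pscustomobject]@{
        Name     = $gpo.DisplayName
        GpoId    = $gpo.Id
        Status   = $gpo.GpoStatus
        Modified = $gpo.ModificationTime
        BackupId = $backup.Id
        Report   = $reportPath
    }
}

# The CSV is the spreadsheet from tip 9: one row per GPO, with the backup ID
# needed to restore or import it later.
$inventory | Export-Csv -Path (Join-Path $target 'gpo-inventory.csv') -NoTypeInformation
$inventory | Format-Table Name, Status, Modified -AutoSize
```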
10) Favour the user settings rather than the computer policy settings. Where there is a 50:50 decision to apply a policy setting to a computer or a user, then favour the user configuration. The other benefit is that you tend to keep all the policies in one area and so make troubleshooting easier.
11) Assign Software rather than Publish. No-one is going to find your lovely programs by going to Add or Remove Programs. The other benefit is that assigning software uses elevated rights for the installation.
12) Assemble your team. Of all the computer configuration tasks, Group Policies provide the most fun. To have the most fun, and to
get the most out of group policies, assemble an official or even unofficial team. 'Playing' with Group Policies works best when you have different personalities, 'Mr Nasty' locking down the desktop, 'Mr
Nice' assigning software. The character who is most difficult to find is 'Mr Vision', someone who can picture what the final desktop should be like.