Best practices in working with Group Policy Objects for Windows Vista

If a setting in a GPO is set to Not Configured in a policy higher up, the existing setting remains. However, if there are conflicts in configuration, the last GPO to be applied prevails. For example, if a conflict exists in a Site GPO and in an OU GPO, the settings configured in the OU GPO will "win."

If multiple GPOs are applied to a specific AD Object, such as a site or OU, they are applied in reverse of the order they are listed. The last GPO is applied first, and therefore if conflicts exist, settings in higher GPOs override those in lower ones. For example, if a Contacts OU has the following three Group Policies applied to it, and they appear in this order (as shown in Figure 22.7) the policies will be applied from the bottom up:

The Contacts Temporary Policy will be applied first. The Contacts Software Policy will apply next, and finally the Contacts Default Group Policy will be applied. Any settings in the Contacts Default Group Policy will override the settings configured in the two policies below, and the settings in the Contacts Software Policy will override any settings in the Contacts Temporary Policy.

Figure 22.7

Where to Link GPOs

Administrators will quickly find that it can be very confusing to determine what GPOs are applied to a given user or computer and which aren't. One way to reduce this confusion is to try to eliminate questions of security filtering and policy inheritance overwrite whenever possible. This is to say that in many cases, it's best to push the application of a GPO as far down the hierarchy as is possible. This may result in the same GPO being linked to multiple locations.

Utilizing WMI Filtering

Linking WMI Filters enables you to apply group policies and establish their scopes based on attributes of target computers. You can do this by using the WMI filters to query the WMI settings of the target computers for true/false and apply group policies based on the true/false WMI queries. A "false" on the target computer results in the GPO not being applied. Conversely, a "true" results in the application of the GPO.

Because WMI filters are separate from GPOs, they must be linked to GPOs in the GPO Scope tab to function properly. Only one WMI filter can be applied to each GPO. Additionally, WMI filters will work only on Windows XP and later workstations, not Windows 2000 or before, or non-Microsoft operating systems.

Rolling Back Bad Ideas

Most administrators will experience a bad idea GPO at least once in their career. Sometimes settings that seem innocuous will cause problems, or perhaps an administrator will try to save time and link a GPO that hasn't been fully tested. In these cases it's necessary to quickly revert to an older version of a GPO. Unfortunately, there isn't a native method for rolling back a GPO; however, a few simple administrative tasks can allow for a quick restore to a known good GPO.

The key to being able to quickly revert from a bad GPO is to ensure that GPOs are always backed up and that they are always given a descriptive name.

Let's take as an example a GPO that we'll call Disable BITS Peercaching. It has a simple setting that disables BITS Peercaching. We've followed our first rule and given the GPO a descriptive name. We'll back up this GPO with the following steps:

1. From within GPMC, right-click the GPO and select Back Up.
   
2. Click Browse and choose the location where you will store your GPOs.
   
3. Enter a description that explains the last set of changes and the date that it was saved; click Back Up.
   
4. When the backup is completed, click OK.

1. Select the GPO you want to revert, right-click, and choose Restore from Backup.
   

   NOTE You can use the View Settings button when highlighting a backed up GPO to review the settings of that GPO in an XML format. This can be helpful if you just want to see what the old version of the GPO was and not actually restore it.

2. The Restore Group Policy Object Wizard will launch. Click Next.
   
3. Click Browse and navigate to the location where the GPOs are saved. Click Next.
   
4. In this screen, you will see all GPOs that have been backed up with a description and a time stamp. Select the version of the GPO you want to restore and click Next.
   
5. Review the summary information and click Finish.
   
6. When the GPO has successfully restored, click OK.

Summary

As we've seen, Vista has brought with it many changes to the available GPO settings as well as to the way in which they are stored and managed. We've seen the necessity of carefully managing and maintaining GPOs and have discussed ways to troubleshoot GPOs should any problems occur.

Always remember to carefully delegate who can create GPOs and who can link them. This will make it much less likely that you ever deploy a GPO that can cause problems for your users. Always try to do a peer review of a GPO before it's linked, and always first link it to a test OU to make sure it has no unintended effects.

Keep these things in mind, and GPOs will help you more easily maintain your Vista community.

GROUP POLICY BASICS FOR WINDOWS VISTA

 Home: Introduction
 Tip 1: A basic primer on Microsoft Group Policy
 Tip 2: How to configure GPOs
 Tip 3: What's new in Vista Group Policy?
 Tip 4: How to manage GPOs
 Tip 5: Troubleshooting GPOs for Vista
 Tip 6: Group Policy best practices
ADVANCED GROUP POLICY FOR WINDOWS VISTA
 Home: Introduction
 Tip 1: Which GPOs are available
 Tip 2: Further understanding GPOs in Vista
 Tip 3: Examples of useful GPOs in Vista
 Tip 4: Moving policies between domains
 Tip 5: Recommended practices with Vista Group Policy