We know that managing the desktop environment is made very flexible by the use of group policy. But I fear that poor design and management of Policies could lead to an administrative burden that outweighs the benefits of the 'keep it simple' approach.
Regarding control of desktop features and user permissions using group policy objects, do you have a set of top three (or more) dos and don'ts for design implementation and management of group policy?
This question posed on 15 May 2002
I'm curious as to what you mean by group policy's poor design. I've encountered few design flaws in group policy itself.
My top three tips are these: (1) work from a plan, instead of sitting down in front of Active Directory and hunting down policies, (2) limit what you manage at the top of the directory to important corporate-wide policies (think password policy, security policy) and delegate down less important policies, (3) prioritize policies; then, implement the high priorities and let the rest go.
There's plenty of documentation for technology best practices, such as optimizing policies. You'll find most of those on Microsoft's Web site. One thing I like to do to make managing policies easier is to create focused GPOs -- such as a GPO that contains all of the settings necessary to implement offline files and folders, so that I can identify them easier, and I'm not duplicating policies across multiple GPOs (makes updating settings easier in the future). In other words, throughout an entire organization, I might have one Redirected Folders, one Locked Screen Saver, or one Office XP security GPO that I can link to different OUs.
Editor's Note: You can sign up to have free Active Directory administration tips delivered to your inbox every Tuesday morning.