
8. Tips on group policy management

The no. 8 Ask the Expert question of the year, based on page views.

We know that managing the desktop environment is made very flexible by the use of group policy. But I fear that poor design and management of Policies could lead to an administrative burden that outweighs the benefits of the 'keep it simple' approach.

Regarding control of desktop features and user permissions using group policy objects, do you have a set of top three (or more) dos and don'ts for design implementation and management of group policy?

This question posed on 15 May 2002

I'm curious as to what you mean by group policy's poor design. I've encountered few design flaws in group policy itself. Group policy definitely beats the keep-it-simple approach to management, since the keep-it-simple approach really means unmanaged. Consider the cost savings of standardized configurations and restricted users versus the administrative burden, which essentially translates to "it's too hard." If it's too hard, then you're doing it the wrong way.

My top three tips are these: (1) work from a plan, instead of sitting down in front of Active Directory and hunting down policies, (2) limit what you manage at the top of the directory to important corporate-wide policies (think password policy, security policy) and delegate down less important policies, (3) prioritize policies; then, implement the high priorities and let the rest go.

There's plenty of documentation for technology best practices, such as optimizing policies. You'll find most of those on Microsoft's Web site. One thing I like to do to make managing policies easier is to create focused GPOs -- such as a GPO that contains all of the settings necessary to implement offline files and folders, so that I can identify them more easily, and I'm not duplicating policies across multiple GPOs (makes updating settings easier in the future). In other words, throughout an entire organization, I might have one Redirected Folders, one Locked Screen Saver, or one Office XP security GPO that I can link to different OUs.

Click here to read more of Jerry Honeycutt's answers to desktop administration questions or ask him a question.
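The focused-GPO approach from the answer above, as an added example that is not part of the original answer: one "Locked Screen Saver" GPO holds every setting for that purpose and is linked to several OUs instead of being copied. It assumes the GroupPolicy PowerShell module (installed with GPMC/RSAT), which the answer does not mention; the OU paths and the timeout value are constructed for illustration.

```powershell
# Added example: one focused GPO, linked to several OUs (not the author's own code).
# Assumes the GroupPolicy module (GPMC/RSAT) and rights to create and link GPOs.
Import-Module GroupPolicy

$GpoName = 'Locked Screen Saver'   # one GPO per purpose, named for what it does
$Key     = 'HKCU\Software\Policies\Microsoft\Windows\Control Panel\Desktop'

# Constructed OU paths; replace with OUs that contain the user accounts to manage.
$TargetOUs = @(
    'OU=Finance,DC=example,DC=com',
    'OU=Sales,DC=example,DC=com'
)

# Every setting for this purpose lives in this one table, so a later change
# (for example a shorter timeout) is made once and reaches every linked OU.
$Settings = @{
    ScreenSaveActive    = '1'     # screen saver enabled
    ScreenSaverIsSecure = '1'     # password required on resume
    ScreenSaveTimeOut   = '900'   # idle seconds before it starts (constructed value)
}

# Create the GPO only if it does not exist yet, so the script is safe to re-run.
$gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $GpoName -Comment 'Focused GPO: screen saver lock settings only'
}

foreach ($valueName in $Settings.Keys) {
    Set-GPRegistryValue -Name $GpoName -Key $Key -ValueName $valueName `
        -Type String -Value $Settings[$valueName] | Out-Null
}

# Link the same GPO to each OU rather than duplicating its settings elsewhere.
foreach ($ou in $TargetOUs) {
    $existing = (Get-GPInheritance -Target $ou).GpoLinks |
        Where-Object { $_.DisplayName -eq $GpoName }
    if (-not $existing) {
        New-GPLink -Name $GpoName -Target $ou -LinkEnabled Yes | Out-Null
    }
}

# Review: list every GPO linked at each target OU, in processing order.
foreach ($ou in $TargetOUs) {
    (Get-GPInheritance -Target $ou).GpoLinks |
        Select-Object @{ n = 'OU'; e = { $ou } }, Order, DisplayName, Enabled, Enforced
}
```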
