Forum Discussion
Group Policy Linking
Just my thoughts
Starting with
3) Or is it better to just not link too many GPOs to the Root of the domain and just link them to the OUs (as I have done for my Exchange Servers).
I think it is best to have only the default domain policy on the root and nothing else. So the exchange example you use is the best solution for me.
2) Can I just leave all the GPOs enabled and then, using security filtering, only allow the GPO to be applied to servers in a certain security group? Or user group?
When a GPO isn't enabled I make a backup and delete it. This keeps my view clean and makes it easier to troubleshoot, and yes, I think that using security groups is better than disabling the GPO.
Hope this gives you an idea
With Regards
Gregor
Thanks Gregor. I don't work with GPOs on a daily basis so I tend to forget. But as long as I have the basics down, I think I will be fine.
The documentation I read says that you can filter out who a GPO applies to by using "Security Filtering" and/or Delegation (the Delegation tab) in GPMC.
Do you often do that? Or do you just control who a GPO applies to by linking the desired GPO to the desired OU? It seems like you do it that way. I am just trying to make sure I understand many of the ins and outs of GPO design.
Thanks,
Robert
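
Added example, not part of the original thread: a read-only PowerShell audit of the two scoping methods discussed above, listing for each GPO whether it is linked at the domain root, whether it is enabled, and which trustees it is security-filtered to. It assumes the RSAT GroupPolicy and ActiveDirectory modules are installed and that the account running it can read every GPO.

```powershell
# Added example: read-only audit, changes nothing in the domain.
Import-Module GroupPolicy, ActiveDirectory

# Well-known GUID of the Default Domain Policy (stable even if the GPO is renamed).
$defaultDomainPolicy = [guid]'31B2F340-016D-11D2-945F-00C04FB984F9'

# Distinguished name of the domain root, e.g. DC=example,DC=com.
$rootDn = (Get-ADDomain).DistinguishedName

# GPOs linked directly at the domain root (inherited links are not included).
$rootLinkIds = @((Get-GPInheritance -Target $rootDn).GpoLinks |
    ForEach-Object { $_.GpoId })

$report = foreach ($gpo in Get-GPO -All) {
    # Security filtering = trustees holding the "Apply group policy" permission.
    $applyTo = Get-GPPermission -Guid $gpo.Id -All |
        Where-Object { $_.Permission -eq 'GpoApply' } |
        ForEach-Object { $_.Trustee.Name }

    [pscustomobject]@{
        Gpo          = $gpo.DisplayName
        Status       = $gpo.GpoStatus            # e.g. AllSettingsDisabled
        LinkedAtRoot = $rootLinkIds -contains $gpo.Id
        IsDefault    = $gpo.Id -eq $defaultDomainPolicy
        AppliesTo    = ($applyTo | Sort-Object) -join '; '
    }
}

# Everything linked at the root other than the Default Domain Policy.
$report | Where-Object { $_.LinkedAtRoot -and -not $_.IsDefault } |
    Format-Table Gpo, Status, AppliesTo -AutoSize

# Fully disabled GPOs: candidates to back up and delete.
$report | Where-Object { $_.Status -eq 'AllSettingsDisabled' } |
    Format-Table Gpo, LinkedAtRoot, AppliesTo -AutoSize
```

A GPO whose AppliesTo column shows only a specific group is scoped by security filtering; one that shows Authenticated Users is scoped only by where it is linked.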