Group Policy Linking

Brass Contributor

Hey Team, 

 

Quick question on group policy links and group policy placement. Better to use an image than trying to type this all out. 

 

This is my domain root here:

 

Domain GPO.PNG

As you can see I have several GPOs configured. For instance, "Configure Offline Files" I have it currently set to "Link disabled". In its current form, if link was set to enabled: 

 

1) Like a standard GPO, since its applied to the domain root, unless otherwise filtered out, it would apply to all computers in the environment ? 

 

2) Can I just leave all the GPOs enabled and then using security filtering, only allow the GPO to be applied to servers in a certain security group ? or user group ?

 

3) Or is it better to just not link to many GPOs to the Root of the domain and just link them to the OUs (as I have done for my Exchange Servers). 

 

I want to improve my understanding of GPO design and am hoping for some good answers. 

 

Robert 

 

2 Replies

Just my thoughts

 

Starting with 

 

3) Or is it better to just not link to many GPOs to the Root of the domain and just link them to the OUs (as I have done for my Exchange Servers).  

I think it is best to have only the default domain policy on the root and nothing else. So the exchange example you use is the best solution for me.

 


2) Can I just leave all the GPOs enabled and then using security filtering, only allow the GPO to be applied to servers in a certain security group ? or user group ?


When a GPO isn't enabled I make a backup and delete it. This keeps my view clean and makes it easier to trouble shoot and yes I think that using security groups is better then disabling teh GPO. 

 

Hope this gives you an idea

 

With Regards

 

Gregor

 

Thanks Gregor. I don't work with GPOs on a daily basis so I tend to forget. But as long as I have the basics, down I think I will be fine. 

 

The documentation I read says that you can filter out who a GPO applies to by using "Security Filtering" and/or Delegation (The delegation Tab) in GPMC. 

 

Do you often do that? Or do you just control who a GPO applies to by linking the desired GPO to the desired OU? It seems like you do it that way. I am just trying to make sure I understand many of the In's and Out's of GPO design. 

 

Thanks, 

Robert