Managing Group Policy Objects (GPOs) is a challenge because most environments have hundreds of policies linked at every level of the Local, Site, Domain, Organizational Unit (LSDOU) processing order, each created to satisfy some business requirement.
Thus, follow these two rules when creating GPOs:
- Make them modular
- Make them descriptive
These two rules work hand-in-hand to reduce your administrative overhead.
Modular GPOs
Configure a few highly related settings in a single GPO. Typically, I see administrators build a “master” policy at the root level (often the Default Domain Policy) and load it with dozens of settings: browser titles, firewall rules, maybe some Control Panel restrictions, and so on. The Default Domain Policy in particular should be left to the account policies (password, lockout and Kerberos settings) that Microsoft intends it for; everything else belongs in its own GPO.
A GPO is not particularly transparent: to learn what it configures you have to open it and click through the settings (or generate a report with gpresult or Get-GPOReport), which is labor intensive. If many policies are linked to an object, you have to do this for each GPO. A complete waste of time.
By creating modular GPOs you are, in essence, creating reusable tools that can be linked at any level of the domain. For example, create a policy that does nothing but set the Internet Explorer title bar to “provided by ABC Corporation”. If you ever need to link that policy elsewhere, you know exactly what it will do, you avoid duplicating the setting in several policies, and you avoid conflicts with other policies that happen to touch the same area. Modularity also keeps delegation tight: edit rights are granted per GPO, so whoever is allowed to change the browser title in a “master” GPO can also change its firewall rules, whereas a single-purpose GPO can be delegated on its own.
Descriptive GPOs
Adhere to a specific, clearly defined naming policy. The naming structure that I have discovered works best is:
[Type Code] [Major Function] – [Description] (Modifiers)
Example: a policy that locks a workstation after 10 minutes, has loopback processing enabled, and is linked to computers reads
C Screensaver – Lock After 10 Minutes (Loopback)
I’ll go over what each section means:
- Type Code – The type of policy, or “what will this policy apply to or modify?”
  - C = A computer configuration
  - U = A user configuration
  - S = Software installation
  - P = Printers
  - D = Drive (mapping)
  - X = Test policy; do not link in production
- Major Function – A one-word function of the policy. In the example, I use “Screensaver” to say that the policy changes the screensaver.
- Description – A brief description of what the policy does to the Major Function. I usually limit the description to 5 words.
- Modifiers – An area for special properties of the policy. I commonly use:
  - Loopback – Loopback processing is enabled.
  - ILT – Item-level targeting is used.
  - Filtered – Security filtering restricts the policy to a specific security group.
  - Remove – The policy removes what is stated in the Description.
  - Default – The item in the Description is set as the default (normally used with printer mapping).
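Both rules above can be checked mechanically once the names follow the convention. The following PowerShell script is an added example, not code from the original post: it audits every GPO in the domain against the `[Type Code] [Major Function] – [Description] (Modifiers)` pattern, verifies that a `(Loopback)` or `(Filtered)` modifier is actually true of the GPO it labels, and flags GPOs that spread settings across many client-side extensions (the “master policy” smell from the Modular section). It assumes the RSAT GroupPolicy module and read access to all GPOs; the regex, the `$MaxExtensions` threshold and the function name `Test-GpoConvention` are my own choices for this example.

```powershell
# Added example, not code from the original post. Audits every GPO in the
# domain against the naming convention above and checks that the (Loopback)
# and (Filtered) modifiers are true of the GPO they label.
# Assumes the RSAT GroupPolicy module and read access to all GPOs.
Import-Module GroupPolicy

# [Type Code] [Major Function] - [Description] (Modifiers): the dash may be
# "-" or the en dash used in the post, the description is 1 to 5 words, and
# an optional comma-separated modifier list sits in parentheses.
$Pattern = '^(?<Type>[CUSPDX]) (?<Function>\S+) [-\u2013] ' +
           '(?<Description>[^\s(]\S*(?: [^\s(]\S*){0,4})' +
           '(?: \((?<Modifiers>[^)]+)\))?$'
$KnownModifiers = 'Loopback', 'ILT', 'Filtered', 'Remove', 'Default'
$MaxExtensions  = 2   # assumption for this example: more than this smells like a "master" GPO

function Test-GpoConvention {
    param([Parameter(Mandatory)][Microsoft.GroupPolicy.Gpo]$Gpo)

    $problems = [System.Collections.Generic.List[string]]::new()
    $m = [regex]::Match($Gpo.DisplayName, $Pattern)
    if (-not $m.Success) {
        $problems.Add('name does not match the convention')
        return [pscustomobject]@{ Name = $Gpo.DisplayName; Id = $Gpo.Id; Problems = $problems }
    }
    $type = $m.Groups['Type'].Value
    $modifiers = @()
    if ($m.Groups['Modifiers'].Success) {
        $modifiers = $m.Groups['Modifiers'].Value -split ',\s*'
        foreach ($mod in $modifiers) {
            if ($mod -notin $KnownModifiers) { $problems.Add("unknown modifier '$mod'") }
        }
    }

    # The XML report lists which client-side extensions (Registry, Security,
    # Drive Maps, ...) carry settings in each half of the GPO. Counting them is
    # a coarse proxy for "how many unrelated things does this GPO do".
    $report = [xml](Get-GPOReport -Guid $Gpo.Id -ReportType Xml)
    $computerExt = @($report.GPO.Computer.ExtensionData.Name | Where-Object { $_ })
    $userExt     = @($report.GPO.User.ExtensionData.Name     | Where-Object { $_ })
    if ($type -eq 'C' -and $computerExt.Count -eq 0 -and $userExt.Count -gt 0) {
        $problems.Add('type code C but only user settings are configured')
    }
    if ($type -eq 'U' -and $userExt.Count -eq 0 -and $computerExt.Count -gt 0) {
        $problems.Add('type code U but only computer settings are configured')
    }
    $total = $computerExt.Count + $userExt.Count
    if ($total -gt $MaxExtensions) {
        $problems.Add("configures $total client-side extensions; consider splitting")
    }

    # Loopback is the UserPolicyMode value (1 = merge, 2 = replace) under
    # HKLM\Software\Policies\Microsoft\Windows\System. Get-GPRegistryValue
    # errors when the value is absent, which we treat as "not configured".
    $loopback = $null
    try {
        $loopback = Get-GPRegistryValue -Guid $Gpo.Id -ErrorAction Stop `
            -Key 'HKLM\Software\Policies\Microsoft\Windows\System' -ValueName 'UserPolicyMode'
    } catch { }
    $hasLoopback = ($null -ne $loopback) -and ($loopback.Value -in 1, 2)
    $saysLoopback = 'Loopback' -in $modifiers
    if ($saysLoopback -ne $hasLoopback) {
        $problems.Add("name says Loopback=$saysLoopback but the GPO has loopback=$hasLoopback")
    }

    # Security filtering: by default "Authenticated Users" holds Apply rights.
    # If that entry has been removed, a narrower principal must have replaced it.
    $applyTo = @(Get-GPPermission -Guid $Gpo.Id -All |
                 Where-Object { $_.Permission -eq 'GpoApply' } |
                 ForEach-Object { $_.Trustee.Name })
    $isFiltered  = 'Authenticated Users' -notin $applyTo
    $saysFiltered = 'Filtered' -in $modifiers
    if ($saysFiltered -ne $isFiltered) {
        $problems.Add("name says Filtered=$saysFiltered but Apply rights are held by: $($applyTo -join ', ')")
    }

    [pscustomobject]@{ Name = $Gpo.DisplayName; Id = $Gpo.Id; Problems = $problems }
}

# Report only the GPOs that have at least one finding.
Get-GPO -All | ForEach-Object { Test-GpoConvention -Gpo $_ } |
    Where-Object { $_.Problems.Count -gt 0 } |
    Format-Table Name, @{ Name = 'Problems'; Expression = { $_.Problems -join '; ' } } -AutoSize -Wrap
```

Run it from a workstation with RSAT as an account that can read every GPO. The extension count is deliberately crude: a single Registry extension can carry hundreds of settings, so treat that finding as a prompt to open the report, not as a verdict. The loopback and security-filtering checks, by contrast, are exact, and a mismatch there means either the name or the GPO is lying.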
A focus on modular policies with descriptive naming is key to managing GPOs in an environment of any size. These two rules translate directly into lower operational expenses (OpEx) in the IT budget.