Hi all,

I've been working with Active Directory for the past 8 years or so and I've never seen this before. Someone in our organization is currently pushing for a GPO per server approach, which doesn't feel right in my mind. I've always defined my GPOs in the past making sure to "group" common parameters at the top of the OU structures and applying exceptions with smaller GPOs using security filtering. Here, it's the complete opposite.

At term, we would have next to 2000 servers in that domain. I'm estimating that we would have at least 3000 GPOs (1/server + any exceptions). Of course we would use new features from 2k8 to reduce the load on replication (DFS-R) and space requirements (central store, removal of .adm) but still... I don't feel like it's a good way to go.

I won't go into the detail of how they will enforce an RBAC model in this (imagine one group per permission per server). They are creating at least 25 different groups for each server at the moment; this number will rise as new permission requirements come.

I've seen the GPO per server approach in small businesses, but for an enterprise-wide solution, I believe that the management of this will become a huge mess in the future. I get a headache just thinking about the management of the GPOs, even if we're planning to use AGPM and/or other tools.

Am I the only one who feels that this is wrong?

Thanks
GPO per server basis