How can I split a huge monolithic GPO?


  • How can I split a huge monolithic GPO?

    Hi,

    I just took over a Server 2003 DC at a new client and I discovered that every GPO setting is all in the Default Domain policy. How would I go about separating the single GPO there into smaller ones, such as:

    Desktop restrictions
    Folder redirections
    Security stuff

    Does anyone have a view on whether it is better to either
    (A) Have all policies in one GPO and use filtering or
    (B) Have policies in reasonably sized smaller ones and apply them to OUs in which we put the users and/or computers?

    I think I want to go for (B) as that is the way I've done it in the past and I think a monolithic one is unwieldy, but I would like your view if you think otherwise.

    Thank you.
    Best wishes,
    PaulH.
    MCP:Server 2003; MCITP:Server 2008; MCTS: SBS2008

  • #2
    Re: How can I split a huge monolithic GPO?

    I guess everything has its place but I think B is easily the winner from your choices.
    A good naming and OU structure with GPOs applied to these.
    Also good to redirect new computers/users to specific OUs and apply policies to these as well.
    Personally I always like to keep the security ones separate but usually this is determined on the site as other aspects may come into play. My 2 cents anyway.
    cheers
    Andy

    Quis custodiet ipsos custodes?


    • #3
      Re: How can I split a huge monolithic GPO?

      Yup, that's what I reckon too. Do you know how I would best go about splitting the monolithic GPO into a few smaller ones?
      Best wishes,
      PaulH.
      MCP:Server 2003; MCITP:Server 2008; MCTS: SBS2008


      • #4
        Re: How can I split a huge monolithic GPO?

        If everything affects everything then it will probably be a long process as you want to separate them onto OUs. I would copy it and then clean out the default domain policy so it is standard. Then spend time deciding which ones you want to keep. The GPMC makes it much easier to see the current settings. Then enable the new ones and disable the main one to test.
        I don't know of a good way to export only certain entries.
        cheers
        Andy

        Quis custodiet ipsos custodes?


        • #5
          Re: How can I split a huge monolithic GPO?

          Yes, I thought that the answer would be "Hard Work"! Your idea of making a copy and starting with that is a good one.

          So I will roll up my sleeves and get started....

          Thanks for your input.
          Best wishes,
          PaulH.
          MCP:Server 2003; MCITP:Server 2008; MCTS: SBS2008


          • #6
            Re: How can I split a huge monolithic GPO?

            At least you will know the structure inside out, which will be a good thing.
            cheers
            Andy

            Quis custodiet ipsos custodes?


            • #7
              Re: How can I split a huge monolithic GPO?

              Make several copies and delete different bits from each...


              Tom
              For my own and your protection, I do not provide support by private message under any circumstances. All such messages will be deleted and ignored.

              Anything you say will be misquoted and used against you


              • #8
                Re: How can I split a huge monolithic GPO?

                Thanks, Tom, think that is the best approach.
                Best wishes,
                PaulH.
                MCP:Server 2003; MCITP:Server 2008; MCTS: SBS2008
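
The copy-then-prune approach suggested in this thread, sketched as an added example that is not part of any post above. It assumes a management machine with the GroupPolicy PowerShell module (RSAT on Windows 7 / Server 2008 R2 or later); the backup path, the new GPO names and the test OU are hypothetical placeholders.

```powershell
# Added example: paths, GPO names and the OU below are hypothetical placeholders.
Import-Module GroupPolicy

$Source    = 'Default Domain Policy'
$BackupDir = 'C:\GPOBackups'   # hypothetical backup location
$Targets   = 'Desktop Restrictions', 'Folder Redirection', 'Security Settings'
$TestOU    = 'OU=GPO-Test,DC=example,DC=local'   # hypothetical test OU

# 1. Back up the monolithic GPO and keep a readable record of its settings,
#    so there is something to restore and to compare against later.
New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
Backup-GPO -Name $Source -Path $BackupDir -Comment 'Before split' | Out-Null
Get-GPOReport -Name $Source -ReportType Html `
    -Path (Join-Path $BackupDir 'before-split.html')

# 2. Make one full copy per intended purpose. A copied GPO is not linked
#    anywhere, so it applies to nothing while it is being pruned.
foreach ($name in $Targets) {
    if (Get-GPO -Name $name -ErrorAction SilentlyContinue) {
        Write-Warning "GPO '$name' already exists, skipping copy."
        continue
    }
    Copy-GPO -SourceName $Source -TargetName $name | Out-Null
}

# 3. Prune each copy by hand in the GPMC editor, then re-run this step to
#    export what is left. Comparing the reports shows whether a setting
#    was dropped from every copy or still lives in more than one.
foreach ($name in $Targets) {
    Get-GPOReport -Name $name -ReportType Xml `
        -Path (Join-Path $BackupDir "$name.xml")
}

# 4. Link a pruned copy to a test OU with the link disabled; enable the
#    link only when ready to test against accounts placed in that OU.
New-GPLink -Name 'Desktop Restrictions' -Target $TestOU -LinkEnabled No
```

The settings themselves still have to be removed from each copy manually; the module copies and reports on whole GPOs and does not export individual entries.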
