Announcement

Collapse
No announcement yet.

GPO best practices & GPO Filtering

Collapse
X
  • Filter
  • Time
  • Show
Clear All
new posts

  • GPO best practices & GPO Filtering

    First, I have been reading alot of forums about the best practice of GPO deployment. Some people say use 1 GPO for all settings and others say separate GPO for each setting. I was taught originally to group specific sets of like settings into 1 GPO and do this for each group of settings you want to enforce. In relation to software deployment, is it better to deploy 1 app per GPO or use only 1 GPO for all apps (or 1 for comp & 1 for user GPOs)?

    Secondly, I applied a GPO yesterday to redirect my users' My Documents folder to a network drive and to synchronize the folder on logon/logoff. As I was looking at the "real life" scenario of that GPO, I noticed that some of my users were getting the redirection policy, but the synchronization was not turned on. Others were receiving the policy, but when I ran a gpresult the policy was filtered... How do policies that are enforced and applied get filtered?
    Last edited by emjtech; 8th September 2005, 13:31.

  • #2
    Re: GPO best practices & GPO Filtering

    Hi emjtech,

    It's true that there are many methods for GPO deployment. In my own experience, I would group GPOs based on their functions. For example, GPO for GUI, security, mandatory settings (loopback), application deployment wireless ... I name GPOs by their function and scope as well. Examples are Site01.GUI.Student.GPO1, Domain02.Security.PKI.GPO2 ...

    I also limit not to have many settings in a GPO as well. If conflicts occur, it would be easier to troubleshoot.

    There are arguments of the replication traffic per GPO as well. In fact, the sizes of a GPO template from XP SP1, XP SP2 on Windows 2000 and Windows 2003 are different as well. They range from 1.8MB to 3.2 and 3.4MB. The "fix" that I've been using to overcome that issue is to create "thin" policy ( with settings that don't belong to Administrative templates). Let me describe shortly of how I create thin policy: run mmc, create new GPO, link to target (site,domain,OU), remove admin template in mmc, locate GPO under sysvol and set adm folder to deny everyone from writting to it. (if you need more in details, I'll post later). So the size of each "thin" policy is about 1K to 4K max

    Regarding folder redirection, I use this setting "Always wait for network to be ready" so user don't have to log off and log on for couple of time to get it to work.

    Others were receiving the policy, but when I ran a gpresult the policy was filtered
    If you can specify more details, it would be great because I'm a little confused on this. Thanks

    Regards,
    Last edited by azmantek; 8th September 2005, 05:21.
    Teamwork

    Comment


    • #3
      Re: GPO best practices & GPO Filtering

      Thanks for your feedback. In regard to needing more info:

      I have created and linked a policy which redirects the My Documents folder to a network share and then synchronizes that folder with the local My Documents folder at logon/logoff. I ran gpupdate from command line on a sample user's machine and then ran gpresult. It appeared under the user's settings but was listed under "The following GPOs were not applied because they were filtered out". I am unaware of how GPOs that are enforced are filtered out, unless somehow I have a higher GPO that is contradicting the filtered GPO, in which case, that would make sense.

      Comment


      • #4
        Re: GPO best practices & GPO Filtering

        Filtered means that there is a security setting prohibiting application of the policy. Check the permissions of the GPO link, perhaps Auth Users was removed, or has a deny 'apply policy'

        Comment


        • #5
          Re: GPO best practices & GPO Filtering

          Hi emjtech,

          wkasdo has pointed you the right direction of why the GPO filtered out. If we could get more information about your domain set up like: is it a test domain and you are the only admin? Have you been playing with GPO permission? WMI filter?, we'll be able to help you further.

          Regards,
          Teamwork

          Comment


          • #6
            Re: GPO best practices & GPO Filtering

            Here's what I have found and then I have another question for you...

            I figured out why the policy was filtered out for the user... because the policy didn't have any user settings, only computer settings.

            i am going to create a new post with my new question...

            Comment

            Working...
            X