Group Policy Planning Strategies
Before implementing group policies, you should create a plan to manage them. You can plan your Group Policy settings, GPOs, and administrative control of GPOs to provide the most efficient Group Policy implementation for your organization. This lesson examines Group Policy planning strategies.
After this lesson, you will be able to
Estimated lesson time: 15 minutes
Group Policy Planning Strategies
There are three parts to planning Group Policy:
Plan the Group Policy settings necessary for computers and users at each level (sites, domains, and OUs).
Plan the GPOs necessary for computers and users at each level (sites, domains, and OUs).
Plan administrative control of GPOs.
Document your Group Policy plans. Accurate and organized documentation of the Group Policy settings and GPOs needed by your organization and the administrators who control the GPOs can help when you need to revisit or modify your Group Policy configuration.
Plan Group Policy Settings
There are over 600 Group Policy settings in Windows Server 2003. The best way to familiarize yourself with these settings is to look through them in the Group Policy Object Editor. You must plan the settings necessary for computers and users for each site, domain, and OU in your organization. Plan settings sparingly: justify the selection of each setting as you would the creation of a domain or OU. Choose settings based on their ability to help you simplify the administration of computers and users.
Planning GPOs
For each site, domain, and OU, you must determine how Group Policy settings should be arranged into GPOs. Base the arrangement of Group Policy settings on the users and computers that require them. You can arrange Group Policy settings in the following ways in a GPO:
Single setting GPO Contains a single type of Group Policy setting, for example, a GPO that includes only security settings. This model is best suited for organizations in which administrative responsibilities are task-based and delegated among several individuals.
Multiple setting GPO Contains multiple types of Group Policy settings, for example, a GPO that includes both software settings and application deployment, or a GPO that includes both security and scripts settings. This model is best suited for organizations in which administrative responsibilities are centralized and an administrator might need to perform all types of Group Policy administration.
Dedicated setting GPO Contains either computer configuration or user configuration Group Policy settings. This model increases the number of GPOs that must be applied when logging on, thereby lengthening logon time, but it can aid in troubleshooting. For example, if a problem with a computer configuration GPO is suspected, an administrator can log on as a user who has no user configuration GPO assigned so user policy settings can be eliminated as a factor.
Exam Tip
Be able to determine how Group Policy settings should be arranged into GPOs based on the needs and requirements of an organization.
Figure 10-8 illustrates these GPO types.
Figure 10-8. GPO setting types
Because sites and domains are the least restrictive components of Active Directory, it isn't too difficult to plan site and domain GPOs. Just remember that site and domain GPOs are applied to all child objects as a result of Group Policy inheritance, unless Block Policy Inheritance has been set for the child object. The real challenge is determining the OU GPOs. To determine the OU GPOs, you must consider the OU hierarchy set up for the domain. In Chapter 6, "Implementing an OU Structure," you learned that there are three reasons for defining an OU: to delegate administration, to hide objects, and to administer Group Policy. You were advised that because there is only one way to delegate administration and there are multiple ways to administer Group Policy, you must define OU structures to delegate administration first. Recall that the OU hierarchy structure can reflect administration handled by location, business function, object type, or a combination of the three elements. After an OU structure is defined to handle delegation of administration, you can define additional OUs to hide objects and to administer Group Policy. So, if you've defined your OU structure to accurately reflect how your domain is administered, the next step is to determine which Group Policy settings must be applied to which users and computers in each OU. Basically, you can build GPOs by using a decentralized or a centralized design.
Decentralized GPO Design
With a decentralized GPO approach (see Figure 10-9), the goal is to include a specific policy setting in as few GPOs as possible. When a change is required, only one (or a few) GPO(s) have to be changed to enforce the change. Administration is simplified at the expense of a somewhat longer logon time (due to multiple GPO processing).
Figure 10-9. Decentralized and centralized GPO design
To achieve this goal, create a base GPO to be applied to the domain that contains policy settings for as many users and computers in the domain as possible. For example, the base GPO could contain corporate-wide security settings such as account and password restrictions. Next, create additional GPOs tailored to the common requirements of each OU, and apply them to the appropriate OUs.
This model is best suited for environments in which different groups in the organization have common security concerns and changes to Group Policy are frequent.
Centralized GPO Design
With a centralized GPO approach (shown in Figure 10-9), the goal is to use very few GPOs (ideally only one) for any given user or computer. All of the policy settings required for a given site, domain, or OU should be implemented within a single GPO. If the site, domain, or OU has groups of users or computers with different policy requirements, consider subdividing the container into OUs and applying separate GPOs to each OU rather than to the parent. A change to the centralized GPO design involves more administration than the decentralized approach because the settings might need to be changed in multiple GPOs, but logon time is shorter. This model is best suited for environments in which users and computers can be classified into a small number of OUs for policy assignment.
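The decentralized design described above, as an added example that is not part of the training kit: a base GPO linked at the domain, additional GPOs linked to individual OUs, and a check of what each OU will actually receive through inheritance. It uses the GroupPolicy PowerShell module, which shipped with Windows Server 2008 R2 and later (the lesson itself describes Windows Server 2003, where the same steps are performed in the GPMC). The domain name, OU names, GPO names and group names are placeholders.

```powershell
# Added example (not from the training kit): a decentralized GPO design built
# with the GroupPolicy module. Domain, OU and GPO names are placeholders.
Import-Module GroupPolicy

$domainDn = 'DC=corp,DC=example,DC=com'   # placeholder domain

# 1. One base GPO linked at the domain, holding settings that apply to as many
#    users and computers as possible (corporate account and password policy).
#    Those settings live in Computer Configuration only, so this is also a
#    "dedicated" GPO: switching off the unused User Configuration half means
#    clients skip it during user policy processing.
$base = New-GPO -Name 'Base - Corporate Security' -Comment 'Domain-wide account and password policy'
$base.GpoStatus = 'UserSettingsDisabled'
New-GPLink -Name $base.DisplayName -Target $domainDn -LinkEnabled Yes | Out-Null

# 2. Additional GPOs tailored to the common requirements of each OU.
$ouPolicies = @{
    'OU=Sales,DC=corp,DC=example,DC=com'       = 'Sales - Desktop Restrictions'
    'OU=Engineering,DC=corp,DC=example,DC=com' = 'Engineering - Developer Tools'
}
foreach ($ou in $ouPolicies.Keys) {
    $gpo = New-GPO -Name $ouPolicies[$ou]
    New-GPLink -Name $gpo.DisplayName -Target $ou -LinkEnabled Yes | Out-Null
}

# 3. Verification: each OU should receive the base GPO from the domain plus its
#    own link, unless Block Policy Inheritance has been set on the OU.
#    Get-GPInheritance reports both the block flag and the effective link list.
foreach ($ou in $ouPolicies.Keys) {
    $inh = Get-GPInheritance -Target $ou
    '{0}: BlockInheritance={1}; applied GPOs: {2}' -f $inh.Path, $inh.GpoInheritanceBlocked,
        (($inh.InheritedGpoLinks | ForEach-Object DisplayName) -join ', ')
}
```

The script creates and links the containers only; the policy settings themselves are still authored in the Group Policy Object Editor. The verification loop is the part worth keeping: an OU whose report shows BlockInheritance=True, or that is missing the base GPO, is exactly the situation in which the domain-wide security settings silently stop applying.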
Planning Administrative Control of GPOs
When you plan the Group Policy settings and GPOs to be used in your organization, you should also plan who will manage them. The appropriate level of administrative control can be delegated by using a centralized, decentralized, or task-based administrative control design.
Centralized Administrative Control Design
In the centralized design, administration of Group Policy is delegated only to top-level OU administrators. In the example shown in Figure 10-10, top-level OU administrators have the ability to manage all GPOs in the domain. Second-level OU administrators do not have the ability to manage GPOs. You can accomplish this by assigning Full Control permission to top-level OU administrators. This design is best suited for organizations that want to consolidate the administration of group policies.
Figure 10-10. A centralized administrative control design
Decentralized Administrative Control Design
In the decentralized design, administration of Group Policy is delegated to top-level and to second-level OU administrators. In the example shown in Figure 10-11, top-level OU administrators have the ability to manage GPOs in the top-level OU. Second-level OU administrators have the ability to manage GPOs in their second-level OUs. You can accomplish this by assigning Full Control permission to top-level OU administrators for the top-level OU GPOs and Full Control permission to second-level OU administrators for their second-level OU GPOs. This design is best suited for organizations that delegate levels of administration.
Figure 10-11. A decentralized administrative control design
Task-Based Administrative Control Design
In the task-based design, administration of specific group policies is delegated to administrators that handle the associated specific tasks, such as security or applications. In this case, the GPOs are designed to contain only a single type of Group Policy setting, as described earlier in this lesson. In the example shown in Figure 10-12, security administrators have the ability to manage security GPOs in all OUs. Applications administrators have the ability to manage applications GPOs in all OUs. You can accomplish this by assigning Full Control permission to the security administrators for the security GPOs, and Full Control permission to the applications administrators for the applications GPOs. This design is best suited for organizations in which administrative responsibilities are task-based and delegated among several individuals.
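The task-based administrative control design described above, as an added example that is not part of the training kit: one group per task area is granted rights on the single-setting GPOs for that area, and a check then confirms that no task group holds rights on a GPO outside its area. It uses the GroupPolicy PowerShell module (Windows Server 2008 R2 and later); the GPMC "Full Control" permission corresponds to the GpoEditDeleteModifySecurity level in these cmdlets. GPO and group names are placeholders.

```powershell
# Added example (not from the training kit): task-based delegation of GPO
# administration with the GroupPolicy module. GPO and group names are placeholders.
Import-Module GroupPolicy

# Single-setting GPOs, one per task area, and the group responsible for each.
$delegations = @(
    @{ Gpo = 'Security - Workstation Hardening'; Group = 'GPO-Security-Admins' }
    @{ Gpo = 'Security - Server Hardening';      Group = 'GPO-Security-Admins' }
    @{ Gpo = 'Apps - Office Deployment';         Group = 'GPO-Application-Admins' }
)

foreach ($d in $delegations) {
    # GpoEditDeleteModifySecurity is the cmdlet equivalent of Full Control in the GPMC.
    Set-GPPermission -Name $d.Gpo -TargetName $d.Group -TargetType Group `
        -PermissionLevel GpoEditDeleteModifySecurity | Out-Null
}

# Check: a task group must hold rights only on GPOs in its own task area.
# A group that can edit a GPO outside its area could change settings it was
# never meant to own, so surface it before the delegation is relied on.
function Test-TaskDelegation {
    param([string]$Group, [string]$NamePrefix)
    Get-GPO -All | ForEach-Object {
        $perm = Get-GPPermission -Name $_.DisplayName -TargetName $Group `
            -TargetType Group -ErrorAction SilentlyContinue
        if ($perm -and $perm.Permission -ne 'None' -and $_.DisplayName -notlike "$NamePrefix*") {
            Write-Warning ("{0} has {1} on '{2}', outside its task area" -f `
                $Group, $perm.Permission, $_.DisplayName)
        }
    }
}

Test-TaskDelegation -Group 'GPO-Security-Admins'    -NamePrefix 'Security - '
Test-TaskDelegation -Group 'GPO-Application-Admins' -NamePrefix 'Apps - '
```

The naming convention carries the design: the check can only tell a security GPO from an applications GPO because the single-setting GPOs are named by task area, which is why the documentation step at the start of this lesson matters. The same Set-GPPermission call, pointed at a top-level OU administrators group and applied to every GPO, produces the centralized design; applied per OU, it produces the decentralized one.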
Figure 10-12. A task-based administrative control design
Lesson Review
The following questions are intended to reinforce key information presented in this lesson. If you are unable to answer a question, review the lesson and then try the question again. Answers to the questions can be found in the "Questions and Answers" section at the end of this chapter.
1. Describe a decentralized GPO design.
2. If administrative responsibilities in your organization are task-based and delegated among several administrators, which of the following types of GPOs should you plan to create?
Lesson Summary
There are three parts to planning Group Policy: plan the Group Policy settings, plan GPOs, and plan administrative control of GPOs.
Plan Group Policy settings sparingly: justify the selection of each setting as you would the creation of a domain or OU. Choose settings based on their ability to help you simplify the administration of computers and users.
You can build GPOs by using a decentralized or a centralized design. A decentralized design uses a base GPO applied to the domain, which contains policy settings for as many users and computers in the domain as possible. Then this design uses additional GPOs tailored to the common requirements of each OU and applied to the appropriate OUs. A centralized design uses a single GPO containing all policy settings for the associated site, domain, or OU.
Administrative control of GPOs can be delegated by using a centralized, decentralized, or task-based administrative control design. In the centralized design, administration of Group Policy is delegated only to top-level OU administrators. In the decentralized design, administration of Group Policy is delegated to top-level and to second-level OU administrators. In the task-based design, administration of specific group policies is delegated to administrators that handle the associated specific tasks.