Now that we've sort of gone over some of the different approaches in terms of designing your AD, I want to talk about some general best practices around Group Policy deployment.

So I have a set of rules that I've established over the years that are tried and true in terms of how you should approach Group Policy deployment.

Rule number one is link your GPOs as close to the intended targets as possible. So this is the notion that we don't really want to have to do security group filtering if we can link GPOs really close to their targets, whether they be computers or users. So instead of linking all of your GPOs at the domain level and putting a bunch of security group filters on them to control which computers and users process them, we want to link down in those OUs that we talked about in the previous example. So, for example, if we have a user policy that applies to sales users, we want to link it at the sales user OU in order to get the closest possible targeting.

And sort of the corollary to that is that filtering, whether security group filtering, WMI filtering or Group Policy Preferences item-level targeting, should be done on an exception basis.

Again, organizing AD to balance administration and Group Policy needs is a key piece here, and I talked a lot about that in the last section. Limiting the fingers in the pie. What do I mean by this?
What I mean is keep the number of administrators managing Group Policy as small as possible. This prevents people from stepping on each other, from not following standards, and from just generally making changes that other people don't know about. So have control over who's editing Group Policy. Remember our discussion about Group Policy delegation? It's very easy to control who can do what within Group Policy using the delegation model, and I highly recommend that.

So avoid that one-setting, one-GPO approach. This is a common thing that folks will get into where they need a setting, and they decide to create a new GPO for that setting. And it's fine if you're doing it a couple of times. But if it becomes a practice where you have 100 GPOs each with one setting in them, then you probably need to rethink that. I like to group settings by function or type, and especially as delegation requires. So for example, I might put all of my security settings in a standalone GPO so that they can be delegated to the security administrator in my organization.

Avoid the copy-and-paste phenomenon that I talked about in an earlier module. So you need some settings that you have in another GPO. Well, the handiest thing to do is to just copy and paste that existing GPO.
The problem is that oftentimes people won't go in and clean up the settings that they don't need from that source GPO, and so then you've got lots of redundant settings running around. So I try to avoid that. If you're going to copy and paste, make sure you go in and clean up the settings that you don't need out of that new GPO.

Group Policy settings performance before Windows 8.1: these three policy areas, GP Preferences drive mapping, folder redirection and software installation, require a synchronous foreground refresh, and they should be separate from other policy areas in GPOs. So keep these separate from, let's say, admin templates or security and you'll improve your performance. And I'll talk a little bit more about this in a second.

Avoid that "Always wait for the network at computer startup and user logon" policy. I had mentioned earlier that it sets every foreground policy processing cycle to synchronous. If you don't really need this, then don't set it universally. I know a lot of shops that set this universally, and they're automatically inflicting their users with a penalty in boot-up and logon time.

And then, finally, always back up your GPOs. We talked about GPO backups and how easy they are to do. Always, always, always do this.
A lot of people don't get into the habit of this and get bitten by it when they make changes or have to roll back GPO changes.

I want to talk now about the design approach with the actual GPO and how you group settings in GPOs. A bunch of years ago, I came up with these definitions, monolithic and functional GPOs, and I've been using them ever since as a way of classifying the two different types of GPOs. Monolithic GPOs are GPOs that contain settings from a lot of different policy areas in a single GPO. So you group software installation settings, admin templates, whatever, in a single GPO. That's contrasted with functional GPOs, which are really where you have one or more settings from a single policy area. The example I just gave was security policy: all security policy in its own GPO, and just security policy in that GPO. That would be an example of a functional GPO.

So which do you deploy? Well, most environments are going to have a combination of both, which is perfectly reasonable. It ends up being driven by factors like the delegation needs and the complexity. Certainly monolithic GPOs tend to be more complex because you've got a lot more stuff going on in them, but they're great for delegating to an OU administrator. You make one GPO with all the settings that that OU administrator needs and say, you have rights over this GPO and no others. Also, security mandates might drive this. Do I need to delegate my security settings to the InfoSec team? If so, then I might want to just have a separate GPO for just those settings. And then, you know, each type is going to make sense in a certain situation.

There are some considerations around processing performance that might lead you to one versus the other, and I'll give you the hint that it's the functional type that tends to perform better, because of the reason I mentioned in my previous list: if you have synchronous policy settings like folder redirection, software installation or GP Preferences drive mappings in with, let's say, admin templates in a single GPO, whenever you make a change to any of those areas, it will automatically trigger a synchronous foreground refresh. So having those synchronous areas in separate GPOs can be better for performance.

So a little bit more about functional GPOs. They're really used to isolate a single setting or a group of settings. For example, account policy is a perfect example of a functional GPO.
A lot of people use the Default Domain Policy just to do password policy for the domain, and that's a good approach. But you can go overboard here. Again, you don't want hundreds of GPOs with a single setting in them. Think about grouping settings based on function or type.
If you're going to use the functional approach, have, let's say, all admin template settings for the marketing folks in a single GPO.

Monolithic GPOs are ideal for delegating to administrators, you know, OU administrators, because you can create, like I said, a single GPO with all the settings they need, delegate edit rights to that GPO, and they're done. It has a tendency in those scenarios to keep those settings in a single, manageable, delegated place, and for those OU administrators it kind of eases troubleshooting, because it gives them the ability to look in one place to find and fix potential problems. And that's a good thing.