1 00:00:03,050 --> 00:00:03,490 Okay. 2 00:00:03,500 --> 00:00:08,840 Just to underscore what I just talked about with respect to functional and monolithic GPOs, let's kind 3 00:00:08,840 --> 00:00:11,690 of look at two GPOs that I've created to illustrate each. 4 00:00:12,590 --> 00:00:19,400 So I've created a functional GPO called functional GPO, and you can see that it only contains per computer 5 00:00:19,400 --> 00:00:20,690 security settings in it. 6 00:00:21,590 --> 00:00:28,490 So this is an example of a GPO that can be easily delegated to a security group using delegation I can 7 00:00:28,490 --> 00:00:32,660 control who can edit this GPO and it only contains a single policy area. 8 00:00:33,530 --> 00:00:38,870 Now, by contrast, I've created this GPO called Monolithic GPO, and if you'll recall, from my definition, 9 00:00:38,870 --> 00:00:44,420 monolithic GPOs mean GPOs that contain settings from lots of different areas in a single GPO. 10 00:00:45,230 --> 00:00:47,990 So for example, I've got a log on script to find. 11 00:00:48,020 --> 00:00:50,300 These are all per user settings in this case. 12 00:00:51,190 --> 00:00:53,440 I've got some admin template settings to find. 13 00:00:53,470 --> 00:00:59,200 I've got a GP preferences drive map to find and a registry set setting to find under GP preferences. 14 00:01:00,100 --> 00:01:05,440 So a bunch of different in this case, four different policy areas are defined in this GPO, all for 15 00:01:05,440 --> 00:01:05,920 the user. 16 00:01:06,790 --> 00:01:09,150 And again, I could very easily use this too. 17 00:01:09,160 --> 00:01:14,170 For example, if I wanted to delegate administration of a single GPIO to the sales admins. 18 00:01:15,050 --> 00:01:19,310 I could link this GPO to the sales o you under the monolithic GPO here. 19 00:01:20,180 --> 00:01:25,520 Just link it to the sales OYU and give delegation rights to the sales admins group to be the only group 20 00:01:25,520 --> 00:01:30,260 that can edit this GPO and give them added rights, but don't give them the ability to change the permissions 21 00:01:30,260 --> 00:01:36,170 on the GPO and so sales admins could then come in and edit this GPO to their heart's content. 22 00:01:36,290 --> 00:01:41,420 They wouldn't be able to create any new GPOs at the sales OYU or link any new GPOs at the sales. 23 00:01:41,420 --> 00:01:42,080 Oh you level. 24 00:01:42,940 --> 00:01:47,500 But they would be able to edit the single monolithic GPO where all of their settings reside. 25 00:01:47,560 --> 00:01:52,060 And so that's the whole purpose or the value of monolithic versus the functional GPO. 26 00:01:52,870 --> 00:01:57,730 Now remember I mentioned that from a performance perspective, you probably don't want to group one 27 00:01:57,730 --> 00:02:03,130 of those synchronous policy areas like GP preferences, drive mappings in with other policy areas. 28 00:02:04,010 --> 00:02:07,670 In this case, W.H. wa was exactly what I've done. 29 00:02:08,480 --> 00:02:13,700 It wouldn't be an issue on Windows 8.1 because drive mappings has been changed to run asynchronously 30 00:02:13,700 --> 00:02:15,020 in Windows 8.1. 31 00:02:15,880 --> 00:02:22,030 But in Windows seven, if if clients were processing this GPO, what you'd end up have happening is 32 00:02:22,030 --> 00:02:27,550 every time you made a change to any setting area within this GPO, whether it be scripts, administrative 33 00:02:27,550 --> 00:02:32,620 templates or registry, you would end up having the drive mapping extension trigger a synchronous foreground 34 00:02:32,620 --> 00:02:38,230 refresh for the next log on so the user would end up waiting for that synchronous foreground refresh 35 00:02:38,230 --> 00:02:42,640 and next log on just because this drive map setting is grouped in with all these other settings. 36 00:02:43,540 --> 00:02:46,030 So again, it's a good idea to avoid doing that. 37 00:02:46,030 --> 00:02:51,370 If you're in a Windows Seven world and you're trying to keep performance at a maximum and trying to 38 00:02:51,370 --> 00:02:55,720 minimize the impact of group policy processing on user experience and log on.