You would think this would simple. Edit your GPO, configure your setting, done. But the correct way isn’t quite this easy. I re-discovered this recently during a Windows 8.1 rollout. Some of our users reported that SkyDrive was not syncing. After a few hours of troubleshooting, we found that a certain Group Policy setting caused the issue.
No one could remember why this particular setting was enabled and everyone was nervous about turning it off. This confusion brings me to the first step you’ll take when enabling a Group Policy Setting.
Why are you enabling it?
Group Policy Admins have unlimited power! This can be tempting because every single setting looks like it should be enabled. “Should my users be able to change their desktop? No, they will just mess it up.” Thinking like this leads to many settings being enabled for the heck of it. Thinking like this leads to a more complex (breakable) environment.
When you are deciding to enable a Group Policy setting, have a goal in mind. Aim to fix a specific problem that currently exists. For example, enabling verbose mode fixes the generic “Applying Group Policy” messages. This makes troubleshooting easier.
Group Policy tends to be good a self-documenting. But you can take it further and make your life a bit easier! When editing an Administrative Template, make a point to fill out the Comment field. This is especially important for more obscure settings.
If I was changing the Default Desktop Tools for Adobe Reader, I would definitely need to document why. Future me would certainly not remember. This article covers a few ways that you can document Group Policy changes.
Living in an undocumented environment is like camping in a minefield. Something is going to blow. If your Group Policy environment is undocumented, start by taking a look at any GPO. For any setting that doesn’t make sense, find out why it was set and then document it. You can’t find out why, create a small test GPO that reverses the setting and see what happens. You might not need that setting anymore!
* If you are curious, the GP setting was Prohibit User from Manually Redirecting Profile Folders