Group Policy can be very overwhelming! Very few tools come equipped right out of the box with so much potential (and potential to blow things up). Before you dive too deep into Group Policy, you need to do these three things.
Step 1: Be Completely Familiar with Processing
Do you know LSDOU? What happens if I enforce a policy and block inheritance at the same time? What two permissions are needed to apply a GPO? If you aren’t sure (or just want a refresher), be sure to read over this guide. While some of these scenarios may be rare, knowing the ins and outs of processing will keep you from banging your head against the wall.
Step 2: Set Up a Central Store
Without a central store, any extra ADMX files you add to your GPMC are not available at any other management station. So if you add the files for Office, your coworkers do not get that extra control. They would need to manually add in the ADMX files as well. A central store ensures that you and everybody using GPMC will always have the same ADMX files. If you copy over new ADMX files (for example, for Office 2013), every administrator using Group Policy Management Console (GPMC) will also get the updated ADMX files instantly. Using the central store is also the easiest way to ensure that everybody has the tools they need. You can learn how to create a central store here.
Step 3: Standardize Naming Now
Every object (OU, Computer, User, GPO) should have a standard naming convention established. Trying to standardize after you’ve created 200 GPOs is a lot harder than standardizing at first. Not sure where to start? Here are a few items to consider and conventions that I have seen in different organizations. Your naming convention doesn’t have to meet all of these standards. As examples, I included some sample GPOs below.
- Distinguish between Computer and User Policies. User: Set Default HomePage
- Distinguish between Client Side Extensions (CSEs). A GPO deploying software might be named APP_Adobe Flash and a GPO setting security settings might be named SEC_Local Admins
- Distinguish between link location. Brunswick: Security Policy; Sterling: Desktop Policy
As a personal request, don’t name your group policy objects things like “User: Set Default HomePage Group Policy Object”. You wouldn’t create a user and name him “Joseph Moody User”.
This is just ridiculous…
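One way to check existing GPO names against a convention like the ones above, as an added example that is not from the original post. The function name Test-GpoName and the prefix lists are assumptions built from this article's sample names; swap in your own convention.

```powershell
# Added example: audit GPO display names against a naming convention.
# Prefix lists are assumptions taken from the article's sample GPO names.
$ScopePrefixes    = 'User', 'Computer'        # "User: Set Default HomePage"
$CsePrefixes      = 'APP', 'SEC'              # "APP_Adobe Flash", "SEC_Local Admins"
$LocationPrefixes = 'Brunswick', 'Sterling'   # "Brunswick: Security Policy"

function Test-GpoName {                       # hypothetical helper, not a built-in cmdlet
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [string]$Name
    )
    begin {
        # "Prefix: Name" for scope/location prefixes, "PREFIX_Name" for CSE prefixes
        $colon = (@($ScopePrefixes + $LocationPrefixes) | ForEach-Object { [regex]::Escape($_) }) -join '|'
        $under = (@($CsePrefixes) | ForEach-Object { [regex]::Escape($_) }) -join '|'
        $prefixPattern = '^(?:(?:{0}): |(?:{1})_)\S' -f $colon, $under
    }
    process {
        $issues = @()
        # Case-sensitive match so "sec_" is not accepted in place of "SEC_"
        if ($Name -cnotmatch $prefixPattern) { $issues += 'no recognized prefix' }
        # Names should not repeat the object type ("... Group Policy Object")
        if ($Name -match '\b(Group Policy Object|GPO)\s*$') { $issues += 'redundant object-type suffix' }
        if ($Name -ne $Name.Trim()) { $issues += 'leading or trailing whitespace' }
        [pscustomobject]@{
            Name      = $Name
            Compliant = ($issues.Count -eq 0)
            Issues    = $issues -join '; '
        }
    }
}

# Constructed sample names. On a management station with the GroupPolicy module,
# audit the real domain instead with:  (Get-GPO -All).DisplayName | Test-GpoName
$sample = @(
    'User: Set Default HomePage'
    'APP_Adobe Flash'
    'SEC_Local Admins'
    'Brunswick: Security Policy'
    'User: Set Default HomePage Group Policy Object'
    'New Group Policy Object'
    'sec_firewall'
)
$sample | Test-GpoName | Where-Object { -not $_.Compliant } | Format-Table -AutoSize
```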
Step 4: Use the Latest GPMC
Building off of Step 2, you should be using the latest GPMC available. Currently, this means using a Windows 8 or Windows Server 2012 machine for your management console. Using the latest GPMC gives you access to the latest improvements and tools! For example, Windows 8 gives you the ability to manage IE 10, new settings, updated preferences, etc. You also get to check the replication status (within GPMC).
And you get access to the improved Group Policy Results wizard!
If you are unable to run the latest Microsoft OS, you should at least be on the highest OS that your organization supports. In other words, don’t support Windows 7 machines if you are still on XP.