Group Policy Best Practice – Commenting for Future You!
“Who was the idiot that created this GPO!” Those were my thoughts yesterday as I tried to sort out a cumbersome GPO. You might be wondering, why was this GPO so bad?
- The GPO had user and computer settings within it but was linked to an OU containing just users.
- The GPO referenced security groups that didn’t exist.
- The GPO had zero comments/explanations.
Years ago, I configured this GPO and assumed that future me would remember everything from that day. That was dumb…
Instead, I should have left documentation within the GPO itself. Today, we are going to cover the three ways you can document your GPOs to save future you some work!
Commenting on the GPO
Much like the little-used Group Policy Search feature, commenting on the GPO is a seldom-used tool. To get started, right-click on your GPO and select Edit. Select Action and then Properties to access the Comment tab. You can also right-click on the GPO name (above Computer Configuration) and select Properties.
Type out any comments relating to the overall GPO (such as filtering, function, etc.). Within the GPMC, you can select the Details tab to see any comments that you’ve written.
Commenting Administrative Templates
Each setting under Administrative Templates can have specific comments linked to it! Our GPO above enables Group Policy Kiosk Mode for a specific user. I am configuring User Configuration/Administrative Templates/System/Custom User Interface to achieve my kiosk mode. If needed, I can specifically document why this setting was configured just by editing the setting.
If you are working within a large GPO, you can filter Administrative Templates to only show settings that have been Commented. This was briefly covered in our earlier “Searching Group Policy” series. You can also reverse the filter to list any remaining settings that might need an explanation.
Commenting Group Policy Preferences
The final place that you can comment is on individual Group Policy Preferences. On the Common tab of any preference, simply fill in the Description field. I find that this is a great place to explain any complicated ILTs (item-level targeting rules) or other common options (like Run in User’s Security Context).
Your Group Policy Challenge
If I told you to give me $10 and I would give you $60 later, would you do it? Absolutely! What if I told you to give me ten minutes and I will save you an hour of work later?
Take the next ten minutes and do the following:
- Pick your most complicated GPO.
- Edit it and explain exactly what the GPO is doing. You can comment the GPO itself or particular complicated settings.
- If you want bonus Happiness points, leave a comment explaining why your GPO was so complicated and how you documented it.
You just saved future you an hour of troubleshooting! If you are lucky, you might have even prevented a Vacation Interruption!
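The GPO-level comment shown on the GPMC Details tab is exposed as the Description property of the objects returned by Get-GPO, so the challenge can start from a list of GPOs that have no comment at all. This is an added example, not part of the original post; it assumes the GroupPolicy module (RSAT/GPMC) and read access to the domain, and the function name and the GPO name 'Kiosk Mode' are hypothetical placeholders.

```powershell
# Added example: audit which GPOs in the current domain carry no GPO-level comment.
# Assumes the GroupPolicy module (installed with GPMC/RSAT) and a domain-joined session.
Import-Module GroupPolicy

function Get-GpoCommentAudit {
    # Hypothetical helper name; returns one summary object per GPO.
    [CmdletBinding()]
    param(
        # Domain to query; defaults to the domain of the current user.
        [string]$Domain = $env:USERDNSDOMAIN
    )

    Get-GPO -All -Domain $Domain | ForEach-Object {
        [pscustomobject]@{
            DisplayName        = $_.DisplayName
            # Description holds the text typed on the GPO's Comment tab.
            HasComment         = -not [string]::IsNullOrWhiteSpace($_.Description)
            # A directory version of 0 means that half of the GPO was never edited.
            # A non-zero value only proves it was edited at some point.
            UserSideEdited     = $_.User.DSVersion -gt 0
            ComputerSideEdited = $_.Computer.DSVersion -gt 0
            GpoStatus          = $_.GpoStatus
            ModificationTime   = $_.ModificationTime
        }
    }
}

# GPOs with no comment, most recently modified first.
Get-GpoCommentAudit |
    Where-Object { -not $_.HasComment } |
    Sort-Object ModificationTime -Descending |
    Format-Table DisplayName, UserSideEdited, ComputerSideEdited, GpoStatus, ModificationTime -AutoSize

# Writing a comment from PowerShell: assigning Description saves it to the GPO.
# 'Kiosk Mode' is a constructed GPO name; uncomment and adjust before use.
# $gpo = Get-GPO -Name 'Kiosk Mode'
# $gpo.Description = 'Sets Custom User Interface for the kiosk account. Filtered to one user.'
```

A GPO that shows both UserSideEdited and ComputerSideEdited as True deserves a comment explaining which links and filters make each half apply. Comments on individual Administrative Templates settings and Preference descriptions are not covered by this check.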
Good article. Keep it up. Group policy details explained very well.
Nice post! Very interesting to see about the comments section.
Another possible solution is AGPM.
http://blogs.msdn.com/b/customer_reviews_of_stb_products/archive/2013/01/31/microsoft-advanced-group-policy-management-agpm-myths-and-facts.aspx
Thanks Steve! AGPM is amazing – easily my favorite GP tool. Only issue is the cost for small organizations (and lack of PowerShell support).
I thought adding to the descriptions took away from the AD DB max size? Or is that only in relation to AD DFS?
Hi Mike – I couldn’t fully answer your question so I did some research. I would imagine adding descriptions would increase the database by a small amount. I looked into how big the database can get and the answer was surprising:
http://blogs.technet.com/b/efleis/archive/2006/06/08/434255.aspx