Creation and editing of GPOs is divided across two tools (which are complementary):
Group Policy Management Console (GPMC). This tool supports operations associated with GPOs such as creating, linking, copying, backing up, etc. It does NOT provide direct functionality related to the contents of GPOs. GPMC has a multi-GPO perspective.
Group Policy Object Editor (GPEdit). This tool has a single-GPO perspective and provides features associated with editing the CONTENTS of the selected GPO.
Here are some best practices:
Refrain from "special" Group Policy operations when possible, including Block Inheritance, Enforce, and Loopback. While these properties don't really add time to logon, they definitely add time to troubleshooting.
If you are not setting any values in either the Computer Configuration or the User Configuration, then disable that section. It will prevent unnecessary delays in boot time or login time due to processing empty GPO sections.
Once you begin deploying Group Policy, don't go "overboard" in your deployment. Group Policy affects many users at once (perhaps ALL!). So be careful, and test your changes in the lab before leveraging those changes in production. Also, consider security filtering the new GPO to a pilot set of users (or computers).
Don't directly edit the Default Domain Controllers Policy, or the Default Domain Policy. Instead, make copies of these and edit your copies. If everything goes wrong or you lose all track of your changes, you can always revert to these saved, default settings as a fallback position.
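One way to apply the "disable the unused section" practice across a whole domain, as an added example that is not part of the original post. It uses the GroupPolicy module's Get-GPO cmdlet; the function name Disable-UnusedGpoSection is hypothetical, and the script assumes that a section version of 0 is an acceptable test for "no values set".

```powershell
#Requires -Modules GroupPolicy
# Added example, not from the original post. Disable-UnusedGpoSection is a
# hypothetical name. Run with -WhatIf first to get a report without changes.
function Disable-UnusedGpoSection {
    [CmdletBinding(SupportsShouldProcess)]
    param([string]$Domain = $env:USERDNSDOMAIN)

    # Well-known GUIDs of the Default Domain Policy and the Default Domain
    # Controllers Policy. Both are reported but never modified.
    $defaults = [guid[]]@('31B2F340-016D-11D2-945F-00C04FB984F9',
                          '6AC1786C-016F-11D2-945F-00C04FB984F9')

    foreach ($gpo in Get-GPO -All -Domain $Domain) {
        # DSVersion 0 means that half of the GPO has never been edited.
        # A half that was edited and later emptied keeps a non-zero
        # version and is not detected by this check.
        $userEmpty     = $gpo.User.DSVersion -eq 0
        $computerEmpty = $gpo.Computer.DSVersion -eq 0

        $target = $null
        if ($userEmpty -and -not $computerEmpty) { $target = 'UserSettingsDisabled' }
        if ($computerEmpty -and -not $userEmpty) { $target = 'ComputerSettingsDisabled' }

        # Only touch fully enabled GPOs, so a GPO that an administrator has
        # already disabled (in part or in full) is left exactly as it is.
        $actionable = $target -and $gpo.GpoStatus -eq 'AllSettingsEnabled'
        $isDefault  = $defaults -contains $gpo.Id
        $before     = $gpo.GpoStatus

        if ($actionable -and -not $isDefault -and
            $PSCmdlet.ShouldProcess($gpo.DisplayName, "Set GpoStatus to $target")) {
            $gpo.GpoStatus = $target   # setting the property updates the GPO
        }

        [pscustomobject]@{
            Name            = $gpo.DisplayName
            StatusBefore    = $before
            StatusAfter     = $gpo.GpoStatus
            Recommended     = $target
            UserVersion     = $gpo.User.DSVersion
            ComputerVersion = $gpo.Computer.DSVersion
            DefaultPolicy   = $isDefault
        }
    }
}

Disable-UnusedGpoSection -WhatIf | Format-Table -AutoSize
```

GPOs with both halves at version 0 get no recommendation, since they are either brand new or candidates for deletion rather than for a partial disable.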
Comments:
From jah457 - 7/10/06 7:08 AM
I have an AD 2003 Root Domain (DomainA) with many users. I also have several Child Domains, let's call one of them DomainB. All Child Domains are connected with SatComm WAN links, sometimes with <64Kbps effective throughput.
I occasionally have users from DomainA that travel to DomainB and expect to login using a DomainB computer to get their corporate email from their DomainA Exchange 2003 Server.
My challenge is to stop DomainA login scripts, drive mappings, and everything else that would make the login extremely slow.
My thoughts were to try either GP Slow Link detection, or to use GP Loopback and require them to use a particular computer when logging in at DomainB.
Any suggestions would be greatly appreciated.
Cheers,
JAH457