You’ve learned a lot in this chapter about GP and how it works. Along with the exact mechanisms behind GP’s magic, there is also an art to properly deploying it. You must account for several issues when using GP. In this section, I’ll take a look at some common issues, and I’ll offer suggestions about how best to deploy GP (in general terms) in your organization.
First, you should keep the Default Domain Policy GPO clear of special exceptions. Remember that this policy is meant only for domain-wide, all-computer settings, and is not meant as a launching point for myriad policies of your own. Don’t apply different settings to this policy and expect to use the inheritance blocking and security group filtering capabilities to limit the scope of a setting located here. It’s a recipe for a troubleshooting nightmare. Instead, create individual GPOs applied to different containers, where your changes, even if blocked by certain properties of the GPOs, aren’t as widespread and sweeping.
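One way to check whether the Default Domain Policy has picked up the kind of filtering exceptions described above, as an added example that is not from the original text. The function name `Find-GpoFilterException` and the sample entries are constructed here; the entries are shaped like the output of `Get-GPPermission` from the GroupPolicy module.

```powershell
# Added example: flag security-filtering exceptions on a GPO's permission list.
# Input objects mirror Get-GPPermission output: Trustee.Name, Permission, Denied.
function Find-GpoFilterException {
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [object]$Entry
    )
    begin { $sawDefaultApply = $false }
    process {
        $name = $Entry.Trustee.Name
        $perm = [string]$Entry.Permission
        if ($Entry.Denied) {
            # A deny entry means someone is carving objects out of the GPO's scope.
            [pscustomobject]@{ Trustee = $name; Permission = $perm
                               Finding = 'Deny entry narrows the scope' }
        }
        elseif ($perm -eq 'GpoApply' -and $name -eq 'Authenticated Users') {
            $sawDefaultApply = $true   # the expected domain-wide filter
        }
        elseif ($perm -eq 'GpoApply') {
            [pscustomobject]@{ Trustee = $name; Permission = $perm
                               Finding = 'Apply granted to a specific trustee' }
        }
    }
    end {
        if (-not $sawDefaultApply) {
            [pscustomobject]@{ Trustee = 'Authenticated Users'; Permission = 'GpoApply'
                               Finding = 'Default apply entry is missing' }
        }
    }
}

# Constructed sample: a Default Domain Policy that has been filtered by group.
$sample = @(
    [pscustomobject]@{ Trustee = [pscustomobject]@{ Name = 'Domain Admins' }
                       Permission = 'GpoEditDeleteModifySecurity'; Denied = $false }
    [pscustomobject]@{ Trustee = [pscustomobject]@{ Name = 'Kiosk Computers' }
                       Permission = 'GpoCustom'; Denied = $true }
    [pscustomobject]@{ Trustee = [pscustomobject]@{ Name = 'Finance Users' }
                       Permission = 'GpoApply'; Denied = $false }
)
$sample | Find-GpoFilterException | Format-Table -AutoSize

# Against a live domain (needs the GroupPolicy and ActiveDirectory RSAT modules):
#   Get-GPPermission -Name 'Default Domain Policy' -All | Find-GpoFilterException
# Containers that block inheritance of domain-level GPOs:
#   Get-ADOrganizationalUnit -Filter * |
#       ForEach-Object { Get-GPInheritance -Target $_.DistinguishedName } |
#       Where-Object GpoInheritanceBlocked
```

On the constructed sample this reports three findings: the deny entry, the group-specific apply entry, and the missing Authenticated Users entry.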
Also, try to favor creating several smaller GPOs rather than fewer large GPOs. Although the processing time will suffer, it won’t suffer much; the benefit is that a GPO’s scope is much easier to identify on certain computers when you have smaller GPOs affecting only a few objects.
Construct a naming structure for your GPOs that is clear and descriptive. Hardly anything is worse, especially during GP troubleshooting, than seeing a GPO called “Office” and not knowing whether it ...