Darren Mar-Elia and I spent some time this week with a group of consultants and service providers. These folks come from a wide variety of backgrounds and experiences. Our goal was to talk about Group Policy, some best practices, and share some of our experiences of a combined almost 50 years of working with Group Policy and Configuration Management technologies. OK, a bit of an exaggeration (unfortunately not too much), but we have spent a long time working with these scenarios.
Towards the end of our discussion Darren brought up his “9 Group Policy Principles” which are thoughtful tips on how to better work with Group Policy. Honestly these ‘tips’ go beyond simply Group Policy. They are just good practices to think about regardless of the technologies you are working with.
The Principles
- Link GPOs as close to intended targets as possible
- Use filtering (security groups, WMI, GPP item-level targeting) on an exception basis
- Organize AD to balance AD administration and GP needs
- Limit “fingers in the pie”
- Avoid 1 setting, 1 GPO—group settings by function/type as delegation requires
- Avoid copy/paste GPOs; it saves time but results in lots of redundant settings
- Group Settings for performance; before Windows 8.1, group GPP Drive Mapping, Folder Redirection & Software Installation separate from other policy areas
- Avoid “Always wait for network…” policy if boot-up and logon performance is important
- Always back up your GPOs (always)
You can see that many of these are really about reducing complexity. Complexity is the enemy of scale; I know I have heard that before, but it is true. The more complex your environment is, the more difficult troubleshooting will be, the bigger the negative performance impact will be, and the harder it will be to scale as your organization and its internal needs grow.
Low Hanging Fruit
So, I’d love to think I can talk through all of these but let’s be realistic! I’ll start off small and see where we get. This means let’s take these out of order a bit and explore what can be done.
#9 Always back up your GPOs (always)
This one couldn’t be simpler with the Group Policy PowerShell module.
PS C:\> Get-GPO -All | Backup-GPO -Path c:\gpbackups -Comment "That was easy!"
Write that line as a script and schedule it. It really couldn’t be simpler. From there you can get creative with comments, deleting old backups, keeping your backup directory clean, etc. The idea, though, is simple: back up your GPOs. If you do this on a schedule instead of only when performing a task, you know it is done. This doesn’t mean you don’t want to back up before you make a change, but having this as part of your regular schedule is a great idea.
#8 Avoid “Always wait for network…” policy if boot-up and logon performance is important
OK, so this one may be a bit controversial. The idea with this setting is that some GP extensions need ‘time’ to process. Also, some settings may not be able to fully apply if other processes have already started. The impact on the user comes down to performance, and ultimately frustration and maybe even some homicidal thoughts about the IT person who ruined their day! (OK, another exaggeration!) This setting plays up the unpredictable nature of GP. Now, this ‘unpredictable’ nature of GP is pure perception, as it is very logical, just complex.
I used a function from a previous blog post, “Find managed registry settings”, to nail down the exact registry value used for this setting. Check out the old post, as you will find this function helpful over and over again.
Getting the actual settings from a GPO, or from several GPOs, can be accomplished with a simple process: loop through the GPOs and search for the specific setting. The secret sauce is Get-GPRegistryValue.
PS C:\> Get-GPRegistryValue -Name <GPOName> -Key "HKLM\Software\Policies\Microsoft\Windows NT\CurrentVersion\Winlogon" -ValueName SyncForegroundPolicy
If you can now loop through all GPOs, find those where this setting is configured, and find the ‘victims’, er, ‘recipients’, of this setting, you can pipe them right into the Remove-GPRegistryValue cmdlet, if that is what you would like to do.
This is a bit of an oversimplification, but the idea is to get us thinking about these things: how do you find settings, and how do you manage those settings from a life-cycle perspective?
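Here is the loop described above written out in full, as an added example that is not code from the original post. It finds every GPO that configures SyncForegroundPolicy, shows where each one is linked, and keeps removal as a separate step that backs the GPO up first (principle #9). The function names, the C:\gpbackups path and the use of Get-GPOReport to read link targets are my assumptions; it expects the GroupPolicy (RSAT) module and rights to read and edit GPOs in the domain.

```powershell
# Added example, not code from the original post: find every GPO that configures
# SyncForegroundPolicy ("Always wait for the network at computer startup and logon"),
# report where each GPO is linked, and optionally back it up and strip the value.
# Assumes the GroupPolicy module (RSAT) and rights to read/edit GPOs in the domain.
Import-Module GroupPolicy

$Key       = 'HKLM\Software\Policies\Microsoft\Windows NT\CurrentVersion\Winlogon'
$ValueName = 'SyncForegroundPolicy'

function Find-SyncForegroundPolicy {
    foreach ($gpo in Get-GPO -All) {
        # Get-GPRegistryValue throws when the value is absent from a GPO;
        # treat that as "not configured" and keep looping.
        try {
            $setting = Get-GPRegistryValue -Guid $gpo.Id -Key $Key -ValueName $ValueName -ErrorAction Stop
        } catch { continue }

        # The XML report carries the site/domain/OU links (LinksTo/SOMPath).
        [xml]$report = Get-GPOReport -Guid $gpo.Id -ReportType Xml
        $links = @($report.GPO.LinksTo | ForEach-Object { $_.SOMPath })

        [pscustomobject]@{
            GpoName  = $gpo.DisplayName
            GpoId    = $gpo.Id
            Value    = $setting.Value                     # 1 = always wait, 0 = never wait
            LinkedTo = if ($links) { $links -join '; ' } else { '(not linked)' }
        }
    }
}

function Remove-SyncForegroundPolicy {
    param(
        [Parameter(Mandatory)] $Hits,
        [string] $BackupPath = 'C:\gpbackups'   # assumed location, per principle #9
    )
    New-Item -ItemType Directory -Path $BackupPath -Force | Out-Null
    foreach ($hit in $Hits) {
        # Back up first (principle #9), then remove the single value.
        Backup-GPO -Guid $hit.GpoId -Path $BackupPath -Comment "Before removing $ValueName" | Out-Null
        Remove-GPRegistryValue -Guid $hit.GpoId -Key $Key -ValueName $ValueName | Out-Null
        Write-Host "Removed $ValueName from '$($hit.GpoName)' (backup in $BackupPath)"
    }
}

# Report only; call Remove-SyncForegroundPolicy -Hits $hits once you have reviewed the list.
$hits = Find-SyncForegroundPolicy
$hits | Format-Table -AutoSize
```

The report step is read-only, so it can run on a schedule alongside the backup script to catch the setting reappearing in new or copied GPOs.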
Wrap-up
I’ll take on some more of these principles soon. Working with ACLs, GPPreferences, Item Level Targets, WMI Filters, and more. Stay tuned.
-kevin