[itdiscuss] Group policy statement
Steve Huffman
SHuffman at blackhawkchurch.org
Fri Nov 20 09:37:23 EST 2009
Thanks to all, we're a smaller shop (about 50 users) so I think I will go with creating the OU's and using that.
Steve
Steve Huffman
Network Administrator
Blackhawk Church
shuffman at blackhawkchurch.org
www.BlackhawkChurch.org
608.828.4200
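As an added example (not part of Steve's post or anyone else's in the thread), here is how the OU-based scoping the thread converges on looks in PowerShell: separate Workstations and Servers OUs, an auto-update GPO linked only to the workstation OU with no filtering, and a check that it is not linked anywhere servers would inherit it. It assumes the RSAT ActiveDirectory and GroupPolicy modules, a GPO name and an OU layout of my choosing, and a security group name (placeholder) for the filtering alternative at the end.

```powershell
# Added example: scope a Windows Update GPO to workstations only via OU placement.
# Assumes RSAT (ActiveDirectory + GroupPolicy modules) and Domain Admin rights.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domainDN = (Get-ADDomain).DistinguishedName          # e.g. DC=corp,DC=example (placeholder)
$gpoName  = 'WSUS-Workstations-AutoUpdate'            # assumed GPO name

# 1. Separate OUs, so the update policy can be linked to workstations and never reach servers.
foreach ($ou in 'Workstations', 'Servers') {
    if (-not (Get-ADOrganizationalUnit -LDAPFilter "(ou=$ou)" -SearchBase $domainDN -SearchScope OneLevel)) {
        New-ADOrganizationalUnit -Name $ou -Path $domainDN -ProtectedFromAccidentalDeletion $true
    }
}
$wsOU = "OU=Workstations,$domainDN"

# 2. Build the GPO: auto download + scheduled install daily at 03:00, and do not
#    force a reboot while a user is logged on. These are the documented Windows
#    Update policy registry values under HKLM\...\WindowsUpdate\AU.
$auKey = 'HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
$gpo = Get-GPO -Name $gpoName -ErrorAction SilentlyContinue
if (-not $gpo) { $gpo = New-GPO -Name $gpoName -Comment 'Auto-update workstations; servers live in their own OU' }
Set-GPRegistryValue -Name $gpoName -Key $auKey -ValueName 'NoAutoUpdate'                  -Type DWord -Value 0 | Out-Null
Set-GPRegistryValue -Name $gpoName -Key $auKey -ValueName 'AUOptions'                     -Type DWord -Value 4 | Out-Null
Set-GPRegistryValue -Name $gpoName -Key $auKey -ValueName 'ScheduledInstallDay'           -Type DWord -Value 0 | Out-Null
Set-GPRegistryValue -Name $gpoName -Key $auKey -ValueName 'ScheduledInstallTime'          -Type DWord -Value 3 | Out-Null
Set-GPRegistryValue -Name $gpoName -Key $auKey -ValueName 'NoAutoRebootWithLoggedOnUsers' -Type DWord -Value 1 | Out-Null

# 3. Link only to the workstation OU. No security filtering or WMI filter is needed,
#    which keeps per-client processing cheap (Derek's point about unfiltered GPOs).
if (-not ((Get-GPInheritance -Target $wsOU).GpoLinks | Where-Object DisplayName -eq $gpoName)) {
    New-GPLink -Name $gpoName -Target $wsOU -LinkEnabled Yes | Out-Null
}

# 4. Verify: the GPO must not be linked at the domain root or at the Servers OU,
#    otherwise servers would inherit the auto-reboot behaviour Steve wants to avoid.
foreach ($target in $domainDN, "OU=Servers,$domainDN") {
    $hit = (Get-GPInheritance -Target $target).GpoLinks | Where-Object DisplayName -eq $gpoName
    if ($hit) { Write-Warning "$gpoName is linked at $target - servers would be in scope" }
}

# Alternative when objects cannot be moved into OUs: security filtering (Michael's and
# Kevin's suggestion). Authenticated Users keeps Read so clients can still retrieve the
# GPO; Apply is granted only to a workstation group (placeholder name).
# Set-GPPermission -Name $gpoName -TargetName 'Authenticated Users' -TargetType Group -PermissionLevel GpoRead -Replace
# Set-GPPermission -Name $gpoName -TargetName 'GPO-AutoUpdate-Workstations' -TargetType Group -PermissionLevel GpoApply
```

Run `gpupdate /force` on a test workstation and confirm with `gpresult /r` that the GPO appears under applied computer policies, and on a server that it does not.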
-----Original Message-----
From: discuss-bounces at itdiscuss.org [mailto:discuss-bounces at itdiscuss.org] On Behalf Of Derek Schwab
Sent: Thursday, November 19, 2009 11:17 PM
To: IT Discussion Forum
Subject: Re: [itdiscuss] Group policy statement
It depends on the specific scenario, but actually processing multiple smaller GPO's in nested OU's vs one big one with filtering is almost always faster. Especially if things change on a regular basis. Here's the deal - the time a GPO was updated is compared to the time it was last applied, and if the GPO has not changed, it doesn't get applied. So, basically, if the GPO's never change, they are applied the first time the machine starts and then never looked at again.
That means if you have tons of settings in one big GPO, anytime it changes, the entire thing gets reapplied to every computer. That takes significantly longer (usually several times longer) than, for example, a printer changing in a GPO that only does printers.
So, basically, by breaking things up into several smaller GPO's and applying based on a hierarchy, it will take a bit longer the first time the machine starts up or the first time a particular user logs into a machine, but after that, there's basically zero processing time until a GPO change, and at that point, only that one GPO is reapplied.
Microsoft has a good article on Group Policy design and performance at http://207.46.16.252/en-us/magazine/2008.01.gpperf.aspx
Also, for some real world results - we're in the process of migrating to Group Policy from Desktop Authority at Seacoast. My current design has about 100 GPO's total, with 3-5 layers of nested OU's for both users and computers. So, depending on the computer and the user who logs in, there will be as many as 10-12 GPO's applied total. We're seeing login/processing times of around 10 seconds vs upwards of a minute (more than that at remote campuses) on many machines with Desktop Authority.
-----Original Message-----
From: discuss-bounces at itdiscuss.org [mailto:discuss-bounces at itdiscuss.org] On Behalf Of Kevin Brunson
Sent: Thursday, November 19, 2009 2:14 PM
To: 'IT Discussion Forum'
Subject: Re: [itdiscuss] Group policy statement
Actually using this method could cause performance hits as well. For each policy that a computer has to process there is a performance hit. If it is having to process policies for the domain plus every OU down the chain it can slow things down pretty quickly. I agree with your statement that WMI queries can cause a pretty significant performance degradation. However security filtering is just about the fastest way a computer can evaluate policies for processing. If the computer or user has the group in its token it processes the policy, otherwise it doesn't. Any policy that a computer doesn't have to process is a policy that won't slow it down.
-----Original Message-----
From: discuss-bounces at itdiscuss.org [mailto:discuss-bounces at itdiscuss.org] On Behalf Of Derek Schwab
Sent: Thursday, November 19, 2009 12:35 PM
To: IT Discussion Forum
Subject: Re: [itdiscuss] Group policy statement
You generally only want to apply any filtering (or item level targeting for GP Preferences) to a very small OU.
ie: have a nested OU structure like this:
Desktops >> Central Offices >> Building 1 >> Accounting
There would be a GPO with no filtering attached to each level for applying things specific to all machines down to the specific group of machines. Any filtering/targeting would only happen at the last level - Accounting in my example - since filtering is more resource intensive and sometimes needs LDAP or WMI queries.
The design and hierarchy is very important from a performance perspective, especially in a larger network. There are often 5 ways to do the same thing in group policy, but each varies vastly in performance.
-Derek Schwab
On Nov 19, 2009, at 1:06 PM, "Bobby Stewart" <bStewart at brentwoodbaptist.com> wrote:
Yes, you can but my experience with this is that it’s tedious and sometimes unpredictable (or at least not as easy to manage the results). We use the OU method with servers in their own OU separate from all other systems. We’ve done the same for systems that are portable (notebooks, tablets, etc.) vs. desktops, Windows XP vs. Vista vs. Win7 (at one time an issue for our antivirus automated deployment) as well as separating users in OUs for different policy applications. It’s a great tool!
Bobby Stewart
Network Analyst
Brentwood Baptist Church
Brentwood, TN
http://WWW.BrentwoodBaptist.com
(615) 324-6149 office
(615) 830-0012 cell
From: discuss-bounces at itdiscuss.org [mailto:discuss-bounces at itdiscuss.org] On Behalf Of Michael Sainz
Sent: Thursday, November 19, 2009 11:50 AM
To: IT Discussion Forum
Subject: Re: [itdiscuss] Group policy statement
You can scope your GPO’s appropriately using Security Filtering.
michael|sainz
information technology coordinator | sunset presbyterian church (http://www.sunsetpres.org/)
michaelsainz at sunsetpres.org | twitter.com/michaelsainz | Blog: http://www.iamdigerati.com/
"We listen to worship music, while the rest of the world listens to hip hop and pop. We talk about history, while the rest of the world talks about reality. We use bulletins, while the rest of the world is on Facebook." -Tony Morgan
From: discuss-bounces at itdiscuss.org [mailto:discuss-bounces at itdiscuss.org] On Behalf Of blloyd at buskercom.com
Sent: Thursday, November 19, 2009 8:14 AM
To: discuss at itdiscuss.org
Subject: Re: [itdiscuss] Group policy statement
Yep. Just set up the policy for the OU(s) that your workstations are in and make sure there aren’t any servers in the same OU(s). Keep in mind that you can link GPOs to more than one OU.
Bill Lloyd
IT Manager
2567 Athens Hwy.
Gainesville, GA 30507
Phone: 770-417-1604 Ext.: 250
Fax: 770-417-1747
Cell: 404-379-6963
blloyd at buskercom.com
This email and any accompanying attachments may contain confidential and proprietary information. If you are not the intended recipient, you are requested to delete this entire communication immediately. Emails cannot be guaranteed to be secure or free of errors or viruses. The sender does not accept any liability or responsibility for any problems that may result from emails you receive.
From: discuss-bounces at itdiscuss.org [mailto:discuss-bounces at itdiscuss.org] On Behalf Of Steve Huffman
Sent: Thursday, November 19, 2009 10:43 AM
To: IT Discussion Forum
Subject: [itdiscuss] Group policy statement
Is there a way to force autoupdates on your workstations but exempt your servers in group policy? I don’t want my servers to reboot on their own ☺
Steve
Steve Huffman
Network Administrator
Blackhawk Church
shuffman at blackhawkchurch.org
http://www.BlackhawkChurch.org
608.828.4200
_______________________________________________
it discuss mailing list: discuss at itdiscuss.org
Mailing List: http://itdiscuss.org/discuss
Internet Relay Chat: irc://irc.freenode.net/citrt