In-Depth
Group Policy DOs and DON’Ts
Group policy can make your life as an administrator blissful or stressful.
Learn from one expert’s experiences what works with group policies, and what doesn’t.
- By Jeremy Moskowitz
- June 01, 2004
I want a time machine. If I had a time machine, I’d go back in time and
tell my younger self about the way the world works, the way computers
work, and also that I’d be writing for
MCP Magazine. (I’d never
believe me, even if I heard it from my future self.)
Life with group policy is the same way. If you could know
now what you could only learn from experience, you’d be way ahead of the
game. That’s what this article is about: some specific things you should
and shouldn’t do when working with the Active Directory gift of group
policy.
DO! Download, Install and Use the GPMC
The number one thing you should do, right now, is download and install
the Group Policy Management Console at www.microsoft.com/grouppolicy.
MCP Magazine has covered the GPMC pretty thoroughly in the March
2004 article, “Group Policy Strategy and Tactics,” and the October 2003
article, “Lighten Up the Group Policy Load.”
It’s the best way to manage your AD Group Policy environment, it’s free,
and it can manage either Windows 2000 Server or Windows Server 2003 AD
or a mixture. The only requirements? Just one Windows XP or Windows 2003
machine in the environment to load the GPMC bits on, and you’re in business.
DO! Make an Immediate Backup of GPOs
Once the GPMC is loaded, you can do something you’ve likely been meaning
to do for quite some time: Get a very accurate backup of your group policy
environment. It doesn’t matter if you’ve already deployed 100 GPOs or
just have the two default GPOs (Default Domain Controllers and Default
Domain Policy) swimming around in the domain—taking a backup now can save
your bacon if trouble appears. Fire up the GPMC and drill down in Group
Policy Management | {Your Forest} | {Your domain} | Group Policy Objects.
Then simply right-click over that Group Policy Objects node and select
“Back up All…” as seen in Figure 1.
Figure 1. Make backing up your GPOs a high priority.
When you do, you’ll be asked precisely where to store this backup. When
you perform the backup, simply select a secure backup storage location.
The GPMC will do the rest, backing up each and every GPO for safekeeping.
If you need to restore a GPO, select Manage Backups.
DON'T! Deploy GPOs Without Testing
This is one of the top mistakes admins can make when rolling out GPOs.
While implementing GPOs, there are a bazillion settings you can Enable,
Disable or leave unconfigured. Some policies, such as Internet Explorer
maintenance, Software Restriction Policies and Restricted Groups can be
especially tricky to work with. Without fully testing your GPOs before
deployment, you could be in a world of hurt when a policy setting affects
one, 10 or 10,000 client machines in a way you don’t expect. When implementing
a policy setting, of course, do read the “Explain” text that describes how
it works. However, that’s not a guarantee that it will, indeed, work in
that capacity. That’s precisely what service packs have adjusted over
the years. Those problems are few and far between, but without testing
first, you don’t know what to expect in production. In order of precedence,
you would ideally first test your GPOs in a separate domain (or test forest).
If you don’t have a full test lab, you could alternatively just set up
an OU and link the GPOs you want to test to that OU. Once tested, you
can be more confident in linking that GPO to a location in production.
DON'T! Perform Cross-Domain and Cross-Site GPO Linking
One of the biggest mistakes group policy admins can make is to have users
and computers mistakenly download and process a GPO stored in another
domain. This can happen in multiple ways. The three most common are:
1. The administrator uses the old-school interface to create a GPO linked
to a site. When he does this, the interface will simply link the GPO to
the root domain.
2. The administrator uses the GPMC to link to an existing GPO. This GPO is
simply in another domain. The administrator doesn’t think twice about
the consequences.
3. The administrator uses the GPMC to drag and drop a GPO from one domain
to another. On the surface, this looks like it’s a copy operation—but,
in reality, it’s a cross-domain link.
In all cases, the result is the same. Imagine this scenario: There are two domains—Demo.com and China.demo.com. If there are GPOs that determine the Site policies for New York, they’re contained (by default) within domain controllers in the root domain (in this case, China.) But remember: The users who need that GPO are in the New York site. That means the computers for users in New York need to contact a DC in China to grab the GPOs from across the WAN in order to process them!
To verify what domain a specific GPO is actually stored in, click the
GPO and select the Details tab. The Domain field will verify that the
GPO is actually contained within the domain you want.
DO! Take Advantage of the Scripting Interface
I’m not a scripting wizard by any stretch of the imagination. But I do
know a good thing when I see it. And the built-in scripts that ship with
the GPMC are hidden nuggets of treasure waiting to be explored.
When the GPMC is loaded on a computer, these scripts are loaded along
with it. They’re located in C:\Program Files\GPMC\scripts, and I think
you’ll find them quite useful. Indeed, the “FindSOMsWithExternalGPOLinks.WSF”
can help you root out any cross-domain links as described in the previous
DON’T. Figure 2 shows where external links from two GPOs from widgets.corp.com
are being used within the corp.com domain. If the corp.com had 500 GPOs,
it could take hours to track down this information manually. With this
script, it takes seconds.
Figure 2. Using a simple script like this one, an hours-long search is reduced to seconds.
The good news about the scripting interface is that you can do just about
everything in a script you can do in the GPMC itself—except one thing.
The only thing you can’t do is to manipulate the policy settings inside
a GPO. That’s the breaks for this implementation; but I suspect that will
change and additional ability to script inside the GPO will be available
in the future.
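The check that FindSOMsWithExternalGPOLinks.WSF performs (and the cross-domain links the previous DON’T warns about) can be reproduced from the raw gPLink attribute that sites, domains and OUs carry in Active Directory. The script below is an added example, not one of the GPMC scripts and not the author’s code; it runs offline against a constructed sample of gPLink values, and the GPO GUIDs and OU names in that sample are made up.

```python
import re
from dataclasses import dataclass

# gPLink, the AD attribute holding a site's, domain's or OU's GPO links, is a
# string of the form [LDAP://<GPO DN>;<flags>][LDAP://<GPO DN>;<flags>]...
# flags bit 0 = link disabled, bit 1 = enforced (No Override).
GPLINK_RE = re.compile(r"\[LDAP://([^;\]]+);(\d+)\]", re.IGNORECASE)


def dns_domain_of(dn: str) -> str:
    """Join the DC= components of a DN into a DNS name (GPO DNs contain no escaped commas)."""
    dcs = [p.split("=", 1)[1] for p in dn.split(",") if p.strip().upper().startswith("DC=")]
    return ".".join(dcs).lower()


@dataclass
class GPOLink:
    som_dn: str        # the site, domain or OU that carries the link
    gpo_dn: str        # the GPO's own DN, which names the domain that stores it
    disabled: bool
    enforced: bool

    @property
    def external(self) -> bool:
        # Cross-domain when the GPO is stored in a different domain than the SOM.
        # For a site (CN=...,CN=Sites,CN=Configuration,DC=...) the DC= components
        # are the forest root domain, which is where site GPOs sit by default.
        return dns_domain_of(self.gpo_dn) != dns_domain_of(self.som_dn)


def parse_gplink(som_dn: str, gplink: str) -> list[GPOLink]:
    return [GPOLink(som_dn, gpo_dn, bool(int(f) & 1), bool(int(f) & 2))
            for gpo_dn, f in GPLINK_RE.findall(gplink)]


def find_external_links(soms: dict[str, str]) -> list[GPOLink]:
    """soms maps each SOM's DN to its gPLink value, as read from AD."""
    return [link for som_dn, gplink in soms.items()
            for link in parse_gplink(som_dn, gplink) if link.external]


# Constructed sample: an OU in corp.com linking one local GPO and one GPO stored
# in the child domain widgets.corp.com (all GUIDs made up).
SAMPLE_SOMS = {
    "OU=Sales,DC=corp,DC=com":
        "[LDAP://cn={11111111-1111-1111-1111-111111111111},cn=policies,cn=system,DC=corp,DC=com;0]"
        "[LDAP://cn={22222222-2222-2222-2222-222222222222},cn=policies,cn=system,DC=widgets,DC=corp,DC=com;2]",
    "OU=Servers,DC=corp,DC=com":
        "[LDAP://cn={11111111-1111-1111-1111-111111111111},cn=policies,cn=system,DC=corp,DC=com;1]",
}

if __name__ == "__main__":
    for link in find_external_links(SAMPLE_SOMS):
        print(f"{link.som_dn} -> {link.gpo_dn} (enforced={link.enforced}, disabled={link.disabled})")
```

Against a real domain you would feed the function the DN and gPLink of every site, domain and OU, which any LDAP client can read; a GPO whose DC= components differ from those of the container linking it is the cross-WAN fetch described in the previous DON’T.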
A Final DO! and DON'T!
In the words of the immortal Douglas Adams: “DON’T Panic!” Especially if
Group Policy seems overwhelming. It’s a big, big, big world inside the
GPMC and an even bigger world inside the Group Policy Object editor. DO
get some training on Group Policy if you can, from a reputable source.