This is the most thorough guide to group policy best practices on the web.
In this guide, I’ll share my recommended group policy settings and GPO management tips. These best practices will simplify GPO management, improve security, and GPO performance.
Warning: Group Policy is not a one size fits all. Every Active Directory environment is different and there is no cookie-cutter solution for group policy. It is best to plan and test any changes to group policy before rolling it out to all systems. One small change could lead to major issues and impact critical business services.
List of Group Policy Best Practices
I recommend reading the full list below as some best practices may not make sense unless you read them all.
1. Do Not Modify the Default Domain Policy
This GPO should only be used for account policy settings, password policy, account lockout policy, and Kerberos policy. Any other settings should be put into a separate GPO. The Default Domain Policy is set at the domain level so all users and computers get this policy. The Default Domain Policy is linked to the root of the domain.
When you put multiple GPO settings into the default domain policy it becomes very difficult to troubleshoot and control GPO settings. It can also impact performance if the GPO has too many settings and every user and computer has to process them. It is best to use small GPOs (see tip #12) than to stuff everything into one big GPO.
2. Do Not Modify the Default Domain Controller Policy
This GPO should only contain the User Rights Assignment Policy and Audit Policy. Any other settings to the Domain Controllers should be set in a separate GPO.
The Default Domain Controller policy is linked to the Domain Controller OU.
3. Good Organizational Unit (OU) Design Will Make Your Job 10x Easier
A good OU design makes it easier to apply and troubleshoot group policy. It is best to create an OU for computers and a separate OU for users. Then create sub-OUs on how you want to manage your objects. I typically organize objects by department and functionality.
Example OU design:
Putting users and computers in separate OUs makes it easier to apply computer policies to all the computers and user policies to only the users.
4. Do Not Set GPOs at the Domain Level
The only GPO that should be set at the domain level is the Default Domain Policy. Anything set at the domain level will get applied to all user and computer objects. This could lead to all kinds of settings getting applied to objects that you don’t want. It’s better to apply the policies at a more granular level.
5. Apply GPOs to The Root OU
Applying GPOs at the root of an OU will allow the sub-OUs to inherit these policies. This way you don’t need to link a policy to each individual OU.
If you want to exclude OUs or a group of users you have a few options.
- Use GPO Security Filtering – Best option.
- Use Item-level targeting
- Apply a GPO to the group that disables the policy.
Exclude Users using GPO Security Filtering.
Let’s look at an example. I have GPO that disables saving passwords in the Chrome browser, the GPO is linked to all users.
What if I have users in various departments that I don’t want this policy applied to? The solution is to use GPO security filtering.
I create a security group, add users to the group, and then deny this group from applying the group policy. Now all users will get the GP except the users in the security group.
6. Avoid Using Blocking Policy Inheritance and Policy Enforcement
If you have a good OU structure then you can most likely avoid the use of blocking policy inheritance and using policy enforcement. I find it much easier to manage and troubleshoot group policies knowing neither of these is set in the domain.
7. Don’t Disable GPOs
If a GPO is linked to an OU and you don’t want it to be, delete it instead of disabling it. Deleting the link from an OU will not delete the GPO, it just removes the link from the OU. Disabling the GPO will stop it from being processed entirely on the domain, and this could cause problems.
8. Use Descriptive GPO Names
Being able to quickly identify what a GPO is for based on the name will make group policy administration much easier. Giving the GPOs a generic name like “laptop settings” is too generic and will confuse people. It will also invite other admins to just dump any and all settings into a single GPO. Before are some descriptive GPO names:
- User – Browser Settings
- User – Office 365 Settings
- User – Block PowerShell
- Computer – Screen Lock On
- Computer – install Adobe
Just by looking at the above GPO names, you have a pretty good idea of what they are used for.
9. Speed Up GPO Processing by Disabling Unused Computer and User Configurations
For example, I have a GPO called browser settings, it only has computer settings configured and no user settings so, I have disabled the User configuration for this GPO. This will speed up group policy processing.
To disable the computer or user configuration of a GPO:
- Browse to Group Policy Objects
- Right Click a GPO and select GPO Status
- Select one of the options.
10. Use Loopback Processing for Specific Use Cases
Loopback processing, in a nutshell, takes user settings and limits those settings to a computer the GPO is applied to. It is very useful but can also cause issues if used incorrectly. A common use of loopback processing is on terminal servers and Citrix servers. Users are logging into a server and you need specific user settings applied when they log into only those servers. You would need to create a GPO, enable loopback processing and apply it to the OU that has the servers in it.
11. Group Policy Change Management
Group policy can get way out of control if you let all your administrators make changes as they feel necessary.
Change management can be dreadful and it can really slow projects down.
I’m not saying all group policy changes should go through a formal change management process but they should be discussed with management and documented.
One little GPO change could send a flood of calls to the helpdesk. It happens, so it’s best to discuss and document changes to GPOs.
12. Use Small GPOs to Simplify Administration
It can be easy to fall into the trap of stuffing everything into one GPO.
I’m guilty of this too and it becomes a giant headache to manage.
There really is no reason to do this, many small GPOs do not affect performance. Small GPOs make troubleshooting, managing, designing, and implementing 10x easier.
Here are some ways to split up GPOs into smaller policies:
- Browser Settings
- Security Settings
- Power Settings
- Microsoft Office Settings
- Network Settings
- Drive Mappings
- Power Settings
- Firewall rules
- and so on…..
13. Best Practices for Group Policy Performance
Here are some settings that can cause slow startup and logon times.
- Login scripts downloading large files
- Startup scripts downloading large files
- Mapping home drives that are far away
- Deploying huge printer drivers over group policy preferences
- Overuse of group policy filtering by AD group membership
- Using excessive WMI filters
- Lots and lots of GPOs linked to a user or computer over a slow link.
14. Group Policy Troubleshooting Tips
Know how to use the RSop and gpresult commands to verify and troubleshoot group policy. When troubleshooting you need a way to verify that GPOs are getting applied and check exactly what policies are applied. These two commands are a huge lifesaver. I’ve written a complete how-to article for each command so be sure to check them out.
15. Backup GPOs
If you are not backing up Active Directory or doing system state backup then you need to start backing up your GPOs. You may need to recover a deleted GPO or restore the settings from existing GPOs. See my complete guide on how to backup and restore group policy objects.
To learn more about group policy check out my ultimate guide to group policy management.
I hope you found this article helpful if you have any group policy questions leave a comment below.