Group Policy Best Practices

This is the most thorough guide to group policy best practices on the web.

I understand:

Group policy can get complicated and hard to troubleshoot when you have multiple GPOs applied across the entire domain.

But here’s the kicker:

Implementing group policy is actually very simple.

In this guide, you’ll learn everything you need to know about group policy design and implementation best practices. These are proven tips and techniques that I and many other IT professionals use.

Warning: Group Policy is not one-size-fits-all. Every Active Directory environment is different and there is no cookie-cutter solution for group policy. These best practices have worked well for environments I have managed, but may not work for yours. It is best to plan and test any changes to group policy. One small change could lead to major issues and impact critical business services.

I do recommend reading them all as some may not make sense without further reading.


1. Do Not Modify the Default Domain Policy

This GPO should only be used for account policies settings, password policy, account lockout policy and Kerberos policy. Any other settings should be put into a separate GPO. The Default Domain Policy is set at the domain level so all users and computers get this policy.

2. Do Not Modify the Default Domain Controller Policy

This GPO should only contain User Rights Assignment Policy and Audit Policy. Any other settings to the Domain Controllers should be set in a separate GPO.

3. Good OU Structure Will Make Your Job 10x Easier

Good OU structure makes it easier to apply and troubleshoot group policy. I prefer to separate the users and computers into their own OUs, then create sub OUs for each department or business function.

Example OU structure.

Putting users and computers in separate OUs makes it easier to apply computer policies to all the computers and user policies to only the users.


4. Do not set GPOs at the domain level

The only GPO that should be set at the domain level is the Default Domain Policy. Anything set at the domain level will get applied to all user and computer objects. This could lead to all kinds of settings getting applied to objects that you don’t want. It’s better to apply the policies at a more granular level.

5. Apply GPOs at an OU root level

Applying GPOs at an OU level will allow sub OUs to inherit these policies. This way you don’t need to link a policy to each individual OU. If you have users or computers that you don’t want to inherit a setting, then you can put them in their own OU and apply a policy directly to that OU. Below is an example.

The Windows 10 Settings GPO contains a policy that turns on the screen saver after 30 minutes. This policy is linked at the Winadpro computers OU, so sub OUs will inherit it. I have a training lab that I don’t want this policy applied to, so I created a GPO that disables the screen saver and linked it directly to the Training Lab OU. This directly linked GPO takes precedence over the inherited policies and is the one that gets applied.

6. Avoid Using Blocking Policy Inheritance and Policy Enforcement

If you have good OU structure then you can most likely avoid using Block Inheritance and Enforced links. I find it much easier to manage and troubleshoot group policies knowing neither of these is set in the domain.
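One way to check a domain for the patterns tips 4, 5 and 6 advise against (GPOs linked at the domain root other than the Default Domain Policy, OUs with Block Inheritance set, and Enforced links). This is an added example, not code from the original post; it assumes the RSAT GroupPolicy and ActiveDirectory modules are installed and the account has read access to the domain.

```powershell
# Added example: report domain-level links, blocked inheritance and enforced links.
Import-Module GroupPolicy
Import-Module ActiveDirectory

function Get-GpoDesignFindings {
    param([string]$Domain = (Get-ADDomain).DNSRoot)

    $root     = (Get-ADDomain -Identity $Domain).DistinguishedName
    $findings = New-Object System.Collections.Generic.List[object]

    # Tip 4: anything other than the Default Domain Policy linked at the domain root
    foreach ($link in (Get-GPInheritance -Target $root -Domain $Domain).GpoLinks) {
        if ($link.DisplayName -ne 'Default Domain Policy') {
            $findings.Add([pscustomobject]@{
                Container = $root; Gpo = $link.DisplayName; Finding = 'Linked at domain level'
            })
        }
    }

    # Tips 5/6: Block Inheritance and Enforced links on every OU in the domain
    foreach ($ou in Get-ADOrganizationalUnit -Filter * -Server $Domain) {
        $inh = Get-GPInheritance -Target $ou.DistinguishedName -Domain $Domain
        if ($inh.GpoInheritanceBlocked) {
            $findings.Add([pscustomobject]@{
                Container = $ou.DistinguishedName; Gpo = '(n/a)'; Finding = 'Block Inheritance set'
            })
        }
        foreach ($link in $inh.GpoLinks) {
            if ($link.Enforced) {
                $findings.Add([pscustomobject]@{
                    Container = $ou.DistinguishedName; Gpo = $link.DisplayName; Finding = 'Link is Enforced'
                })
            }
        }
    }
    return $findings
}

# Report only; nothing is changed. Review each finding against the OU design before acting on it.
Get-GpoDesignFindings | Format-Table -AutoSize
```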

7. Don’t Disable GPOs

If a GPO is linked to an OU and you don’t want it to be, remove the link instead of disabling the GPO. Deleting the link from an OU does not delete the GPO; it just removes the link from that OU. Disabling the GPO stops it from being processed everywhere it is linked in the domain, which could cause problems.

8. Use Descriptive GPO Names

Being able to quickly identify what a GPO does based on its name will make group policy administration much easier. A generic name like “laptop settings” is too vague and will confuse people. Some good examples are Browser Settings, Power Settings, MS Office Policies, Screen Saver Off and Citrix Receiver. These are all descriptive, and one look at the name gives you a good idea of what that policy does.

9. Speed up GPO processing by disabling unused computer and user configurations

For example, I have a GPO called Browser Settings that only has computer settings configured and no user settings, so I have disabled the User Configuration for this GPO. This speeds up group policy processing because clients skip the empty half.
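To find GPOs where one half is still enabled but has never been edited, and optionally disable that half, here is an added example (not code from the original post). It relies on the AD and SYSVOL version counters exposed on the GPO object; the assumption is that a counter of 0 for a half means nobody ever configured it.

```powershell
# Added example: report (and with -Fix, disable) unused user or computer halves of GPOs.
Import-Module GroupPolicy

function Get-GpoUnusedHalf {
    param([switch]$Fix)   # without -Fix the function only reports

    foreach ($gpo in Get-GPO -All) {
        # Assumption: both version counters at 0 means that half was never modified
        $userEmpty = ($gpo.User.DSVersion -eq 0 -and $gpo.User.SysvolVersion -eq 0)
        $compEmpty = ($gpo.Computer.DSVersion -eq 0 -and $gpo.Computer.SysvolVersion -eq 0)

        $newStatus = $null
        if ($userEmpty -and $gpo.User.Enabled -and -not $compEmpty) {
            $newStatus = 'UserSettingsDisabled'
        } elseif ($compEmpty -and $gpo.Computer.Enabled -and -not $userEmpty) {
            $newStatus = 'ComputerSettingsDisabled'
        }
        if (-not $newStatus) { continue }   # both halves used, or already disabled

        [pscustomobject]@{
            Gpo       = $gpo.DisplayName
            Current   = $gpo.GpoStatus
            Suggested = $newStatus
        }
        if ($Fix) {
            # GpoStatus is a writable property on the object returned by Get-GPO
            $gpo.GpoStatus = $newStatus
        }
    }
}

Get-GpoUnusedHalf | Format-Table -AutoSize    # report only
# Get-GpoUnusedHalf -Fix                       # apply after reviewing the report
```

A GPO with a client-side extension that writes settings outside the usual version bump is not caught by the counters, so treat the report as a starting point and verify in the GPMC before applying -Fix.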


10. Use Loopback processing for specific use cases

Loopback processing, in a nutshell, takes user settings and limits them to the computers the GPO is applied to. It is very useful but can also cause issues if used incorrectly. A common use of loopback processing is on terminal servers and Citrix servers: users log into a server and you need specific user settings applied only when they log into those servers. To do this, create a GPO, enable loopback processing in it, add the user settings, and link it to the OU that contains the servers.
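The terminal server scenario above, as an added example that is not part of the original post: create the loopback GPO, set the loopback mode, add a user setting and link it to the server OU only. The GPO name and OU distinguished name are placeholders; it assumes the RSAT GroupPolicy module.

```powershell
# Added example: loopback GPO for an RDS/terminal server OU (placeholder names).
Import-Module GroupPolicy

$gpoName  = 'RDS Servers - User Settings (Loopback Replace)'
$targetOu = 'OU=RDS Servers,OU=Servers,DC=corp,DC=example'   # placeholder OU

$gpo = Get-GPO -Name $gpoName -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $gpoName -Comment 'Loopback: user settings applied only on RDS hosts'
}

# Loopback is a computer-side setting stored under the policy key below.
# UserPolicyMode 1 = Merge (user's own GPOs, then this GPO's user settings), 2 = Replace.
Set-GPRegistryValue -Name $gpoName `
    -Key 'HKLM\Software\Policies\Microsoft\Windows\System' `
    -ValueName 'UserPolicyMode' -Type DWord -Value 2 | Out-Null

# A user setting carried by the same GPO: screen saver timeout (seconds, REG_SZ), 30 minutes
Set-GPRegistryValue -Name $gpoName `
    -Key 'HKCU\Software\Policies\Microsoft\Windows\Control Panel\Desktop' `
    -ValueName 'ScreenSaveTimeOut' -Type String -Value '1800' | Out-Null

# Link to the server OU only, never to the users' OU; skip if the link already exists
$linked = (Get-GPInheritance -Target $targetOu).GpoLinks | Where-Object DisplayName -eq $gpoName
if (-not $linked) {
    New-GPLink -Name $gpoName -Target $targetOu -LinkEnabled Yes | Out-Null
}

# Note: both halves of this GPO are in use (loopback is a computer setting, the rest are
# user settings), so do not disable either configuration on it as tip 9 suggests elsewhere.
```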

11. Implement change management for group policy

Group policy can get way out of control if you let all your administrators make changes as they feel necessary.

Change management can be dreadful and it can really slow projects down.

I’m not saying all group policy changes should go through a formal change management process but it should be discussed with management and documented.

One little GPO change could send a flood of calls to the helpdesk. It happens, so it’s best to discuss and document changes to GPOs.

12. Use small GPOs to simplify administration

It can be easy to fall into the trap of stuffing everything into one GPO.

I’m guilty of this too,

and it becomes a giant headache to manage.

There really is no reason to do this; having many small GPOs does not affect performance. Small GPOs make troubleshooting, managing, design, and implementation 10x easier.

Here are some ways to break out GPOs into smaller policies:

  • Browser Settings
  • Security Settings
  • Power Settings
  • Microsoft Office Settings
  • Network Settings
  • Drive Mappings

13. Best practices for Group Policy Performance

Here are some settings that can cause slow startup and logon times.

  • Login scripts downloading large files
  • Startup scripts downloading large files
  • Mapping home drives that are far away
  • Deploying huge printer drivers over group policy preferences
  • Overuse of group policy filtering by AD group membership
  • Using excessive WMI filters
  • Lots and lots of GPOs linked to a user or computer over a slow link.

For more group policy performance tips check out this great video by Jeremy Moskowitz: Group Policy: Notes from the Field.

I hope you found this article helpful. If you have any group policy questions, leave a comment below.

Recommended Tool: SolarWinds Server & Application Monitor (SAM)

This utility was designed to monitor Active Directory and other critical applications. It will quickly spot domain controller issues, prevent replication failures, track failed logon attempts and much more.

What I like best about SAM is its easy-to-use dashboard and alerting features. It also has the ability to monitor virtual machines and storage.


37 Comments

  1. sofian on September 27, 2017 at 12:27 am

    Awesome guide! Thanks Mug!

    • mug on September 27, 2017 at 12:38 am

      Thanks sofian!

  2. Alex Jimenez on October 31, 2017 at 6:17 pm

    Super Excellent!!!!
    Thank youuuuuu!!

    • mug on November 1, 2017 at 10:51 am

      You’re welcome, Alex.

  3. Thomas on February 27, 2018 at 9:54 am

    Looks great. Thanks for this!

    • Robert Allen on February 27, 2018 at 11:52 am

      Thanks Thomas

  4. Sujeeth on March 21, 2018 at 12:55 am

    This is Brilliant !

    • Robert Allen on March 21, 2018 at 10:51 am

      Thanks Sujeeth

  5. Juan P. Salgado on June 29, 2018 at 3:03 pm

    I’ve improved my AD administration a lot by reading this article!

    Thank you Robert!

    Greetings from México!

    • Robert Allen on June 30, 2018 at 8:36 pm

      Juan,

      Greetings! Each year I seem to pick up a few good tips, I’m happy to share them.

  6. Senthil R (IBM India) on July 22, 2018 at 9:14 pm

    really awesome

    • Robert Allen on August 12, 2018 at 12:12 am

      Thanks Senthil. I hope you were able to put some of these tips to use.

  7. Abhilash on August 22, 2018 at 5:31 am

    Could you elaborate a little more on why we need multiple gpos linked to an ou? Or are all the reasons there are?

    • Robert Allen on August 22, 2018 at 12:45 pm

      Abhilash,

      I suggest grouping similar policies into their own GPO as opposed to stuffing them into one big GPO. This will make troubleshooting, managing and applying policies much easier. I’ll give an example of turning the screensaver timeout on all the computers. If I put this policy into, say, the default domain policy it would get applied to all computers. Now if someone requests this policy be turned off on some specific computers there is no easy way to do that. If the screensaver policy was its own GPO then it becomes easy to filter it out for specific users and computers. It also makes it easier to report and see what policies you have when they are broken out. Does that make sense?

  8. rajiv patel on August 30, 2018 at 6:55 am

    Great tips, I am installing AD, DHCP and DNS for a new organisation and this will definitely help in my planning and configuration. Please also share tips on DNS and DHCP if possible.

    • Robert Allen on August 31, 2018 at 11:18 am

      Hi Rajiv,

      I’ll be working on a best practice guide for DHCP and DNS soon. Stay tuned.

  9. sintayehu on November 14, 2018 at 11:06 am

    very supporting

  10. Maani on January 13, 2019 at 1:30 pm

    Nice tips, doing some already, but got some new also

    • Robert Allen on January 18, 2019 at 12:38 am

      Thanks Maani

  11. Hosam alzahrani on February 12, 2019 at 11:42 am

    Thanks A lot for this post

  12. Patrick on February 22, 2019 at 10:33 pm

    Hi Robert,

    I happen to come across your site searching for gpresults and bookmarked it.

    Quickly browsing through the various posts you’ve made, I like the summarized points!

    Complete newbie. I’m looking into tackling group policy and also like the rsop testing article.

    My question is whether to disable or delete the group policy – in some reading I came across a while back, it mentioned to disable a group policy as a precaution (for a period of time). Just in case, something does go wrong.

    Thank you for sharing your knowledge

    Patrick

    • Robert Allen on February 23, 2019 at 2:02 pm

      Not sure I understand your question.

      I would not recommend disabling or deleting the default GPOs or services on domain controllers.

  13. Brian on March 15, 2019 at 2:08 pm

    Thank you this is awesome really!

    • Robert Allen on March 15, 2019 at 6:31 pm

      Thanks Brian

  14. KEVIN on April 10, 2019 at 8:10 am

    Are GPOs better or worse when trying to create an AD structure? Please explain.

    • Robert Allen on May 2, 2019 at 11:45 pm

      Good OU structure is important to implementing GPOs. It helps with properly targeting the right users and computers, troubleshooting and ensuring the policy gets applied. For example, if you want to prevent certain users from creating a PST file in Outlook, the GPO needs to be applied to an OU with those users. If you apply the GPO to an incorrect OU it will either not get applied or get applied to the wrong group of users.

  15. Ruben Sanchez on May 3, 2019 at 11:09 pm

    Great document, thank you

  16. George Guck on May 9, 2019 at 11:48 am

    Robert, I deal with GPO management on a daily basis, in a very large environment. I agree with everything you’ve said. Here are a few things that have helped me tremendously. If you don’t want a GPO to apply to specific users or computers or groups for that matter, you can edit that GPO, go to Properties, Security, add the user, computer or group and select “DENY” apply group policy. Make sure you take advantage of adding comments to your GPOs. Some GPOs are doing a lot and commenting them will help you remember what they do and if there are any special nuances you need to take into consideration.

    • Robert Allen on May 9, 2019 at 12:54 pm

      George great tip. This is a great way to apply GPOs to very specific groups. I need to write a how-to on this, thanks for mentioning this.

    • Baard Hermansen on August 5, 2019 at 5:52 pm

      I find the practice of using Deny to be horrible!
      As soon as there is more than one administrator, or a change of admin employees (new person taking over), that kind of structure becomes rather confusing.
      If you need to use Deny, then you’ve designed the OU structure wrong…

      • Robert Allen on August 16, 2019 at 12:22 pm

        I agree that if it is not documented or communicated it can be a nightmare. But it can also be extremely useful for targeting specific users and computers and to deny it from all users. For example, I have a blanket firewall GPO that all users get for the basic FW settings. I have some users that need FTP on, I create a new security group and only apply this GPO to these users and deny it to all other users. I want to keep all the users in their department OU so moving to another OU is not a good option for this. Targeting a GPO to a security group is great but try not to let it get out of control.

  17. Lewis on June 24, 2019 at 10:15 am

    Best explanation for loopback processing I’ve ever seen. Always slightly confused about what it does. Not anymore 🙂

    • Robert Allen on July 3, 2019 at 11:04 am

      Glad it helped

  18. Andy on July 12, 2019 at 2:48 pm

    What is the best practice for applying a group policy which contains both User and Computer settings?

    Would you apply the policy to both the OU containing the users and the OU containing the computers or would you split the settings into 2 different policies (despite both policies being for the same cause).

    • Robert Allen on July 13, 2019 at 4:25 pm

      I recommend you separate users and computers into their own OU. If that is not an option I would create two GPOs, 1 for the user settings and 1 for the computer settings.

      • Andy on July 15, 2019 at 11:45 am

        Hi Robert.

        I already have separate OUs for Users and Computers. My question was what would you recommend is the best method if you have a GPO which contains settings for both Users and Computers.

        Would you split the Computer and User settings into 2 different GPOs (i.e. even if they are all for Internet settings) or would you apply the same GPO to both the Users and Computers OUs and therefore have a GPO with Computer settings on a User OU and a GPO with User settings on an OU for just computers?

        Thanks,

        Andy

        • Robert Allen on July 15, 2019 at 11:51 am

          Yes, split it into two GPOs, 1 with just user settings and 1 with just the computer settings. Then you can disable the section that is not used.
