In-Depth

Group Policy DOs and DON’Ts

Group policy can make your life as an administrator blissful or stressful. Learn from one expert’s experiences what works with group policies, and what doesn’t.

• By Jeremy Moskowitz
• 06/01/2004

Making your life with group policy is the same way. If you could know now what you could only learn from experience, you’d be way ahead of the game. That’s what this article is about: some specific things you should and shouldn’t do when working with the Active Directory gift of group policy.

DO! Download, Install and Use the GPMC
The number one thing you should do, right now, is download and install the Group Policy Management Console at www.microsoft.com/grouppolicy. MCP Magazine has covered the GPMC pretty thoroughly in the March 2004 article, “Group Policy Strategy and Tactics,” and the October 2003 article, “Lighten Up the Group Policy Load.”

It’s the best way to manage your AD Group Policy environment, it’s free, and it can manage either Windows 2000 Server or Windows Server 2003 AD or a mixture. The only requirements? Just one Windows XP or Windows 2003 machine in the environment to load the GPMC bits on, and you’re in business.

DO! Make an Immediate Backup of GPOs
Once the GPMC is loaded, you can do something you’ve likely been meaning to do for quite some time: Get a very accurate backup of your group policy environment. It doesn’t matter if you’ve already deployed 100 GPOs or just have the two default GPOs (Default Domain Controllers and Default Domain Policy) swimming around in the domain—taking a backup now can save your bacon if trouble appears. Fire up the GPMC and drill down in Group Policy Management | {Your Forest} | {Your domain} | Group Policy Objects. Then simply right-click over that Group Policy Objects node and select “Back up All…” as seen in Figure 1.

Figure 1. Make backing up your GPOs a high priority. (Click image to view larger version.)

When you do, you’ll be asked precisely where to store this backup. When you perform the backup, simply select a secure backup storage location. The GPMC will do the rest, backing up each and every GPO for safekeeping. If you need to restore a GPO, select Manage Backups.

DON'T! Deploy GPOs Without Testing
This is one of the top mistakes admins can make when rolling out GPOs. While implementing GPOs, there are a bazillion settings you can Enable, Disable or leave unconfigured. Some policies, such as Internet Explorer maintenance, Software Restriction Policies and Restricted Groups can be especially tricky to work with. Without fully testing your GPOs before deployment, you could be in a world of hurt when a policy setting affects one, 10 or 10,000 client machines in a way you don’t expect. When implementing a policy setting, of course, do read the “Explaintext” that explains how it works. However, that’s not a guarantee that it will, indeed, work in that capacity. That’s precisely what service packs have adjusted over the years. Those problems are few and far between, but without testing first, you don’t know what to expect in production. In order of precedence, you would ideally first test your GPOs in a separate domain (or test forest). If you don’t have a full test lab, you could alternatively just set up an OU and link the GPOs you want to test to that OU. Once tested, you can be more confident in linking that GPO to a location in production.

DON'T! Perform Cross-Domain and Cross-Site GPO Linking
One of the biggest mistakes group policy admins can make is to have users and computers mistakenly download and process a GPO stored in another domain. This can happen in multiple ways. The three most common are:

The administrator uses the old-school interface to create a GPO linked to a site. When he does this, the interface will simply link the GPO to the root domain.

The administrator uses the GPMC to link to an existing GPO. This GPO is simply in another domain. The administrator doesn’t think twice about the consequences.

The administrator uses the GPMC to drag and drop a GPO from one domain to another. On the surface, this looks like it’s a copy operation—but, in reality, it’s a cross-domain link.

In all cases, the result is the same. Imagine this scenario: There are two domains—Demo.com and China.demo.com. If there are GPOs that determine the Site policies for New York, they’re contained (by default) within domain controllers in the root domain (in this case, China.) But remember: The users who need that GPO are in the New York site. That means the computers for users in New York need to contact a DC in China to grab the GPOs from across the WAN in order to process them!

To verify what domain a specific GPO is actually stored in, click the GPO and select the Details tab. The Domain field will verify that the GPO is actually contained within the domain you want.

DO! Take Advantage of the Scripting Interface
I’m not a scripting wizard by any stretch of the imagination. But I do know a good thing when I see it. And the built-in scripts that ship with the GPMC are hidden nuggets of treasure waiting to be explored.

When the GPMC is loaded on a computer, these scripts are loaded along with it. They’re located in C:\Program Files\GPMC\scripts, and I think you’ll find them quite useful. Indeed, the “FindSOMsWithExternalGPOLinks.WSF” can help you root out any cross-domain links as described in the previous DON’T. Figure 2 shows where external links from two GPOs from widgets.corp.com are being used within the corp.com domain. If the corp.com had 500 GPOs, it could take hours to track down this information manually. With this script, it takes seconds.

Figure 2. Using a simple script like this one, an hours-long search is reduced to seconds. (Click image to view larger version.)

The good news about the scripting interface is that you can do just about everything in a script you can do in the GPMC itself—except one thing. The only thing you can’t do is to manipulate the policy settings inside a GPO. That’s the breaks for this implementation; but I suspect that will change and additional ability to script inside the GPO will be available in the future.

A Final DO! and DON'T!
In the words of the immortal Douglas Adams: “DON’T Panic!” Especially if Group Policy seems overwhelming. It’s a big, big, big world inside the GPMC and an even bigger world inside the Group Policy Object editor. DO get some training on Group Policy if you can, from a reputable source.