Group Policies are common and easy to use, but in the old days there were only a few GPOs; now there are settings for every corner of Windows.
Let's say you have 3000 GPOs in your Windows 2003 native AD. How do you manage that when you have 8 domain controllers in three locations and everybody is creating and editing these GPOs? Everyone does it his own way: one on his Windows XP SP1 desktop, another on SP2 or SP3, others on the DCs and others on the servers. Which version of the ADM files ends up where, and what happens to the GPO when there are different languages in the domain?
I think this is common in most networks, and that is why you have to think about it. Just make sure that not all system engineers are able to edit the GPOs and that GPO management is done from one location, a GPO server.
Enhancing Group Policy through change management
Microsoft Advanced Group Policy Management (AGPM), a core component of the Microsoft Desktop Optimization Pack for Software Assurance, makes it easier for IT organizations to keep enterprise-wide desktop configurations up to date, enabling greater control, less downtime, and reduced total cost of ownership (TCO).
No wonder logon times are LONG. So just remember: use only the templates that are needed. By default this is not the case.
How do we fix this? First we take a look at the GPO and see if it is a computer GPO, a user GPO or both.
If it is a computer GPO you do not need the user configuration, so we can turn that off.
Now we go inside the GPO and check the templates, like below. If it contains only security settings you don't need templates at all, so remove the files.
Yes, the files are in the SYSVOL, and with every change the whole thing gets replicated between the DCs!
We are using a single server for management and only there do we use the templates. On that server we always use the latest ADM files, and not all admins have access to it. Great, but what about the replication? Well, did you know you can filter that?
Make a good backup of the SYSVOL folder. Now you can delete the ADM files on the DCs that do not hold the AGPM, or, if you use a member server for AGPM, make sure only one DC has the ADM files; use the server that holds the FSMO roles (for performance reasons the FSMO roles are all on the same DC). Just make sure the roles can be moved to other DCs.
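Before deleting anything, it helps to see which GPOs actually carry ADM files and which ones have an empty Machine or User half. The read-only PowerShell script below is an added example, not part of the original post; it walks the Policies folder in SYSVOL (the share path is a placeholder for your own domain) and assumes PowerShell 3.0 or later for the -Directory and -File switches.

```powershell
# Added example (not from the original post): inventory each GPO folder in SYSVOL,
# report ADM bloat and flag GPOs where the Machine or User half holds no files.
# The script only reports; it changes nothing. $PoliciesPath is a placeholder.
param(
    [string]$PoliciesPath = '\\contoso.example\SYSVOL\contoso.example\Policies'
)

function Get-GpoFolderReport {
    param([string]$Path)

    # One folder per GPO, named by its GUID, with Adm\, Machine\ and User\ underneath.
    foreach ($gpo in Get-ChildItem -Path $Path -Directory) {
        $admFiles = @(Get-ChildItem -Path (Join-Path $gpo.FullName 'Adm') -Filter '*.adm' -File -ErrorAction SilentlyContinue)
        $admBytes = 0
        foreach ($f in $admFiles) { $admBytes += $f.Length }

        $machine = @(Get-ChildItem -Path (Join-Path $gpo.FullName 'Machine') -Recurse -File -ErrorAction SilentlyContinue)
        $user    = @(Get-ChildItem -Path (Join-Path $gpo.FullName 'User')    -Recurse -File -ErrorAction SilentlyContinue)

        # registry.pol carries the Administrative Template settings a GPO applies;
        # a GPO without one (e.g. security settings only) gains nothing from ADM files.
        $hasRegistryPol = @($machine + $user | Where-Object { $_.Name -ieq 'registry.pol' }).Count -gt 0

        $advice = @()
        if ($machine.Count -gt 0 -and $user.Count -eq 0) { $advice += 'computer-only: disable User Configuration in GPMC' }
        if ($user.Count -gt 0 -and $machine.Count -eq 0) { $advice += 'user-only: disable Computer Configuration in GPMC' }
        if ($admFiles.Count -gt 0 -and -not $hasRegistryPol) { $advice += 'no registry.pol: ADM files not needed here' }

        [pscustomobject]@{
            Gpo          = $gpo.Name
            AdmFiles     = $admFiles.Count
            AdmKB        = [math]::Round($admBytes / 1KB)
            MachineFiles = $machine.Count
            UserFiles    = $user.Count
            Advice       = ($advice -join '; ')
        }
    }
}

# Biggest replication offenders first.
Get-GpoFolderReport -Path $PoliciesPath |
    Sort-Object AdmKB -Descending |
    Format-Table -AutoSize
```

Run it from the management server against the SYSVOL backup copy first; the AdmKB column is roughly what every edit to that GPO pushes through FRS to the other DCs.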
Test this in your lab and see if it works for you. Here it saved a lot of time; the one-place GPO editing is a bit of a pain, but in a few weeks nobody remembers how it was in the past.