What to do With Your Group Policies

Group Policies are common and easy to use, but in the old days there were only a few GPOs; now there is a setting for every checkbox in Windows.

Say you have 3000 GPOs in your Windows 2003 native AD, with 8 domain controllers in three locations, and everybody is creating and editing these GPOs. How do you manage this? Everyone does it in their own way: one on a Windows XP desktop with SP1, another on SP2 or SP3, others on the DCs and others on the servers. Which ADM file version is in use, and what happens to the GPO if there are different languages in the domain?

I think this is common in most networks, and that is why you have to think about it. Make sure that not all system engineers are able to edit the GPOs, and that GPO management is done from one location: a GPO server.

Enhancing Group Policy through change management

Advanced Group Policy Management (AGPM): Microsoft Advanced Group Policy Management (AGPM), a core component of the Microsoft Desktop Optimization Pack for Software Assurance, makes it easier for IT organizations to keep enterprise-wide desktop configurations up to date, enabling greater control, less downtime, and reduced total cost of ownership (TCO).

A Tour of Advanced Group Policy Management

This white paper is an overview of Microsoft Advanced Group Policy Management (AGPM).

So now that you have set up the AGPM server, take a peek in the SYSVOL: almost 4000 MB of just ADM files!

No wonder logon times are long. So remember: use only the templates that are needed; by default this is not the case.

How do we fix this? First we take a look at the GPO and see whether it is a computer GPO, a user GPO, or both.

If it is a computer GPO you do not need the user configuration, so we can turn this off.

Just set one checkbox or none (not both).

Now we go inside the GPO and check the templates as shown below. If it is a security setting only, you don't need templates at all, so remove the files.

Now that we have fixed this, the size is down a lot: cleaned up from 4000 MB to 450 MB. But what about the replication?

Yes, the files are in the SYSVOL, and with every change the whole thing gets replicated between the DCs!

We are using a single server for management, and only there do we use the templates. On that server we always use the latest ADM files, and not all admins have access to it. Great, but what about the replication? Did you know you can filter it?

No, this is not the Sites and Services MMC; it is in the Users and Computers MMC.

Make sure you run the MMC with Advanced Features enabled, go to the FRS, Domain System Volume, and check the properties. Add *.ADM to the file filter and you are ready to go.

Make a good backup of the SYSVOL folder. Now you can delete the ADM files on the DCs that do not hold the AGPM, or, if you use a member server for AGPM, make sure only one DC has the ADM files. Use the server that holds the FSMO roles; for performance reasons the FSMO roles are all on the same DC. Just make sure the roles can be moved to other DCs.
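As an added example (not part of the original post and not AGPM's own tooling), here is a read-only PowerShell audit that does the checks from the steps above in one pass: which GPOs still have both halves enabled although only one half was ever edited, how many megabytes of ADM files each GPO keeps in SYSVOL, and whether *.ADM is already excluded from FRS replication. It assumes the GroupPolicy and ActiveDirectory RSAT modules, read access to the SYSVOL share, and that the FRS file filter is stored in the fRSFileFilter attribute of the SYSVOL replica-set object under CN=System (that attribute name is an assumption about the FRS schema, not something the post states).

```powershell
# Added audit example, not from the original post or from AGPM.
# Read-only: it reports, it never changes or deletes anything.
# Assumes GroupPolicy + ActiveDirectory RSAT modules and read access to SYSVOL.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$domain   = Get-ADDomain
$policies = "\\$($domain.DNSRoot)\SYSVOL\$($domain.DNSRoot)\Policies"

$report = foreach ($gpo in Get-GPO -All) {
    # Each GPO keeps its templates in Policies\{GUID}\Adm; no folder means no ADM files.
    $admPath  = Join-Path $policies "{$($gpo.Id)}\Adm"
    $admFiles = @()
    if (Test-Path $admPath) { $admFiles = @(Get-ChildItem $admPath -Filter *.adm -File) }
    $admBytes = ($admFiles | Measure-Object Length -Sum).Sum
    if (-not $admBytes) { $admBytes = 0 }

    # DSVersion stays 0 for a half that has never been edited, so a GPO with
    # User.DSVersion 0 but both halves enabled is a candidate for
    # "disable User Configuration" (and vice versa for Computer).
    if ($gpo.GpoStatus -ne 'AllSettingsEnabled') {
        $hint = 'already restricted to one half'
    } elseif ($gpo.User.DSVersion -eq 0 -and $gpo.Computer.DSVersion -gt 0) {
        $hint = 'computer-only: disable User Configuration'
    } elseif ($gpo.Computer.DSVersion -eq 0 -and $gpo.User.DSVersion -gt 0) {
        $hint = 'user-only: disable Computer Configuration'
    } else {
        $hint = 'both halves edited'
    }

    [pscustomobject]@{
        Name            = $gpo.DisplayName
        Status          = $gpo.GpoStatus
        ComputerVersion = $gpo.Computer.DSVersion
        UserVersion     = $gpo.User.DSVersion
        AdmFiles        = $admFiles.Count
        AdmMB           = [math]::Round($admBytes / 1MB, 2)
        Hint            = $hint
    }
}

# Biggest ADM consumers first; these are the GPOs whose templates replicate on every change.
$report | Sort-Object AdmMB -Descending | Format-Table -AutoSize
$totalMB = [math]::Round(($report | Measure-Object AdmMB -Sum).Sum, 1)
"{0} GPOs, {1} MB of ADM files in SYSVOL" -f $report.Count, $totalMB

# Is *.ADM already excluded from FRS replication? The filter is kept on the
# SYSVOL replica-set object (objectClass nTFRSReplicaSet, attribute fRSFileFilter;
# both names are assumptions about the FRS schema, not from the post).
$frs = Get-ADObject -LDAPFilter '(objectClass=nTFRSReplicaSet)' `
    -SearchBase "CN=System,$($domain.DistinguishedName)" -Properties fRSFileFilter
foreach ($set in $frs) {
    $filtered = $set.fRSFileFilter -match '\*\.adm'
    "{0}: file filter = '{1}' -> *.ADM {2}" -f $set.Name, $set.fRSFileFilter,
        $(if ($filtered) { 'is filtered' } else { 'is still replicated' })
}
```

Run it from the management server before and after the clean-up and keep both outputs; the totals give you the same before/after numbers the post quotes, and the last lines confirm the FRS filter took effect. Once *.ADM is filtered, edits to template files on one DC no longer reach the others, which is exactly why the post keeps a single copy on the DC that serves AGPM.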

Test this in your lab and see if it can work for you. Here it saved a lot of time; editing GPOs from one place is a bit of a pain, but in a few weeks nobody remembers how it was in the past.

Posted June 23, 2010 by Robert Smit in Security
