Design considerations for Group Policy

Hello All,

Hope this post finds you in good health and spirit.

This post covers best practices for Group Policy deployment in Active Directory Domain Services.

The following should be considered when designing group policies.

  • Do not modify the default domain and domain controller policies: Use the default policies for password-related policy only. For baseline settings, use another group policy and link it to the domain and the domain controller OU.
  • Implement straightforward policies for easy troubleshooting: Minimize Block Inheritance, No Override and filtering, so it is easier to find the source of a specific setting.
  • Use a GPO naming convention: Do not give an arbitrary name to a group policy; the name should be based on the group policy setting and scope. For example, if you are creating a group policy for client machines and applying it to specific computers, follow the GPO naming convention below. This is one example of a client-related GPO naming convention.


Example – CL-C-BaselineConfig-FA

CL– Client machines

U– User Settings

C– Computer settings

FA/FD/WMI– Filter apply and denied

ST– Site

SVR– Server

DC– Domain Controller

  • GPO setting name: Give a name that indicates the GPO configuration. If the GPO is related to the computer baseline, use BaselineConfig in the GPO name.
  • FA/FD/WMI: Filter apply or Filter denied. If you are going to apply the GPO to specific computers or users, use FA at the end of the group policy name. This indicates that the GPO is filter applied, meaning it applies only to a set of users instead of all.
  • Minimize linking: There is a chance of deleting the original GPO without seeing who else is using it. Minimize linking for simplicity.
  • Disable the unused part of a group policy object: A group policy has two components, Computer and User configuration. If one of them contains only settings that are Not configured, avoid processing those settings by disabling the unused configuration.
  • Minimize the number of GPOs applied to a user or computer: It is better to include many settings in a single GPO than to create multiple GPOs. Microsoft suggests that one GPO with 100 settings will process faster than 100 GPOs each with one setting.
  • Avoid linking GPOs between domains: Linking GPOs across domains has an impact on the processing of policies, which results in slower user logons.
  • Minimize filtering: To keep your environment simple, try to minimize filtering.

Note: If you have several GPOs for a container, whichever GPO is on top will be applied first. If you want, you can move GPOs up and down.

Note: If there is a conflict between two GPOs of the same container, the last applied GPO will be effective, i.e., the bottom one will take effect.
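
As an added example (not part of the original post), the PowerShell function below checks GPO objects against two of the points above: the naming convention and disabling the unused half of a GPO. The name pattern, the function name Test-GpoDesign and the sample objects are assumptions made for illustration.

```powershell
function Test-GpoDesign {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        $Gpo,
        # Assumed layout: <Scope>-<U|C>-<SettingName>[-<FA|FD|WMI>]
        [string]$NamePattern = '^(CL|SVR|DC|ST)-(U|C)-[A-Za-z0-9]+(-(FA|FD|WMI))?$'
    )
    begin { $defaults = 'Default Domain Policy', 'Default Domain Controllers Policy' }
    process {
        $findings = @()
        # The two built-in policies keep their names, so they are exempt from the name check.
        if (($Gpo.DisplayName -notin $defaults) -and ($Gpo.DisplayName -cnotmatch $NamePattern)) {
            $findings += 'Name does not follow the convention'
        }
        # Heuristic: DSVersion 0 means that half of the GPO has never been edited.
        $status = [string]$Gpo.GpoStatus
        if (($Gpo.User.DSVersion -eq 0) -and ($status -notin 'UserSettingsDisabled', 'AllSettingsDisabled')) {
            $findings += 'User configuration is unused but enabled'
        }
        if (($Gpo.Computer.DSVersion -eq 0) -and ($status -notin 'ComputerSettingsDisabled', 'AllSettingsDisabled')) {
            $findings += 'Computer configuration is unused but enabled'
        }
        [pscustomobject]@{
            Name     = $Gpo.DisplayName
            Findings = $(if ($findings) { $findings -join '; ' } else { 'OK' })
        }
    }
}

# Constructed sample objects carrying the Get-GPO properties that the function reads.
$sample = @(
    [pscustomobject]@{ DisplayName = 'CL-C-BaselineConfig-FA'; GpoStatus = 'UserSettingsDisabled'
                       User = @{ DSVersion = 0 }; Computer = @{ DSVersion = 12 } }
    [pscustomobject]@{ DisplayName = 'New Group Policy Object'; GpoStatus = 'AllSettingsEnabled'
                       User = @{ DSVersion = 0 }; Computer = @{ DSVersion = 3 } }
    [pscustomobject]@{ DisplayName = 'SVR-C-AuditPolicy'; GpoStatus = 'AllSettingsEnabled'
                       User = @{ DSVersion = 0 }; Computer = @{ DSVersion = 5 } }
)
$sample | Test-GpoDesign | Format-Table -AutoSize -Wrap

# In a domain, with the GroupPolicy module loaded: Get-GPO -All | Test-GpoDesign
```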

So, that's all in this blog. I will meet you soon with the next stuff. Have a nice day!!!

Guys, please don't forget to like and share the post. You can also share feedback on the below Windows Techno email ID.

If you have any questions feel free to contact us on also follow us on facebook@windowstechno to get updates about new blog posts.
