Designing Your Group Policy Model
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
Your primary objective is to design the GPO structure based on your business requirements. Keeping in mind the computers and users in your organization, determine which policy settings must be enforced across the organization, as well as which policy settings are applicable to all users or computers. Also determine which settings to use to configure computers or users according to type, function, or job role. Then group these different types of policy settings into GPOs and link them to the appropriate Active Directory containers.
Also, keep in mind the Group Policy inheritance model and how precedence is determined. By default, options set in GPOs linked to higher levels of Active Directory containers —sites, domains and OUs — are inherited by all containers at lower levels. However, inherited policy can be overridden by a GPO that is linked at a lower level. For example, you might use a GPO linked at a high level for assigning standard desktop wallpaper, but want a certain OU to get different wallpaper. To do so, you can link a second GPO to that specific lower-level OU. Because lower-level GPOs apply last, the second GPO will override the domain-level GPO and provide that specific lower-level OU with a different set of Group Policy settings. However, you can modify this default inheritance behavior by using Block Inheritance and Enforced.
Figure 2.4 illustrates the steps detailed in this section.
Figure 2.4 Group Policy Design Model
The following guidelines can help tailor your Group Policy design to the needs of your organization:
Determine if there are any policy settings that must always be enforced for particular groups of users or computers. Create GPOs that contain these settings,link them to the appropriate site, domain, or OU, and designate these links as Enforced (formerly known as No Override). By setting this option, you enforce a higher-level GPO’s settings by preventing GPOs in lower-level Active Directory containers from overriding them. For example, if you define a specific GPO at the domain level and specify that it is enforced, the policies that the GPO contains apply to all OUs under that domain; GPOs linked to the lower-level OUs cannot override that domain Group Policy.
- Use the Enforced and Block Policy Inheritance features sparingly. Routine use of these features can make it difficult to troubleshoot policy because it is not immediately clear to administrators of other GPOs why certain settings do or do not apply.
Decide which policy settings are applicable to the entire organization and consider linking these to the domain. You can also use GPMC to copy GPOs or import GPO settings, thereby creating identical GPOs in different domains.
Link the GPOs to the OU structure (or site), and then use Security Groups to selectively apply these GPOs to particular users or computers.
Classify the types of computers and the roles or job function of users in your organization, group them into OUs, create GPOs to configure the environment for each as needed, and then link the GPOs to those OUs.
Prepare a staging environment to test your Group Policy-based management strategy before deploying GPOs into your production environment. Think of this phase as staging your deployment. This is a crucial step toward ensuring that your Group Policy deployment will meet your management goals. This process is fully detailed in "Staging Group Policy Deployments," in this book.