Best practices for Group Policy objects
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
Best practices for Group Policy objects
Do not process policy settings that are not configured.
If a Group Policy object contains only settings that are set to Not Configured, you can avoid processing these settings by disabling User Configuration or Computer Configuration. This expedites the startup and logon processes for those users and computers that are subject to the Group Policy object. For more information, see Disable the User Configuration settings in a Group Policy object, Disable the Computer Configuration settings in a Group Policy object, User Configuration and Computer Configuration.
To prevent an entire Group Policy object from affecting a site, domain, or organizational unit, see Unlink a Group Policy object from a site, domain, or organizational unit and Disable a Group Policy object link. With these procedures, you can enable or re-link the Group Policy object.
If you never want to use a certain Group Policy object again, see Delete a Group Policy object.
Use Block Policy inheritance and No Override sparingly.
- Routine use of these features makes it difficult to troubleshoot policy. If you must use them, see Block policy inheritance and Prevent a Group Policy object from being overridden.
Do not use the same name for different Group Policy objects.
- By using the same name for two different Group Policy objects, you do not cause Group Policy to function incorrectly, but you might cause confusion. For more information, see Group Policy objects.
- If you type a name for a Group Policy object that is longer than 255 characters, the name is truncated without warning to 255 characters.
Minimize the number of WMI Filters used with Group Policy objects.
- The more WMI Filters that are applied to a Group Policy object, the longer it will take to process the object.
Filter policy based on security group membership.
Users who do not have an access control entry (ACE) directing that a particular Group Policy object be applied to them can avoid the associated logon delay, because the Group Policy object is not processed for those users.
Filtering can only be done by using membership in security groups. For more information, see Filter the scope of Group Policy according to security group membership.
To see the ACEs, click the Security tab in the Properties dialog box for a Group Policy object.
Override user-based Group Policy with computer-based Group Policy only when necessary.
- Override user-based Group Policy with computer-based Group Policy only if you want the desktop configuration to be the same regardless of who logs on. The mechanism for doing this is called loopback, an advanced Group Policy setting that is useful in certain closely managed environments, such as laboratories, classrooms, public kiosks, and reception areas. The User Group Policy loopback processing mode policy setting is located in Group Policy Object Editor. For more information, see Order of processing settings.
Use Group Policy rather than System Policy.
- Use System Policy only to manage computers that run an operating system that is earlier than Windows 2000 or if you need to manage desktops for multiple users on a stand-alone computer. For more information, see Migration Issues.
Avoid assigning Group Policy objects across domains.
- The processing of Group Policy objects slows the startup and logon processes if Group Policy is obtained from another domain.
Do not set File System policy on a drive or directory, such as Sysvol, that is replicated by the NTFS file replication system (FRS).
- Settings that are under File System in Group Policy Object Editor can cause excessive replication and can waste network bandwidth. For more information, see File System security settings.
Do not link a Group Policy object to the same organizational unit more than once.
When more than one link for the same organizational unit is applied to a single object, the client-side Group Policy extension may interpret the links differently and produce unexpected resultant set of policy.