Thursday, September 9, 2010

And Now for Yet Another Post on Group Policy (This one is most important)

I know I've already blabbered to death about Group Policy, GP Prefs, testing and labs, and whatever, but I made a huge goof. Yep. I overlooked one key aspect to Group Policy. A huge aspect. THE most important aspect.

Before you start making or modifying GPOs. Before you start making test OUs and test accounts. Before you build a test lab environment. Before you design and roll out your shiny new AD environment. Before you start working on USMT migration plans...

Part 1 - Document what you need to accomplish!

The results you expect to get from going through the effort of a new AD environment, or an AD migration, will be dictated by your design. The sites and site links and replication mess are one thing, but the way you need to manage resources is also as important.

Decide (and document) what controls and settings you need in place across all or portions of your new AD environment. How settings will need to be applied and filtered to particular locations, users and groups, or machines will guide your Group Policy design. The Group Policy design will in turn dictate (to a large extent) how your AD logical design can be done. This is no trivial subject. It may take longer than you would expect.

Do this on a whiteboard or on paper. Stay away from a computer. The tools will distract you from this thought process, trust me. Draw it out and make all your changes before you start formalizing them on a computer. Then take the results into your lab and see if it works.

Think of this like designing a school. You can't know how big to build the school until you decide how big the rooms need to be, how many rooms, how many hallways, etc. And you can't determine that without knowing how many students in what grade levels will be sent to it. That will tell you how many teachers, buses, cafeteria seats, kitchen space, and parking spaces you'll need as well.

Group Policy controls the environment by way of logical links and applicability filters. User vs Computer settings against user or computer OUs, and then comes WMI filters, blocking, enforcement, ordering and (my favorite) loopbacks. Whether you need (or want) to apply settings by groups, by departments, by locations, by operating system, by hardware, by language or by time zone, will point you towards the logical AD design to allow that.
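Once you have an existing environment to migrate, the links, enforcement, inheritance blocking, WMI filters and loopback settings described above are exactly what needs to go on the whiteboard. The following is an added example, not code from the original post, that pulls that inventory from a domain; it assumes the RSAT GroupPolicy and ActiveDirectory PowerShell modules are installed and that you run it as a domain user with read access to AD and SYSVOL.

```powershell
# Added example: inventory every GPO link per container, with the properties
# that decide precedence (order, enforced, block inheritance, WMI filter,
# loopback mode). Assumes RSAT GroupPolicy + ActiveDirectory modules.
Import-Module GroupPolicy
Import-Module ActiveDirectory

function Get-GpoLinkInventory {
    [CmdletBinding()]
    param()

    # The domain root plus every OU: the containers a GPO can be linked to.
    $targets = @((Get-ADDomain).DistinguishedName)
    $targets += Get-ADOrganizationalUnit -Filter * |
        Select-Object -ExpandProperty DistinguishedName

    foreach ($dn in $targets) {
        $inh = Get-GPInheritance -Target $dn
        foreach ($link in $inh.GpoLinks) {
            $gpo = Get-GPO -Guid $link.GpoId

            # Loopback is a setting inside the GPO, not a link property:
            # HKLM\...\System\UserPolicyMode = 1 (merge) or 2 (replace).
            # Get-GPRegistryValue throws when the value is not configured.
            try {
                $mode = (Get-GPRegistryValue -Guid $link.GpoId `
                    -Key 'HKLM\Software\Policies\Microsoft\Windows\System' `
                    -ValueName 'UserPolicyMode' -ErrorAction Stop).Value
                $loopback = @{ 1 = 'Merge'; 2 = 'Replace' }[[int]$mode]
            } catch { $loopback = '' }

            [PSCustomObject]@{
                Target             = $dn
                InheritanceBlocked = $inh.GpoInheritanceBlocked
                Order              = $link.Order
                GPO                = $link.DisplayName
                LinkEnabled        = $link.Enabled
                Enforced           = $link.Enforced
                GpoStatus          = $gpo.GpoStatus   # which halves (user/computer) are on
                WmiFilter          = if ($gpo.WmiFilter) { $gpo.WmiFilter.Name } else { '' }
                Loopback           = $loopback
            }
        }
    }
}

$inventory = Get-GpoLinkInventory | Sort-Object Target, Order
$inventory | Format-Table -AutoSize
# The rows that make precedence hardest to reason about deserve a second look.
$inventory | Where-Object { $_.Enforced -or $_.InheritanceBlocked -or $_.Loopback } |
    Format-Table Target, GPO, Enforced, InheritanceBlocked, Loopback -AutoSize
$inventory | Export-Csv -Path .\gpo-link-inventory.csv -NoTypeInformation
```

Security filtering on each GPO's ACL (which groups are granted Apply Group Policy) is the remaining applicability input; it is not collected here and still needs to be recorded alongside the CSV.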

Part 2 - Simplicity First

The old saying is true: "Just because you CAN do something, doesn't mean you SHOULD". It definitely holds true for Group Policy implementation. Do not jump in and try to do everything at once! Start small. Begin with listing the controls you *absolutely* need. Then list the "nice-to-have" items separately. Keep them separate!!! Even if they happen to fall in the same GPO tree as one of your "gotta-haves". Isolate GPOs by what they control. Don't mix settings. Printer settings and IE settings should be in separate GPOs. Putting more settings in fewer GPOs only makes it more difficult to troubleshoot problems and it becomes difficult to split them later on. Remember: Baby steps.

Ok. I just wanted to post this and get it done. You may now continue with your regularly scheduled boring life, already in progress...
