Best practices for Group Policy objects

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

Do not process policy settings that are not configured.

Use Block Policy inheritance and No Override sparingly.

Do not use the same name for different Group Policy objects.

  • Using the same name for two different Group Policy objects does not cause Group Policy to function incorrectly, but it can cause confusion when administrators refer to objects by name rather than by GUID. For more information, see Group Policy objects.

Caution

  • If you type a name for a Group Policy object that is longer than 255 characters, the name is truncated without warning to 255 characters.

Minimize the number of WMI Filters used with Group Policy objects.

  • The more WMI Filters that are applied to a Group Policy object, the longer it will take to process the object.

Filter policy based on security group membership.

  • Users who do not have an access control entry (ACE) directing that a particular Group Policy object be applied to them can avoid the associated logon delay, because the Group Policy object is not processed for those users.

  • Filtering can only be done by using membership in security groups. For more information, see Filter the scope of Group Policy according to security group membership.

  • To see the ACEs, click the Security tab in the Properties dialog box for a Group Policy object.

Override user-based Group Policy with computer-based Group Policy only when necessary.

  • Override user-based Group Policy with computer-based Group Policy only if you want the desktop configuration to be the same regardless of who logs on. The mechanism for doing this is called loopback, an advanced Group Policy setting that is useful in certain closely managed environments, such as laboratories, classrooms, public kiosks, and reception areas. The User Group Policy loopback processing mode policy setting is located in Group Policy Object Editor. For more information, see Order of processing settings.
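The following script is an added example, not part of the original page, that reports on three of the items above for every Group Policy object in a domain: duplicate display names, WMI filters, the security groups whose Apply Group Policy ACE makes the object apply to (or be denied for) them, and whether loopback processing is enabled. It assumes the GroupPolicy PowerShell module (Windows Server 2008 R2 or later, or RSAT), which does not exist on the Windows Server 2003 release this page covers; the function name Get-GpoScopeReport is invented here.

```powershell
# Added example (not from the original page). Assumes the GroupPolicy module
# (Windows Server 2008 R2+/RSAT) and an account that can read GPO security.
Import-Module GroupPolicy

function Format-Trustee($t) {
    # Well-known principals such as Authenticated Users carry no domain part.
    if ($t.Domain) { "$($t.Domain)\$($t.Name)" } else { $t.Name }
}

function Get-GpoScopeReport {
    param([string]$Domain = $env:USERDNSDOMAIN)

    $gpos = Get-GPO -All -Domain $Domain

    # Duplicate display names do not break Group Policy, but they invite confusion.
    $gpos | Group-Object DisplayName | Where-Object { $_.Count -gt 1 } | ForEach-Object {
        Write-Warning ("Duplicate GPO name '{0}' used by {1} objects" -f $_.Name, $_.Count)
    }

    $loopbackKey = 'HKLM\Software\Policies\Microsoft\Windows\System'

    foreach ($gpo in $gpos) {
        # Security filtering: only trustees holding 'Apply Group Policy' (GpoApply)
        # have this GPO processed; a denied GpoApply ACE excludes that group.
        $apply = Get-GPPermission -Guid $gpo.Id -Domain $Domain -All |
                 Where-Object { $_.Permission -eq 'GpoApply' }

        # Loopback is stored as UserPolicyMode: 1 = Merge, 2 = Replace. The cmdlet
        # errors when the value is absent, which simply means loopback is not set.
        $loopback = 'Not configured'
        try {
            $v = Get-GPRegistryValue -Guid $gpo.Id -Domain $Domain -Key $loopbackKey `
                     -ValueName 'UserPolicyMode' -ErrorAction Stop
            $loopback = switch ($v.Value) { 1 { 'Merge' } 2 { 'Replace' } default { "Unknown ($($v.Value))" } }
        } catch { }

        [pscustomobject]@{
            Name      = $gpo.DisplayName
            Id        = $gpo.Id
            WmiFilter = if ($gpo.WmiFilter) { $gpo.WmiFilter.Name } else { $null }
            AppliesTo = ($apply | Where-Object { -not $_.Denied } | ForEach-Object { Format-Trustee $_.Trustee }) -join '; '
            DeniedFor = ($apply | Where-Object { $_.Denied } | ForEach-Object { Format-Trustee $_.Trustee }) -join '; '
            Loopback  = $loopback
        }
    }
}

Get-GpoScopeReport | Format-Table -AutoSize
```

A GPO whose AppliesTo column is empty is never processed for anyone, while one with a WMI filter or loopback set is worth a second look against the guidance above.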

Use Group Policy rather than System Policy.

  • Use System Policy only to manage computers that run an operating system that is earlier than Windows 2000 or if you need to manage desktops for multiple users on a stand-alone computer. For more information, see Migration Issues.

Avoid assigning Group Policy objects across domains.

  • The processing of Group Policy objects slows the startup and logon processes if Group Policy is obtained from another domain.

Do not set File System policy on a drive or directory, such as Sysvol, that is replicated by the NTFS file replication system (FRS).

  • Settings that are under File System in Group Policy Object Editor can cause excessive replication and can waste network bandwidth. For more information, see File System security settings.