GPO-Curse or Blessing?

I know what you are thinking-is he serious?!?!

Actually I am serious and as someone that has taught AD classes I have to say
that GPO is the heart of AD. It is the most flexible tool to be used to harness the
power of AD. On the other hand I have seen it become a curse when it is overused
or used incorrectly.

In this post I would like to outline the overuse of GPOs. When a large number of
GPOs is created management becomes complicated and in some cases it may become
very complicated.

GPO settings accumulate when several GPOs apply to an object if none of the settings
collide. If the settings do colide the rule of thumb is that the “closest” GPO to the object has
Local settings

If additional factors are involved such as ‘Block inheritance’ or ‘No override/Enforce’ are also
involved it can be quite complicated to decipher which settings apply to a specific object.

That’s the reason why it is recommended to use a minimal number of GPOs.

An additional tool that might help you get out of a bind if you have a large number of GPOs
is the Group Policy Management Console. This tool(add-on) provides a dedicated interface
for managing and more importantly understanding GPOs.

Using this tool you can understand which settings are configured and which GPO(for each)
owns each setting. This can be achieved by using the “Group Policy Results” branch.
The wizard hiding behind the branch enables you to enter the computer and user name you
wish to analyze and provides the exact settings that apply to them on the “Settings” tab found in
the left pane.

You can download GPMC at:

Ok,so I have been dragged to a technical topic when actually all I wanted to say was-Please
do not create too many GPOs… 🙂

Leave a Reply

Your email address will not be published. Required fields are marked *