Jul 2013

Good Group Policy Design. What it should "do" for you and your team.

One of the things I get asked about a lot is Group Policy Object “design.”

Design could mean a lot of things. Group Policy Design to me means:

  • What you name your GPOs.
  • What you put inside your GPOs.
  • What GPOs are linked where.
  • OU design.
  • Use of Blocked Inheritance and Enforced properties.

When I perform my (paid) Group Policy Health Check consulting service… these are the kinds of things I look at overall.

To be honest, and I’m just callin’ it like it is here… I don’t usually see ALL of these elements designed well.

Usually with ONE, and sometimes with ALL, of these elements, it's near impossible to discern what's going on.

Here’s one big overriding tip I can suggest if you decide you want to think about design (or, more likely, a redesign).

Good: Could someone from the outside look at your design and be able to basically figure out what is going on?

Better: Could someone from the outside look at your design and be able to figure out WHY you did it?

Best: Could someone from the outside look at your design and figure out what you did and why you did it, and NOT need any extra documentation?

To be clear: I’m not saying “don’t document your naming conventions” or “don’t make careful notes about what you’re doing and why.”

I *AM* saying that a good design should “jump off the screen” at you. If you got a new boss TOMORROW and you needed to spend 10 minutes explaining WHAT was done and WHY it was done that way… would it make sense based on what you have, in Active Directory (OUs) and the GPMC (GPOs)… TODAY?
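One way to get that outside view of the elements listed above (GPO names, what is linked where, Block Inheritance and Enforced) is a read-only inventory. This is an added example, not part of the original post; it assumes the RSAT ActiveDirectory and GroupPolicy modules and read access to the domain, and it does not cover site-level links.

```powershell
# Added example: read-only inventory of GPO links, Block Inheritance and Enforced.
# Assumes the RSAT ActiveDirectory and GroupPolicy modules are installed.
Import-Module ActiveDirectory, GroupPolicy

$domainDn = (Get-ADDomain).DistinguishedName

# Domain root plus every OU: the containers inspected here (sites are omitted).
$targets = @($domainDn) + @(Get-ADOrganizationalUnit -Filter * |
    Select-Object -ExpandProperty DistinguishedName)

$linkedIds = New-Object 'System.Collections.Generic.HashSet[guid]'

$report = foreach ($dn in $targets) {
    $som = Get-GPInheritance -Target $dn

    foreach ($link in $som.GpoLinks) {
        [void]$linkedIds.Add($link.GpoId)
        [pscustomobject]@{
            Container        = $dn
            BlockInheritance = $som.GpoInheritanceBlocked
            Gpo              = $link.DisplayName
            Order            = $link.Order
            Enabled          = $link.Enabled
            Enforced         = $link.Enforced
        }
    }

    # A container that blocks inheritance but has no direct links still gets a row.
    if ($som.GpoInheritanceBlocked -and -not $som.GpoLinks) {
        [pscustomobject]@{
            Container = $dn; BlockInheritance = $true; Gpo = $null
            Order = $null; Enabled = $null; Enforced = $null
        }
    }
}

# What is linked where, in link order.
$report | Sort-Object Container, Order | Format-Table -AutoSize

# The exceptions a newcomer has to have explained: Enforced links and blocked containers.
$report | Where-Object { $_.Enforced -or $_.BlockInheritance } |
    Format-Table Container, Gpo, Enforced, BlockInheritance -AutoSize

# GPOs with no link to the domain root or any OU (site links are not checked).
Get-GPO -All | Where-Object { -not $linkedIds.Contains($_.Id) } |
    Sort-Object DisplayName | Select-Object DisplayName, GpoStatus, ModificationTime
```

If the second and third tables are long, or the names in the first do not tell you what each GPO is for, that is the part of the design that will need explaining.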

Here are the best (two) parts about GP design:

  • Your design doesn’t have to look like anyone else’s. It just needs to make sense.
  • If you screwed it up the first time, it’s not heinous to get it repaired. You do need some direction and a trusted guide though.

If “Cleanliness is next to Godliness” is a real thing, then maybe you should think about getting cleaned up.

If you’re feeling dirty all over right now, here are your two options: take either my Group Policy training class (Live or Online) or have me perform my (paid) Group Policy Health Check consulting service… you and your company can get cleaned up… fast.

If you’re serious about either one (training or consulting) then give Laura a call at 215-391-0096 for a quote.

You can also reserve a seat in the next live class (Denver Aug 12-16, 2013) or get the Online University at

We have limited seats left in the Denver class, and I only take ONE Group Policy Health Check client per month. First come, first served.

See you soon.
