Group Policy Best Practices

One of the most important structures within the Microsoft Windows managed space is Group Policy. Well-formed Group Policy can manage thousands of elements within a business’ environment that control everything from the look and feel of a system to security features that protect business assets. Well-defined and organized Group Policy rules can be easily managed by teams of administrators with ease of transition through attrition of staff. Poorly formulated policies can cause administrators to frequently re-evaluate an environment and, potentially worse, could adversely affect it with contradictions and confusion.
Group Policy Objects, the rules that apply to individual computers or users, have been around since the early days of Windows Server. Early on, the policies were applied to Organizational Units (OUs) within Active Directory specifically. This made it easy to determine which rules were applied to specific computers or users. Over time, the rule base has become larger and more diverse which made the central management of all policies affecting an organization unwieldy.  In response, Microsoft introduced the Group Policy Management Console as an add-on in Windows Server 2003 and built-in to all subsequent server OS platforms. Within this console, rules can be established and assigned to individual OUs and filtered by various security criteria in one panel.
Like other Microsoft structures, Group Policy rules are hierarchical and applied in a “down the tree” path so that child OUs inherit the rules of the parent folders. This structure can be overridden in specific circumstances. The enforcement of policies are applied in 2 categories; Computer or User. It’s important that administrators fully understand the implications of either choice. In short, rules that are computer-based apply to computer systems (Windows PCs or servers generally) and affect settings that are unique to hardware like screensavers or software installation automation. Rules that affect users are applied to users and user groups, and are tied to the users’ logon. While the concept for these rules can seem obvious at times there are plenty of rules that can be applied on either side. This makes it important for administrators to map out what their specific intentions are and to test to determine which application is most prudent.
Perhaps one of the most useful elements of the Group Policy Management console is the Group Policy Results tool. Administrators can impersonate a user or a computer on the network to determine which policies are applicable and running, which policies are applied but blocked from running, and which policies are not applied at all to a specific user or computer. When a user or computer is not applying a specific policy as expected, this gives an administrator a useful report for determining which rules are problematic in order to resolve the issue.
The application order of Group Policies is often the reason policies are not working properly. For this reason, it’s best to have as few policies applying to one object as possible. Keep in mind that any negation of a rule that occurs after a positive setting on the same object will cause the rule to set that parameter to false. In other words, the last rule to speak on behalf of a particular object wins. It can often be hard for administrators to recognize this, especially if they didn’t design the policy in the first place, and reveals why good notations are paramount.
The last point worth noting is that Group Policy is not the only place where settings can be applied to computers and users. So, it’s important to know where rules can be set and what can take precedence.
The following diagram depicts the hierarchical tree of policy precedence that enables an administrator to determine where rules could be applied or potentially overridden.

In general, administrators should use the assignment of policies sparingly and with careful assessment about rules that may already exist. Once that has been established those policies can potentially be enhanced to include any requested changes in a cleaner manner. Rules should be re-assessed on a scheduled basis for relevance and understanding about what is being applied to a business environment.
Group Policy is a valuable resource in the Microsoft Windows managed space. The rules an administrator can enforce are powerful, but, like any tool, quality management is required so as not to create any self-inflicted issues. Strict company policy should be established around the ability to create and modify policies for maximum benefit and security.