
GPO Management Best Practices

Jun 20, 2025

Summary

  • The meeting reviewed best practices for structuring Group Policy Objects (GPOs) in Active Directory, focusing on application order, precedence, and troubleshooting.
  • Attendees discussed scenarios where applying restrictive and relaxed GPOs at various AD container levels is necessary to balance security and operational needs.
  • The process for evaluating the Resultant Set of Policy (RSOP) and methods for troubleshooting GPO application were demonstrated in the Group Policy Management Console (GPMC).

Action Items

  • None were specified in the transcript.

Structuring and Applying GPOs

  • It is common to have multiple GPOs for different needs, resulting in many policies linked at different AD hierarchy levels.
  • Best practice: link a restrictive, secure baseline GPO to the entire domain for default security, then relax policies as needed for specific users or OUs (e.g., enabling macros for finance).
  • Multiple GPOs may intentionally contradict each other; the AD GPO application order determines outcomes.
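The layout described above, as an added example that is not part of the meeting transcript: a restrictive baseline linked at the domain root and a narrower exception linked at a finance OU, built with the GroupPolicy PowerShell module. The domain name, OU and GPO names are hypothetical, and the Excel VBAWarnings policy key is assumed to match your Office ADMX version (check it before relying on it). The exception relaxes macros to signed-only rather than enable-all, since an exception to a domain baseline should stay as narrow as the business need allows.

```powershell
# Added example: restrictive domain baseline plus a relaxed OU-level exception.
# Hypothetical names: corp.example, OU=Finance, SEC-Baseline, EXC-Finance-Macros.
# VBAWarnings values (assumed from the Office ADMX): 4 = disable all macros without
# notification, 3 = disable all except digitally signed macros.
Import-Module GroupPolicy

$domainDn  = 'DC=corp,DC=example'
$financeOu = 'OU=Finance,DC=corp,DC=example'
$excelSec  = 'HKCU\Software\Policies\Microsoft\Office\16.0\Excel\Security'

# 1. Baseline GPO, linked at the domain root: macros off for everyone by default.
$baseline = Get-GPO -Name 'SEC-Baseline' -ErrorAction SilentlyContinue
if (-not $baseline) {
    $baseline = New-GPO -Name 'SEC-Baseline' -Comment 'Domain-wide secure default'
}
Set-GPRegistryValue -Name $baseline.DisplayName -Key $excelSec `
    -ValueName 'VBAWarnings' -Type DWord -Value 4 | Out-Null
New-GPLink -Name $baseline.DisplayName -Target $domainDn -LinkEnabled Yes `
    -ErrorAction SilentlyContinue | Out-Null

# 2. Exception GPO, linked at the Finance OU: signed macros only. The OU is processed
#    after the domain, so for objects under OU=Finance this value overrides the baseline.
$exception = Get-GPO -Name 'EXC-Finance-Macros' -ErrorAction SilentlyContinue
if (-not $exception) {
    $exception = New-GPO -Name 'EXC-Finance-Macros' -Comment 'Finance: signed macros only'
}
Set-GPRegistryValue -Name $exception.DisplayName -Key $excelSec `
    -ValueName 'VBAWarnings' -Type DWord -Value 3 | Out-Null
New-GPLink -Name $exception.DisplayName -Target $financeOu -LinkEnabled Yes `
    -ErrorAction SilentlyContinue | Out-Null

# 3. Verify what the Finance OU inherits. InheritedGpoLinks is ordered by precedence,
#    highest first, so EXC-Finance-Macros should be listed above SEC-Baseline.
(Get-GPInheritance -Target $financeOu).InheritedGpoLinks |
    Select-Object Order, DisplayName, Enforced, Target |
    Format-Table -AutoSize
```

Keep exceptions in their own GPOs rather than editing the baseline: the baseline stays a single auditable object, and each exception is visible as a separate link on the OU that needed it.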

GPO Processing Order and Precedence

  • GPOs are processed in the order local computer policy → AD site → domain → parent OU → child OU, from least to most specific container; each later level can overwrite settings written by an earlier one.
  • When several GPOs are linked to the same container, their link order sets precedence within that container: the link with the highest number is processed first and link order 1 is processed last, so link order 1 wins among them.
  • For any individual setting, the last GPO to define it wins. Two link options change this rule: a link marked Enforced is processed after all non-enforced links and therefore wins over lower containers, and Block Inheritance on an OU discards every non-enforced link inherited from the containers above it.
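The processing rules above, reconstructed in code as an added example (not from the meeting transcript): the function walks the container chain for a given distinguished name, reads each container's links with Get-GPInheritance, and emits the GPOs in the order the client applies them, honouring link order, Enforced and Block Inheritance. The OU path in the usage line is hypothetical. The optional -SiteDn parameter assumes Get-GPInheritance accepts a site distinguished name as -Target; verify that in your environment before relying on it.

```powershell
# Added example: reconstruct GPO application order for an OU (or an object's DN).
# The last row emitted is the highest-precedence GPO.
Import-Module GroupPolicy

function Get-GpoApplicationOrder {
    param(
        [Parameter(Mandatory)] [string] $TargetDn,
        [string] $SiteDn   # optional, e.g. 'CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=corp,DC=example' (assumed to be accepted by Get-GPInheritance)
    )

    # Split the DN into RDNs and keep only containers a GPO can be linked to (OU, domain).
    $parts    = $TargetDn -split ',(?=(?:CN|OU|DC)=)'
    $dcParts  = @($parts | Where-Object { $_ -like 'DC=*' })
    $ouParts  = @($parts | Where-Object { $_ -like 'OU=*' })
    $domainDn = $dcParts -join ','

    # Container chain in processing order: site (if given), domain, parent OU ... child OU.
    $chain = @()
    if ($SiteDn) { $chain += $SiteDn }
    $chain += $domainDn
    for ($i = $ouParts.Count - 1; $i -ge 0; $i--) {
        $chain += (@($ouParts[$i..($ouParts.Count - 1)]) + $dcParts) -join ','
    }

    $nonEnforced  = @()
    $enforced     = @()
    $blockedAbove = $false

    # Walk from the deepest container upward so a Block Inheritance flag can discard
    # the non-enforced links of every container above it.
    for ($d = $chain.Count - 1; $d -ge 0; $d--) {
        $inh = Get-GPInheritance -Target $chain[$d]
        # Within one container the highest link Order is applied first and Order 1 last.
        $links = @($inh.GpoLinks | Where-Object { $_.Enabled } | Sort-Object Order -Descending)
        foreach ($l in $links) {
            $rec = [pscustomobject]@{
                Container = $chain[$d]; GPO = $l.DisplayName
                LinkOrder = $l.Order;   Enforced = $l.Enforced
            }
            if ($l.Enforced)            { $enforced    += $rec }
            elseif (-not $blockedAbove) { $nonEnforced += $rec }
        }
        if ($inh.GpoInheritanceBlocked) { $blockedAbove = $true }
    }

    # Non-enforced links apply top-down (domain first, deepest OU last), so reverse the
    # bottom-up collection. Enforced links apply after all of them, and among enforced
    # links the higher container wins (is applied last), which is exactly the bottom-up
    # order they were collected in.
    [array]::Reverse($nonEnforced)
    $step = 0
    foreach ($r in ($nonEnforced + $enforced)) {
        $step++
        [pscustomobject]@{
            Step = $step; GPO = $r.GPO; Container = $r.Container
            LinkOrder = $r.LinkOrder; Enforced = $r.Enforced
        }
    }
}

# Usage (hypothetical OU). Compare the result with
# (Get-GPInheritance -Target $ou).InheritedGpoLinks, which GPMC lists highest precedence first.
Get-GpoApplicationOrder -TargetDn 'OU=Workstations,OU=Finance,DC=corp,DC=example' |
    Format-Table -AutoSize
```

This reproduces link precedence only. Security filtering, WMI filters and loopback processing are not modelled here, which is why the Group Policy Results Wizard or gpresult on the client remains the authority for what actually applied.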

Reviewing GPO Inheritance and Resultant Set of Policy (RSOP)

  • GPO inheritance and precedence can be viewed in Group Policy Management Console (GPMC), which shows where each policy is linked and which will win.
  • GPOs linked to AD sites do not appear in the Group Policy Inheritance tab of a domain or OU in GPMC (the tab itself notes that site-linked GPOs are excluded); they are listed only under the Sites node, which has to be enabled with Show Sites, so a site-level GPO is easy to overlook when reviewing precedence.
  • The cumulative result of every policy that applies to a given computer and the user logged on to it is the Resultant Set of Policy (RSOP).

Using GPMC to Troubleshoot GPO Application

  • The Group Policy Results Wizard in GPMC generates an RSOP report for a specified computer and user, provided the computer is online and reachable and the user has logged on to it at least once.
  • The report lists the applied GPOs, which GPO won each setting, which GPOs were denied and why (security filtering, WMI filter, disabled or empty), and the security group membership in effect when policy was applied, which is what makes conflicts and unmet expectations visible.
  • The remote query fails when the target is powered off, unreachable on the network, filtered by a firewall (the wizard uses RPC/WMI against the target), or when the requester lacks local administrator rights on it; in those cases run gpresult (for example gpresult /h report.html) or rsop.msc on the machine itself.
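The troubleshooting flow above as an added example (not from the meeting transcript): check the conditions that make the remote query fail, pull the same RSOP data the Results Wizard shows through Get-GPResultantSetOfPolicy, and fall back to running gpresult on the target when the remote path is unavailable. The computer name FIN-WS01 and user CORP\jdoe are hypothetical; the fallback assumes PowerShell remoting (WinRM) is enabled on the target and that you hold local administrator rights there.

```powershell
# Added example: RSOP report with pre-flight checks and a local gpresult fallback.
# Hypothetical names: FIN-WS01, CORP\jdoe. Fallback assumes WinRM is enabled.
Import-Module GroupPolicy

function Get-RsopReport {
    param(
        [Parameter(Mandatory)] [string] $Computer,
        [Parameter(Mandatory)] [string] $User,   # DOMAIN\user; must have logged on to $Computer before
        [string] $OutDir = "$env:TEMP\rsop"
    )
    New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
    $stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
    $html  = Join-Path $OutDir "$Computer-$($User -replace '\\','_')-$stamp.html"

    # Pre-flight: the remote RSOP query goes over RPC/WMI (TCP 135 plus dynamic ports).
    # Fail fast with a message that names the likely cause.
    if (-not (Test-Connection -ComputerName $Computer -Count 1 -Quiet)) {
        throw "$Computer does not answer ping: powered off or not on the network"
    }
    if (-not (Test-NetConnection -ComputerName $Computer -Port 135 -InformationLevel Quiet)) {
        throw "TCP 135 on $Computer is closed or filtered: check host and network firewalls"
    }

    try {
        # Remote path: the same RSOP data GPMC's Group Policy Results Wizard reports.
        Get-GPResultantSetOfPolicy -Computer $Computer -User $User `
            -ReportType Html -Path $html -ErrorAction Stop | Out-Null
        return $html
    }
    catch {
        # Typical causes here: missing local admin rights on the target, or WMI blocked.
        Write-Warning "Remote RSOP failed ($($_.Exception.Message)); running gpresult on $Computer instead"
    }

    # Fallback: run gpresult on the target itself and bring the HTML back.
    # Without WinRM, type the same gpresult line at the target's console.
    $remoteHtml = Invoke-Command -ComputerName $Computer -ScriptBlock {
        param($u)
        $p = Join-Path $env:TEMP 'rsop-local.html'
        gpresult /h $p /f /user $u | Out-Null
        Get-Content -Path $p -Raw
    } -ArgumentList $User
    Set-Content -Path $html -Value $remoteHtml -Encoding UTF8
    return $html
}

# Usage (hypothetical names). For quick triage at the console, gpresult /r /scope:computer
# prints applied GPOs, denied GPOs with the reason, and the group membership used for filtering.
$report = Get-RsopReport -Computer 'FIN-WS01' -User 'CORP\jdoe'
Start-Process $report
```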

Decisions

  • Use of restrictive domain-wide GPO with relaxed policies at OU level — to maintain a secure default while supporting exceptions for operational needs.

Open Questions / Follow-Ups

  • None noted in the transcript.