Unified Directory - GPO Guidelines

Article Purpose

Standards and best practices for creating and maintaining Microsoft Group Policy Objects (GPO) in the Unified Directory (UD).

Planning

  • Establish consensus as appropriate to your school, college, department, group
  • Consider ramifications of each policy applied
  • Communicate your GPO plan to affected users
  • Follow UA Unified Directory (UD) guidelines for managing GPOs

Creation

  • Follow UA UD standard naming conventions. The recommended naming standard for Unified Directory Group Policy Objects (GPOs) is:
    MAU_GeoCampus_Org_GPOName

    where MAU is the Major Academic Unit your group is affiliated with (e.g. UAA, UAF, UAS, SW), GeoCampus is the abbreviation of the geographical location where this policy will be used (e.g. anc = Anchorage, krc = Kenai, etc.), Org is the short abbreviation of your group and/or sub-group, and GPOName is a descriptive name that explains the purpose of the GPO. This naming standard is important because it is the primary mechanism to prevent OU Managers from accidentally linking another admin's GPO to their OU.
  • OU Admins should document their GPOs in the manner described above
  • The use of "Blocking Policy Inheritance" is not supported in the UA UD. Applying a Policy Inheritance Block may interfere with approved domain policies.
  • The use of "Deny Access Control Entry (ACE)" while filtering GPOs is not supported in UA UD. Denying ACEs could lead to increased time spent troubleshooting GPOs, add unnecessary complexity to the implementation of GPOs, and/or disrupt the user's environment. OU Admins can use group filtering as an alternative to using a "Deny ACE".
  • OU Admins should contact interested/affected users in a timely manner when policies are created/newly applied to users.
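
One way an OU Admin could audit the naming standard and the Block Inheritance rule above. This is an added example, not UA tooling: the function names, the MAU list (taken from the "e.g." values on this page), the sample GPO names and the placeholder OU path are all assumptions.

```powershell
# Added example, not part of the UA UD guidelines.
# Assumption: the MAU list only contains the examples given on this page.
$KnownMau = 'UAA', 'UAF', 'UAS', 'SW'

function Test-UdGpoName {
    # Checks a GPO display name against MAU_GeoCampus_Org_GPOName.
    # The first three fields may not contain '_' or whitespace; GPOName may.
    param([Parameter(Mandatory)][string]$Name)

    $pattern = '^(?<mau>[^_\s]+)_(?<geo>[^_\s]+)_(?<org>[^_\s]+)_(?<gpo>\S.*)$'
    $problem = $null
    if ($Name -match $pattern) {
        if ($Matches.mau -cnotin $KnownMau) {
            $problem = "unknown MAU '$($Matches.mau)'"
        }
    } else {
        $problem = 'not in MAU_GeoCampus_Org_GPOName form'
    }
    [pscustomobject]@{
        Name      = $Name
        Compliant = ($null -eq $problem)
        Problem   = $problem
    }
}

function Get-UdBlockedInheritance {
    # Lists OUs under $SearchBase that have Block Inheritance set.
    # Needs the ActiveDirectory and GroupPolicy (RSAT) modules and a domain.
    param([Parameter(Mandatory)][string]$SearchBase)

    Get-ADOrganizationalUnit -Filter * -SearchBase $SearchBase |
        ForEach-Object { Get-GPInheritance -Target $_.DistinguishedName } |
        Where-Object { $_.GpoInheritanceBlocked } |
        Select-Object Name, Path
}

# Constructed sample names so the naming check runs without a domain.
$samples = 'UAA_anc_ITS_Workstation_Lockout',   # compliant
           'UAF_Lab Printers',                  # too few fields
           'XYZ_krc_Lib_KioskMode',             # MAU not in the list
           'Default Domain Policy'              # no fields at all
$samples | ForEach-Object { Test-UdGpoName -Name $_ } | Format-Table -AutoSize

# Against a live directory (placeholder OU path, replace with your own):
#   (Get-GPO -All).DisplayName | ForEach-Object { Test-UdGpoName -Name $_ } |
#       Where-Object { -not $_.Compliant }
#   Get-UdBlockedInheritance -SearchBase 'OU=<your OU>,DC=<domain>,DC=<tld>'
```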

How Group Policies are Applied

  • Inherited and cumulative GPOs will affect all computers in an OU if not filtered.
  • Processed in the following order: local (workstation), site, domain, and OU
  • As each policy is processed, its settings are merged into the registry
  • If multiple policies are applied to a computer, the effective policy is the result of merging, in order, all policies defined for the computer

UA UD Policies on GPOs

  • OU Admins are the only authorized parties to change/delete GPOs in their Organizational Unit
  • OU Admins should contact interested/affected users in a timely manner when policies are being changed or deleted
  • Changed/Deleted GPOs must be documented
  • Documentation for deleted GPOs should remain in the documentation folder for 1 year.