Best practices

This section contains recommendations to help you get the most out of Group Policy, Folder Redirection, and Software Installation.

For problem-solving instructions, see Troubleshooting. For other sources of information, including links to the World Wide Web, see Resources.

Group Policy

Disable unused parts of a Group Policy object.

Under User Configuration or Computer Configuration in the console tree of the Group Policy snap-in, if a Group Policy object contains only settings that are set to Not Configured, you can avoid processing these settings by disabling User Configuration or Computer Configuration. This expedites the startup and logon processes for those users and computers that are subject to the Group Policy object.

For more information, see:

To disable the User Configuration settings in a Group Policy object 

To disable the Computer Configuration settings in a Group Policy object

To prevent an entire Group Policy object from affecting a site, domain, or organizational unit, see To unlink a Group Policy object from a site, domain, or organizational unit and To disable a Group Policy object link. Both procedures are reversible: the Group Policy object itself is kept, so you can re-enable or re-link it later.

If you never want to use a certain Group Policy object again, see To delete a Group Policy object. Deletion removes the object and its settings from the domain; it cannot be re-linked afterwards.
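The three operations above (trimming an empty half of a Group Policy object, disabling or removing a link, and deleting the object) can be scripted with the GroupPolicy module that ships with RSAT. The following is an added example, not code from the Help page. It assumes the GroupPolicy module is installed, that the caller has rights to edit the objects, and that the GPO name "Kiosk Lockdown" and the OU "OU=Kiosks,DC=corp,DC=example" are hypothetical placeholders. The "empty half" test relies on the XML report produced by Get-GPOReport, which emits an ExtensionData element under Computer or User only when that half actually contains settings.

```powershell
# Added example; GPO and OU names are hypothetical.
Import-Module GroupPolicy

function Get-GpoHalfUsage {
    # For one GPO, report whether the Computer and User halves hold any settings.
    # Get-GPOReport's XML has <Computer>/<User> elements; an <ExtensionData>
    # child appears only when that half has something configured.
    param([Parameter(Mandatory)][Microsoft.GroupPolicy.Gpo]$Gpo)
    [xml]$report = Get-GPOReport -Guid $Gpo.Id -ReportType Xml
    [pscustomobject]@{
        Name            = $Gpo.DisplayName
        Status          = $Gpo.GpoStatus          # AllSettingsEnabled, UserSettingsDisabled, ...
        ComputerHasData = ($null -ne $report.GPO.Computer.ExtensionData)
        UserHasData     = ($null -ne $report.GPO.User.ExtensionData)
    }
}

# 1. Disable the unused half of every GPO that still has both halves enabled.
#    Clients then skip that half entirely at startup/logon.
foreach ($gpo in Get-GPO -All) {
    $u = Get-GpoHalfUsage -Gpo $gpo
    if ($u.Status -ne 'AllSettingsEnabled') { continue }      # already trimmed or fully disabled
    if ($u.ComputerHasData -and -not $u.UserHasData) {
        $gpo.GpoStatus = 'UserSettingsDisabled'                # assigning the property writes back to AD
        Write-Host "Disabled User Configuration on '$($u.Name)'"
    }
    elseif ($u.UserHasData -and -not $u.ComputerHasData) {
        $gpo.GpoStatus = 'ComputerSettingsDisabled'
        Write-Host "Disabled Computer Configuration on '$($u.Name)'"
    }
    elseif (-not $u.UserHasData -and -not $u.ComputerHasData) {
        Write-Warning "'$($u.Name)' has no settings at all; candidate for deletion"
    }
}

# 2. Stop one GPO from affecting an OU without losing anything: disable the link ...
$ou = 'OU=Kiosks,DC=corp,DC=example'
Set-GPLink -Name 'Kiosk Lockdown' -Target $ou -LinkEnabled No

#    ... or remove the link. The GPO object survives and can be linked again later.
Remove-GPLink -Name 'Kiosk Lockdown' -Target $ou
New-GPLink    -Name 'Kiosk Lockdown' -Target $ou -LinkEnabled Yes

# 3. Only when the GPO is never needed again. -WhatIf shows what would happen;
#    drop it to actually delete the object and its SYSVOL folder.
Remove-GPO -Name 'Kiosk Lockdown' -WhatIf
```

Run the loop in step 1 with a single GPO first (replace Get-GPO -All with Get-GPO -Name) and confirm the report shows the expected GpoStatus before applying it domain-wide.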

Use the Block Policy inheritance and No Override features sparingly.

Routine use of these features makes it difficult to troubleshoot policy, because the result of a site, domain, or organizational unit link can no longer be predicted from its position in the hierarchy alone. If you must use them, see To block policy inheritance and To prevent a Group Policy object from being overridden.
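Because these two features are easy to forget once set, it helps to be able to list every place they are in use. The following is an added example, not from the Help page. It assumes the GroupPolicy and ActiveDirectory modules are installed and that the account can read every organizational unit. Later tools call No Override "Enforced", which is the property name Get-GPInheritance exposes.

```powershell
# Added example: list every container with Block Policy inheritance and every
# link with No Override (Enforced). Assumes RSAT modules and read access to AD.
Import-Module GroupPolicy
Import-Module ActiveDirectory

function Get-GpInheritanceExceptions {
    param([string]$Domain = (Get-ADDomain).DNSRoot)

    # The domain root plus every OU; sites are not covered here.
    $targets  = @((Get-ADDomain -Identity $Domain).DistinguishedName)
    $targets += Get-ADOrganizationalUnit -Filter * -Server $Domain |
                Select-Object -ExpandProperty DistinguishedName

    foreach ($dn in $targets) {
        $inh = Get-GPInheritance -Target $dn -Domain $Domain
        if ($inh.GpoInheritanceBlocked) {
            [pscustomobject]@{ Container = $dn; Kind = 'BlockInheritance'; Gpo = $null; Order = $null }
        }
        # Enforced links win even over a blocked child container.
        foreach ($link in ($inh.GpoLinks | Where-Object Enforced)) {
            [pscustomobject]@{ Container = $dn; Kind = 'Enforced'; Gpo = $link.DisplayName; Order = $link.Order }
        }
    }
}

function Show-EffectiveLinks {
    # For one container, the links that actually reach it (own + inherited),
    # with the Enforced flag so the troubleshooter sees why a setting "won".
    param([Parameter(Mandatory)][string]$Target)
    (Get-GPInheritance -Target $Target).InheritedGpoLinks |
        Select-Object Order, DisplayName, Enabled, Enforced, Target
}

Get-GpInheritanceExceptions | Sort-Object Container | Format-Table -AutoSize
Show-EffectiveLinks -Target 'OU=Kiosks,DC=corp,DC=example'   # hypothetical OU
```

Anything the first function prints is a deliberate exception to normal inheritance and should have a documented reason; an empty result is the state this best practice aims for.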

Use common-sense naming conventions for Group Policy objects.

It is not advisable, for example, to use the same name for two different Group Policy objects. Doing so does not cause Group Policy to function incorrectly (objects are identified by GUID, not by name), but it makes them hard to tell apart when troubleshooting.

 Caution

If you type a name for a Group Policy object that is longer than 255 characters, the name is truncated without warning to 255 characters.

Minimize the number of Group Policy objects that are applied to users in domains or organizational units.

The more Group Policy objects that are applied to a user, the longer it takes for the user to log on.

Filter policy based on security group membership.

A Group Policy object is applied only to users and computers that have both Read and Apply Group Policy permission on it. Users without an access control entry (ACE) granting Apply Group Policy avoid the associated logon delay, because the Group Policy object is not processed for them at all.

Filtering can only be done by using membership in security groups. For more information, see To filter the scope of Group Policy according to security group membership.

The ACEs are visible on the Security tab in the properties dialog box for a Group Policy object.
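The same ACEs can be managed from PowerShell. The following is an added example, not from the Help page, and it adds one caveat the original text predates: since the June 2016 security update MS16-072 (KB3163622), a client retrieves user-side policy in the computer's security context, so if you remove Authenticated Users from a GPO entirely, the user settings silently stop applying unless computer accounts still have Read. The example therefore downgrades Authenticated Users to Read instead of removing it, and grants Domain Computers Read explicitly. It assumes the GroupPolicy module and that "Sales Desktop" and "Sales Users" are hypothetical names.

```powershell
# Added example; GPO and group names are hypothetical.
Import-Module GroupPolicy

function Set-GpoSecurityFilter {
    # Scope a GPO to one security group. This is what clearing "Apply Group
    # Policy" for Authenticated Users and ticking it for the group does on the
    # Security tab, with the MS16-072 read permission for computers kept intact.
    param(
        [Parameter(Mandatory)][string]$GpoName,
        [Parameter(Mandatory)][string]$GroupName
    )
    # -Replace is required to lower an existing level; without it the cmdlet
    # only raises permissions. GpoRead = Read without Apply Group Policy.
    Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' -TargetType Group `
        -PermissionLevel GpoRead -Replace | Out-Null
    # The chosen group gets Read + Apply Group Policy.
    Set-GPPermission -Name $GpoName -TargetName $GroupName -TargetType Group `
        -PermissionLevel GpoApply | Out-Null
    # Explicit Read for computer accounts, so user-side settings keep applying
    # even if someone later removes Authenticated Users altogether.
    Set-GPPermission -Name $GpoName -TargetName 'Domain Computers' -TargetType Group `
        -PermissionLevel GpoRead | Out-Null
}

function Test-GpoSecurityFilter {
    # Check the two things that must hold for a filtered GPO to work:
    # at least one principal has Apply, and computer accounts can read it.
    param([Parameter(Mandatory)][string]$GpoName)
    $perms   = Get-GPPermission -Name $GpoName -All | Where-Object { -not $_.Denied }
    $applyTo = @($perms | Where-Object { $_.Permission -eq 'GpoApply' } | ForEach-Object { $_.Trustee.Name })
    $readers = @($perms | Where-Object { $_.Permission -in 'GpoRead', 'GpoApply' } | ForEach-Object { $_.Trustee.Name })
    $computersCanRead = ($readers -contains 'Authenticated Users') -or ($readers -contains 'Domain Computers')
    [pscustomobject]@{
        Gpo              = $GpoName
        AppliesTo        = ($applyTo -join ', ')
        ComputersCanRead = $computersCanRead
        Ok               = ($applyTo.Count -gt 0) -and $computersCanRead
    }
}

Set-GpoSecurityFilter  -GpoName 'Sales Desktop' -GroupName 'Sales Users'
Test-GpoSecurityFilter -GpoName 'Sales Desktop'
```

Run Test-GpoSecurityFilter across Get-GPO -All after any permission clean-up: a GPO with Ok = False is one that either applies to nobody or, after MS16-072, applies its computer half but silently drops its user half.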

Override user-based Group Policy with computer-based Group Policy only when necessary.

Override user-based Group Policy with computer-based Group Policy only if you want the desktop configuration to be the same regardless of who logs on. The mechanism for doing this is "loopback," an advanced Group Policy setting that is useful in certain closely managed environments, such as laboratories, classrooms, public kiosks, and reception areas. You can find loopback in the console tree of the Group Policy snap-in.

Where?

Group Policy object name > Computer Configuration > Administrative Templates > System > Group Policy > User Group Policy loopback processing mode

Use Group Policy rather than System Policy.

Use System Policy only to manage computers that run an operating system that is earlier than Windows 2000 or if you need to manage desktops for multiple users on a stand-alone computer. For more information, see Migration issues.

Avoid cross-domain Group Policy object assignments.

The processing of Group Policy objects slows the startup and logon processes if Group Policy is obtained from another domain.

Do not set File System policy on a drive or directory, such as Sysvol, that is replicated by the File Replication service (FRS).

Settings that are under File System in the Group Policy console rewrite the security descriptors of the target files at every policy refresh. On an FRS-replicated tree that rewrite is itself a change to replicate, so it can cause excessive replication, disk-drive thrashing, and waste of network bandwidth.

Where?

Group Policy object name > Computer Configuration > Windows Settings > Security Settings > File System
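File System settings are stored in each Group Policy object's security template, GptTmpl.inf, under the [File Security] section, one line per path in the form "path",mode,"SDDL". The following added example (not from the Help page) scans every GPO in the domain for File System entries whose path points into SYSVOL or an FRS staging directory. It assumes the GroupPolicy module, read access to the SYSVOL share, and that the regular expression in $Pattern is adjusted for any other replica sets in your environment; the default pattern is an assumption for the example.

```powershell
# Added example: find Security Settings > File System entries that target
# replicated paths. Assumes RSAT GroupPolicy module and read access to SYSVOL.
Import-Module GroupPolicy

function Find-FileSystemPolicyOnReplicatedPath {
    param(
        [string]$Domain  = $env:USERDNSDOMAIN,
        [string]$Pattern = 'SYSVOL|NTFRS_'      # assumption: extend for your own replica sets
    )
    foreach ($gpo in Get-GPO -All -Domain $Domain) {
        # Standard location of the machine-side security template for a GPO.
        $inf = "\\$Domain\SYSVOL\$Domain\Policies\{$($gpo.Id)}\Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf"
        if (-not (Test-Path -LiteralPath $inf)) { continue }   # no Security Settings in this GPO

        $inFileSecurity = $false
        foreach ($line in Get-Content -LiteralPath $inf) {
            # Section headers switch the parser on/off; only [File Security] matters here.
            if ($line -match '^\s*\[(?<section>[^\]]+)\]') {
                $inFileSecurity = ($Matches.section -eq 'File Security')
                continue
            }
            if (-not $inFileSecurity) { continue }

            # Entry format: "<path>",<mode>,"<SDDL>"
            if ($line -notmatch '^"(?<path>[^"]+)",(?<mode>\d+),"(?<sddl>.*)"') { continue }
            # Copy the captures before running another -match, which resets $Matches.
            $entryPath = $Matches.path
            $mode      = $Matches.mode
            $sddl      = $Matches.sddl

            if ($entryPath -match $Pattern) {
                [pscustomobject]@{
                    Gpo  = $gpo.DisplayName
                    Path = $entryPath
                    Mode = $mode
                    Sddl = $sddl
                }
            }
        }
    }
}

Find-FileSystemPolicyOnReplicatedPath | Format-Table -AutoSize
```

Each hit is a File System policy that will be re-applied, and therefore re-replicated, at every refresh interval; move such permissions out of Group Policy and set them once on the file system directly.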

Software installation and management

Specify application categories for your organization.

Using categories makes it easier for users to find an application in Add or Remove Programs in Control Panel. You can define application categories, such as Sales Applications, Accounting Applications, and so on. For more information, see To specify categories for applications to be managed.

Make sure that Windows Installer packages are correctly transformed before they are published or assigned.

Transforms (.mst files) are customizations that are applied to Windows Installer packages. A transform is applied at the time of assignment or publication, not at the time of installation. In practical terms, this means that you should make sure that the Modifications tab in the package properties dialog box is set up the way that you want it before you click OK; changing the tab afterwards does not alter a package that has already been assigned or published. If you assign or publish a transformed package before you have completely configured it, you can remove the software and republish or reassign it, or you can upgrade the software with a completely transformed version. For more information on how to do this, see To remove a managed application and To upgrade applications. Also, see Work with package modifications.

Assign or publish just once per Group Policy object.

It is recommended that a Windows Installer package be used to assign an application or to publish an application no more than once in the same Group Policy object. For example, if you assign Microsoft Office to the computers that are affected by a Group Policy object, do not also assign or publish it to the users who are affected by the same Group Policy object. For more information, see To assign an application and To publish an application.

Take advantage of authoring tools.

Developers who are familiar with the files, registry entries, and other requirements that are necessary for an application to work properly can author native Windows Installer packages by using tools that are available from various software vendors.

Repackage existing software.

You can use commercially available tools to create Windows Installer packages for software that does not include natively authored .msi files. These tools work by taking a snapshot of a computer's state (files and registry) before and after the software is installed and packaging the difference. For best results, run the repackaging on a reference computer that is free of other application software (a clean install), so that only the changes made by the software being packaged are captured.

Use Systems Management Server and Distributed File System.

Microsoft Systems Management Server and Distributed File System (DFS) are helpful in managing software distribution points (the network shares from which users install their managed software).

Assign or publish applications at a high level in the Active Directory hierarchy.

Because Group Policy settings apply by default to child Active Directory containers, it is efficient to assign or publish applications by linking a Group Policy object to a parent organizational unit or domain. Use the ACEs in the Group Policy object's security descriptor (Read and Apply Group Policy) for finer control over who receives the software. For more information, see To filter the scope of Group Policy according to security group membership.

Use required, rather than optional, upgrades.

For the correct upgrade procedures, both required and optional, see To upgrade an application.

The Upgrades tab for a package in Software Installation has a Required upgrade for existing packages check box. It is recommended that you select this check box. If two users use the application on one computer, and one user upgrades the application and the other does not, both versions of the application exist on the computer. Some applications do not support this configuration.

You can access the properties dialog box for a package in the console tree of the Group Policy snap-in.

Where?

Group Policy object name > Computer Configuration (or User Configuration) > Software Settings > Software installation > Package Name

 

Note

Authenticated Users need the Read and Apply Group Policy ACE to be able to install applications from the software distribution point.

Administrators need Full Control to manage software.

Use Software Installation properties for widely scoped control.

In the Group Policy console, right-click Software installation, and then click Properties.

Where?

Group Policy object name > Computer Configuration (or User Configuration) > Software Settings > Software installation

Using Software Installation properties saves administrative keystrokes when you assign or publish a large number of packages with similar properties in a single Group Policy object; for example, when all the software is published and it all comes from the same software distribution point. For specific procedures, see Set options for Software Installation.

Use Windows Installer package properties for fine control.

Go to Software Installation, as described in the previous best practice, right-click the package in the details pane, and then click Properties. Use this method for assigning or publishing a single package. For specific procedures, see Work with applications.

Folder Redirection

Allow the system to create the folders.

If you create the folders yourself, they will not have the correct permissions. When the system creates them, the per-user folder is owned by that user and is not readable by other users.

If you must create the folders yourself, or have already done so, the information in the "Folder Redirection permissions" section in the Folder Redirection Help topic might not apply.

Do not redirect My Documents to the home directory unless you have already deployed home directories in your organization.

Redirection to the home directory offers less security than standard folder redirection, and it is offered only for backward compatibility. For more information, see Folder Redirection and To redirect My Documents to the home directory.

If you redirect My Documents to the home directory, and if your users log on to the domain via Terminal Server clients, do not specify a separate Terminal Services Home Directory.

The properties dialog box for a user in Active Directory has a Profile tab, where the Home Folder can be set, and also a Terminal Services Profile tab, where the Terminal Services Home Directory can be set. If these network folders are different, logging on to the terminal server causes the Profile Home Folder to be copied to the Terminal Services Home Directory. Logging off the terminal server causes copying to occur in the opposite direction. This is probably not the intended behavior, and it might result in delay in the logon and logoff processes for users. For more information, see To redirect My Documents to the home directory.

Enable client-side caching.

This is especially important for users with portable computers. For information on how to configure Folder Redirection and Offline Files to work together, see Folder Redirection.

Always enable the "Synchronize all offline files before logging off" Group Policy setting.

Where?

Group Policy object name  > Computer Configuration (or User Configuration) > Administrative Templates > Network > Offline Files

Enabling this setting ensures that offline files are fully synchronized and that all the files in the user's redirected folder are available when the user is working offline. If this setting is not enabled, the system performs only a cursory synchronization, and as a result only recently used files are cached.
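Both the loopback setting described under "Override user-based Group Policy with computer-based Group Policy only when necessary" and the Offline Files setting above are Administrative Template settings, which means each is a single registry value written to the GPO's registry.pol and applied to the client's registry at refresh. The following added example (not from the Help page) sets both on one GPO with Set-GPRegistryValue, which writes the same entries the Administrative Templates UI does, and shows how to read them back from the GPO and from a client. It assumes the GroupPolicy module and that "Kiosk Desktop" is a hypothetical GPO name; the registry locations are those defined by the Windows policy templates.

```powershell
# Added example: configure loopback (Replace) and "Synchronize all offline
# files before logging off" on a hypothetical GPO, then verify.
Import-Module GroupPolicy

$KioskGpo = 'Kiosk Desktop'   # hypothetical

function Enable-LoopbackProcessing {
    # Computer Configuration > Administrative Templates > System > Group Policy >
    # User Group Policy loopback processing mode. The template writes
    # UserPolicyMode under HKLM\...\System: 1 = Merge, 2 = Replace.
    param(
        [Parameter(Mandatory)][string]$GpoName,
        [ValidateSet('Merge', 'Replace')][string]$Mode = 'Replace'
    )
    $value = if ($Mode -eq 'Merge') { 1 } else { 2 }
    Set-GPRegistryValue -Name $GpoName -Key 'HKLM\Software\Policies\Microsoft\Windows\System' `
        -ValueName 'UserPolicyMode' -Type DWord -Value $value | Out-Null
}

function Enable-SyncAllOfflineFilesAtLogoff {
    # Administrative Templates > Network > Offline Files >
    # Synchronize all offline files before logging off. Template value SyncAtLogoff = 1.
    # HKLM\ selects Computer Configuration; use HKCU\ for the User Configuration copy.
    param([Parameter(Mandatory)][string]$GpoName)
    Set-GPRegistryValue -Name $GpoName -Key 'HKLM\Software\Policies\Microsoft\Windows\NetCache' `
        -ValueName 'SyncAtLogoff' -Type DWord -Value 1 | Out-Null
}

function Get-GpoPolicyValue {
    # Read a registry-based setting back from the GPO. Get-GPRegistryValue throws
    # when the value is absent, which is what "Not Configured" looks like in registry.pol.
    param([string]$GpoName, [string]$Key, [string]$ValueName)
    try   { (Get-GPRegistryValue -Name $GpoName -Key $Key -ValueName $ValueName -ErrorAction Stop).Value }
    catch { $null }
}

Enable-LoopbackProcessing         -GpoName $KioskGpo -Mode Replace
Enable-SyncAllOfflineFilesAtLogoff -GpoName $KioskGpo

[pscustomobject]@{
    Gpo            = $KioskGpo
    UserPolicyMode = Get-GpoPolicyValue $KioskGpo 'HKLM\Software\Policies\Microsoft\Windows\System'   'UserPolicyMode'
    SyncAtLogoff   = Get-GpoPolicyValue $KioskGpo 'HKLM\Software\Policies\Microsoft\Windows\NetCache' 'SyncAtLogoff'
}

# On a client in scope, after gpupdate /force, the applied values land in the
# live registry; a missing value there means the GPO did not reach the machine.
# Get-ItemProperty -Path 'HKLM:\Software\Policies\Microsoft\Windows\System'   -Name UserPolicyMode
# Get-ItemProperty -Path 'HKLM:\Software\Policies\Microsoft\Windows\NetCache' -Name SyncAtLogoff
```

For loopback, also run gpresult /scope user /r on the kiosk as a test user: with Replace mode the user-side GPOs listed should be the ones linked to the computer's OU, not the user's.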

Use fully qualified universal naming convention (UNC) paths, for example: \\server\share.

Although paths like C:\Foldername can be used, this is not recommended, because the path may not exist on the target computer.

 Caution

Universal naming convention (UNC) paths that are longer than 260 characters are truncated. If the path is truncated, redirection fails.
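The two checks this section asks for before a redirection target goes live (a fully qualified UNC path short enough to survive the 260-character limit once the per-user part is appended, and a share root whose permissions let the system create the per-user folders rather than an administrator pre-creating them) can be done in one pass. The following is an added example, not from the Help page. It assumes the target root is reachable from the machine running it, that per-user folders are named after the user account (the usual %username% convention), and that the list of principals expected on the root is adjusted to your own standard; the default list in $AllowedPrincipals is an assumption for the example, not the Help topic's permission table.

```powershell
# Added example: pre-deployment checks for a Folder Redirection target root.
# Returns a list of findings; an empty list means nothing was flagged.
function Test-RedirectionTarget {
    param(
        [Parameter(Mandatory)][string]$Path,
        # Assumption for the example: principals expected on the share root.
        [string[]]$AllowedPrincipals = @(
            'NT AUTHORITY\SYSTEM', 'CREATOR OWNER', 'BUILTIN\Administrators', 'NT AUTHORITY\Authenticated Users'
        )
    )
    $findings = New-Object System.Collections.Generic.List[string]

    # 1. Shape of the path: \\server\share, with a fully qualified server name.
    if ($Path -notmatch '^\\\\[^\\]+\\[^\\]+') {
        $findings.Add("Not a UNC path of the form \\server\share: '$Path'")
    }
    elseif ($Path -match '^\\\\[^\\.]+\\') {
        $findings.Add("Server name is not fully qualified (no DNS suffix): '$Path'")
    }

    # 2. Length: the page says paths over 260 characters are truncated and
    #    redirection then fails. Reserve room for \<username>\My Documents
    #    (20-character user name assumed for the budget).
    $reserve = ('\' + ('x' * 20) + '\My Documents').Length
    if ($Path.Length + $reserve -gt 260) {
        $findings.Add("Path ($($Path.Length) chars) leaves too little room under the 260-character limit")
    }

    if (-not (Test-Path -LiteralPath $Path)) {
        $findings.Add("Path is not reachable from this host")
        return $findings
    }

    # 3. Root ACL: anything outside the expected set, and any Full Control for
    #    the broad groups, would let users read each other's redirected folders.
    $fullControl = [System.Security.AccessControl.FileSystemRights]::FullControl
    foreach ($ace in (Get-Acl -LiteralPath $Path).Access) {
        $id = $ace.IdentityReference.Value
        if ($id -notin $AllowedPrincipals) {
            $findings.Add("Unexpected ACE on root: $id $($ace.FileSystemRights) ($($ace.AccessControlType))")
        }
        if ($id -in 'Everyone', 'NT AUTHORITY\Authenticated Users' -and
            $ace.AccessControlType -eq 'Allow' -and $ace.FileSystemRights.HasFlag($fullControl)) {
            $findings.Add("$id has Full Control on the root; every user could read every other user's folder")
        }
    }

    # 4. Pre-created per-user folders: the system would have made the user the
    #    owner. Assumes folders are named after the user account.
    foreach ($dir in Get-ChildItem -LiteralPath $Path -Directory) {
        $owner = (Get-Acl -LiteralPath $dir.FullName).Owner
        if ($owner -notlike "*\$($dir.Name)") {
            $findings.Add("Pre-created folder '$($dir.Name)' is owned by $owner, not by the user")
        }
    }
    return $findings
}

$result = Test-RedirectionTarget -Path '\\files.corp.example\Redir$'   # hypothetical share
if ($result.Count -eq 0) { 'OK' } else { $result }
```

Run it from an ordinary domain-joined workstation rather than the file server itself, so that the reachability and ACL checks see the share the way clients will.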

Have My Pictures follow My Documents.

This practice is recommended, unless there is a compelling reason against it, such as file share scalability.

Remember policy removal considerations.

Remember the behavior that your Folder Redirection policies will have at the time of policy removal, as described in the table of policy removal considerations in Folder Redirection. Changing the redirection option to Not configured does not redirect the folder back to the user's local profile location; it continues to be redirected to the previous location. If you want to return the folder to the local user profile location, use the "Redirect to the local user profile" setting, as described in To redirect special folders to the local profile location.

Accept the default settings.

In general, accept the default Folder Redirection settings.

© 2017 Microsoft Corporation. All rights reserved.