Microsoft NHS Resource Centre - The dos and don'ts of Group Policy naming

The dos and don'ts of Group Policy naming

In his new monthly column, Kingsley Starling will be discussing all things technical relating to Desktop Deployment and Desktop Management and this first edition focuses on what's good when naming Group Policies and what's not.

Thinking of a good naming convention for objects in a network environment is harder than it sounds for a lot of IT administrators. Naming Group Policies, though, is probably the easiest of all the objects within your Active Directory environment when compared to computers, users, groups, sites etc.

That said, it seems the one thing that's not included is naming convention designs, and I’ve visited many customer sites and seen quite an interesting array of different names for Group Policies.
I have a naming convention that I use at almost every customer I engage with where I’m involved in Group Policies, which I think can help make life a bit easier.
The idea of this naming convention is to:
  • Be easy to implement
  • Provide quick access to the policy you need
  • Help differentiate between computer and user policies
  • Help IT administrators in the maintenance of policies
First, a bit of background to the policies that I create as this could help in the understanding of the naming convention.
For each object that will have a Group Policy Object (GPO) applied to it, I have a baseline GPO that typically includes settings that all objects require and that tend not to change frequently, followed by incremental policies to tweak the target object further.
I then split the policy settings such that a GPO has configuration for either computer OR user; not both. (There are exceptions to this general rule of thumb that I’ll touch on later.) Having a GPO that focuses only on computer settings allows you to disable the user portion of the GPO and vice versa.
Keeping these two points in mind when looking at the naming convention, the GPO name is in the form of Type Focus Description.
Where:
  • Type = Mandatory, Baseline or Incremental
  • Focus = Computer, User, Both, Domain Policy, Domain Controllers Policy, Server
  • Description = A description of what the GPO is doing and typically only used for an Incremental policy
When viewing the GPO container with the Group Policy Management Console (GPMC), you’re presented with a list of GPOs that is easy to view and grouped together by type and focus.
For example, the list of GPOs could look like this:
  • Baseline COMPUTER
  • Baseline SERVER
  • Baseline USER
  • Incremental BOTH Group Policy Administration
  • Incremental COMPUTER BitLocker and TPM
  • Incremental COMPUTER Blocking Internet Explorer 7
  • Incremental COMPUTER Office 2003
  • Incremental COMPUTER Power Management
  • Incremental COMPUTER Security Hardening
  • Incremental COMPUTER Software Installs
  • Incremental COMPUTER Software Restriction
  • Incremental COMPUTER WSUS
  • Incremental SERVER Application
  • Incremental SERVER Domain Controller
  • Incremental SERVER Exchange
  • Incremental SERVER File and Print
  • Incremental SERVER IIS
  • Incremental USER Internet Explorer
  • Incremental USER Look and Feel
  • Incremental USER Office 2003
  • Incremental USER Office 2007
  • Incremental USER Redirected Folders
  • Incremental USER Removable Storage Device Installation
  • Incremental USER Removable Storage Device Access
  • Mandatory Domain Controllers Policy
  • Mandatory Domain Policy
As can be seen, the GPOs are grouped together depending upon their focus. In the examples above I’ve kept the description fairly short. By all means expand on this to give yourself even more detail on the focus of the GPO.
For example, you may wish to extend the ‘Incremental COMPUTER Software Restriction’ name to state exactly what you are restricting. You could then have the following policies:
  • Incremental COMPUTER Software Restriction iTunes
  • Incremental COMPUTER Software Restriction Google Updater
  • Incremental COMPUTER Software Restriction Minesweeper
  • Incremental COMPUTER Software Restriction VB Scripts
For those who are thinking this is a massive job to rename your hundreds of GPOs, and as such is probably not going to get done, remember that the renaming of GPOs does not interfere with users at all; it is purely a name for your IT administrators to use. Tackle the job bit-by-bit.
Also, if you are thinking that most if not all of your GPOs contain settings for both users and computers and so you can’t use the COMPUTER or USER focus, now is a good time to split the GPO up into these categories. Doing so will help in understanding exactly what the GPO is doing and can often result in realising that part of the GPO is actually redundant.
One final point: there are some policies where you would have both computer and user settings enabled. The example list above shows the GPO for Group Policy Administration; this sets policies to ensure administrators of GPOs always use the most up-to-date ADM templates. Another example of where I would have both computer and user settings in a GPO is a loopback policy. So where possible, split the settings into different GPOs, but there are times when it is needed, or best, to keep them together.
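
One way to check an existing estate against the Type Focus Description convention, as an added example that is not part of the original article. The function name Test-GpoName and the sample GPO objects are constructed for illustration, and the rule that a COMPUTER or USER policy should have its unused half disabled is an assumption drawn from the article's remark that a single-focus GPO allows you to disable the other portion.

```powershell
# Added example: audit GPO names against the "Type Focus Description" convention.
# Each input object needs DisplayName and GpoStatus, as returned by Get-GPO.
$pattern = '^(?<Type>Mandatory|Baseline|Incremental) ' +
    '(?<Focus>COMPUTER|USER|BOTH|SERVER|Domain Policy|Domain Controllers Policy)' +
    '(?: (?<Description>.+))?$'

# Assumption of this example: a single-focus GPO has its unused half disabled.
$expectedStatus = @{
    COMPUTER = 'UserSettingsDisabled'
    USER     = 'ComputerSettingsDisabled'
}

function Test-GpoName {
    param([Parameter(ValueFromPipeline)] $Gpo)
    process {
        $issues = @()
        if ($Gpo.DisplayName -match $pattern) {
            $focus = $Matches.Focus
            if ($Matches.Type -eq 'Incremental' -and -not $Matches.Description) {
                $issues += 'Incremental policy has no description'
            }
            $want = $expectedStatus[$focus]   # $null for BOTH, SERVER and domain policies
            if ($want -and "$($Gpo.GpoStatus)" -ne $want) {
                $issues += "Focus is $focus but GpoStatus is $($Gpo.GpoStatus)"
            }
        } else {
            $issues += 'Name is not in Type Focus Description form'
        }
        [pscustomobject]@{
            Name   = $Gpo.DisplayName
            Result = if ($issues) { 'REVIEW' } else { 'OK' }
            Issues = $issues -join '; '
        }
    }
}

# Constructed sample input so the example runs without a domain.
$sample = @(
    [pscustomobject]@{ DisplayName = 'Baseline COMPUTER';                   GpoStatus = 'UserSettingsDisabled' }
    [pscustomobject]@{ DisplayName = 'Incremental USER Redirected Folders'; GpoStatus = 'AllSettingsEnabled' }
    [pscustomobject]@{ DisplayName = 'Incremental COMPUTER';                GpoStatus = 'UserSettingsDisabled' }
    [pscustomobject]@{ DisplayName = 'New Group Policy Object';             GpoStatus = 'AllSettingsEnabled' }
    [pscustomobject]@{ DisplayName = 'Mandatory Domain Policy';             GpoStatus = 'AllSettingsEnabled' }
)
$sample | Test-GpoName | Format-Table -AutoSize -Wrap
# Against a live domain (GroupPolicy module): Get-GPO -All | Test-GpoName
```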

About the author: Kingsley Starling has been providing infrastructure consultancy in Microsoft technologies for over 11 years. He specialises in Active Directory and Group Policy infrastructure designs as well as planning and implementing automated deployment solutions. Kingsley provides his services to medium and large organisations through his company Konsultancy.
