Disabling half of a GPO

One controversial option that exists for every Group Policy Object is the ability to disable half of its settings. Namely, you can choose to disable the entire set of computer settings (allowing only the user settings to work), or you can disable all user settings (which allows only computer settings within the GPO to function). The purpose of this capability is to speed up Group Policy processing when a machine boots or a user logs in.

Oftentimes, we create GPOs with specific purposes in mind. Usually, the settings that we plug into a GPO are only ever going to be on one side of the house or the other. It is quite rare that you would create a GPO that contains both user and computer settings; typically, you would want to scope user and computer settings separately, and so you would create separate GPOs to contain those settings. When Group Policy processes its settings, it runs through all of the settings in each GPO. This happens very fast, but what about in an environment with 400 GPOs? If you were able to disable the unused half of each GPO, that literally cuts in half the amount of time and processing power that Group Policy needs when running a refresh on a machine, which can become substantial.

Why is this option controversial? Because it is easy to forget that you have flagged a GPO to be halfway disabled. Imagine the troubleshooting hours that you may have to put into a setting that you have added to a GPO but that simply isn't working no matter what you try. After banging your head against the wall for hours looking into links, scopes, and filtering options, you may only then stumble on the screen that allows you to disable large parts of a GPO and discover that the setting you are putting into place is being ignored because someone set the GPO to be half disabled.

All in all, I believe that if you are aware of this option and how to check its status, then it is safe to use and can speed up logon times in your environment. Most of the time, when I build GPOs, I am only putting computer settings into that GPO, and usually I am creating GPOs that I don't want anyone to manipulate down the road, so I frequently disable the User Configuration settings part of my GPOs. Let's take a look at this option together, so that you know exactly where to configure it, and where to check to find out whether or not this option is configured for any GPO in your environment.

Inside GPMC, expand your Group Policy Objects folder and click on any GPO that exists in your environment. Then, on the right-hand side of the screen, click on the Details tab. Here, you can see some statistical information about the GPO itself, and at the bottom is an option labeled GPO Status that contains a drop-down list of options:

The options are as follows:

  • Enabled: This is the default status for any GPO. This means that the GPO will process both user and computer settings when it applies to an object.
  • Computer configuration settings disabled: Select this option to immediately disable all processing of the computer settings within this GPO. Only user-side items will function.
  • User configuration settings disabled: Select this option to immediately disable all processing of the user settings within this GPO. Only computer-side items will function.
  • All settings disabled: This option will cause all settings within a GPO to stop functioning, effectively disabling the GPO. This option is rarely used, but could be useful if you ever had the need to immediately stop some settings from getting pushed into place. Disabling or unlinking GPOs could also work, but that generally means you are disabling multiple links, which takes more time, and then you have to do all of that work again when it comes time to turn the GPO back on. By disabling it at this level, you have one single click to immediately and effectively disable the entire GPO. All settings disabled can also be useful when building out a new GPO. Maybe you need to input a whole list of settings into a GPO, but you already have it linked out to some OUs and you don't want these settings to start rolling out to the client computers before you finish populating the GPO with all of the remaining settings. By temporarily disabling the GPO inside the Details screen, you will stop that GPO from putting any settings out in the wild until you have confirmed it is 100% ready to roll.

You don't have to find and click on the actual GPO in order to make this GPO status change. If you were to instead click on any link associated with that GPO, you would also be able to manipulate this drop-down box. Remember that this change affects the entire GPO and will also change the settings for any other links that are hooked to this GPO!
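
The same GPO Status check can be run across every GPO at once instead of clicking through the Details tab one GPO at a time. The script below is an added example, not taken from the original text: the function name `Get-GpoHalfStatusReport` and the sample GPOs are hypothetical, and it assumes the `GpoStatus`, `User.DSVersion` and `Computer.DSVersion` properties returned by `Get-GPO` in the GroupPolicy module, treating a version of 0 as "this half was never edited".

```powershell
# Added example: report GPOs whose GPO Status disables a half that holds settings,
# and GPOs whose empty half is still enabled. Function name is hypothetical.
function Get-GpoHalfStatusReport {
    [CmdletBinding()]
    param(
        # A Microsoft.GroupPolicy.Gpo from Get-GPO, or any object shaped like one.
        [Parameter(Mandatory, ValueFromPipeline)] $Gpo
    )
    process {
        $status  = [string]$Gpo.GpoStatus
        # DSVersion stays 0 until that half has been edited at least once (heuristic:
        # a non-zero value means "was edited", not "still contains settings").
        $userVer = [int]$Gpo.User.DSVersion
        $compVer = [int]$Gpo.Computer.DSVersion
        $userOff = $status -in 'UserSettingsDisabled', 'AllSettingsDisabled'
        $compOff = $status -in 'ComputerSettingsDisabled', 'AllSettingsDisabled'

        $finding = @()
        if ($userOff -and $userVer -gt 0) { $finding += 'User settings exist but are disabled' }
        if ($compOff -and $compVer -gt 0) { $finding += 'Computer settings exist but are disabled' }
        if (-not $userOff -and $userVer -eq 0) { $finding += 'User half empty, could be disabled' }
        if (-not $compOff -and $compVer -eq 0) { $finding += 'Computer half empty, could be disabled' }

        [pscustomobject]@{
            DisplayName = $Gpo.DisplayName
            GpoStatus   = $status
            UserVersion = $userVer
            CompVersion = $compVer
            Finding     = $finding -join '; '
        }
    }
}

# Constructed sample objects so the script runs without a domain.
function New-SampleGpo($Name, $Status, $UserVer, $CompVer) {
    [pscustomobject]@{ DisplayName = $Name; GpoStatus = $Status
        User     = [pscustomobject]@{ DSVersion = $UserVer }
        Computer = [pscustomobject]@{ DSVersion = $CompVer } }
}
$sample = @(
    New-SampleGpo 'Workstation Hardening' 'UserSettingsDisabled'     0 12
    New-SampleGpo 'Mapped Drives'         'ComputerSettingsDisabled' 7 0
    New-SampleGpo 'Legacy Lockdown'       'UserSettingsDisabled'     3 9   # hidden user settings
    New-SampleGpo 'New Baseline'          'AllSettingsEnabled'       0 4   # empty user half
)
$sample | Get-GpoHalfStatusReport | Format-Table -AutoSize -Wrap

# Against a live domain (needs the GroupPolicy module that ships with GPMC):
# Get-GPO -All | Get-GpoHalfStatusReport | Where-Object Finding
```

In the sample output, only "Legacy Lockdown" and "New Baseline" carry a finding: the first is the troubleshooting trap described earlier, the second is a candidate for disabling its unused half.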
