Active Directory and GPO – Going Back to the Fundamentals

Going back to the fundamentals

When I say going back to the fundamentals, what I mean is that one should do proper design and planning before implementation.

Active Directory Service

During the past few months, I have been working on designing an enterprise-level Active Directory Service. Then I realised something: most people feel that Active Directory Service mainly serves as network logon for domain users. Domains are created by simply launching the command “dcpromo”, and all the namespaces are created on the spot. Some people may laugh when reading this, but it's true out there.

Going back to the fundamentals, one should spend more time on designing and testing before executing the plan. This was taught as part of a module during my school days and I believe in it a lot. My personal experience is that proper planning can really help to avoid many predictable issues.

If one were to ask where to look for information on planning for Active Directory, I usually recommend the Microsoft site “Infrastructure Planning and Design”. One can download many guides for Microsoft infrastructure technologies such as Active Directory Certificate Services, Active Directory Domain Services, File Services, MED-V, Internet Information Services and many more!

What I advise is to download the Active Directory Domain Services guide and spend time planning properly. The reason is that all other services integrate with or rely on Active Directory. Therefore, any issue with Active Directory due to poor planning may affect other services in the infrastructure.

Group Policy Objects (GPO)

My recent encounters show that people know about Group Policy Objects when we design Active Directory Service, but they do not understand what GPO is and how it works…

I would like to use this chance to state clearly that Active Directory Service and Group Policy Objects are 2 separate components. They are just very closely integrated. The reason I see it that way is that we can deploy Local Group Policy Objects (LGPO) whether there is an Active Directory Service or not.

Therefore, during any consulting session, if you never indicate that you need consulting service on GPO during the Active Directory Service consulting service, do not be shocked when the consulting firm tells you that GPO is not part of the scope of work.

My advice to IT Pros out there is that they should learn how to use GPO, both Local and Domain, with in-depth understanding and proper planning. Why? Because domain GPO can really help IT Pros manage their IT environment. For example, I can use GPO to deploy software (mainly MSI format), standardize client machine settings and lock down client machines; and with Group Policy Preferences (GPP), one can deploy TCP/IP printers without using any complex script, along with many other settings.

So, if anyone were to ask me about GPO, I would recommend that they read the following sites to understand what GPO can do first.

Group Policy Collection

How Core Group Policy Works – READ THIS!!


AD and GPO integrate closely. During planning, one should plan AD and GPO together (if the client asks for it; if not, do cater for changes). Therefore, when planning AD, and in particular the Organizational Unit (OU) structure, you need to plan with the question “How can GPO be applied?” in mind. This is very important.

One more piece of advice… Once your domain is ready, create a policy to lock down the right of all domain users to add workstations to the domain. This will allow you to manage your domain better.
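Before creating that lockdown policy, it helps to see who can currently join machines. The script below is an added example, not part of the original post; it assumes the RSAT ActiveDirectory and GroupPolicy modules, and pairing the "Add workstations to domain" user right with the `ms-DS-MachineAccountQuota` attribute is this example's choice of what to check.

```powershell
# Added example: read-only audit of who can join machines to the domain.
# Assumes RSAT (ActiveDirectory and GroupPolicy modules) and domain read access.
Import-Module ActiveDirectory, GroupPolicy

$domain = Get-ADDomain

# 1. Directory side: number of computer accounts an ordinary authenticated
#    user may create (default 10; 0 disables self-service joins).
$quota = (Get-ADObject -Identity $domain.DistinguishedName `
            -Properties 'ms-DS-MachineAccountQuota').'ms-DS-MachineAccountQuota'
Write-Output "ms-DS-MachineAccountQuota = $quota"

# 2. GPO side: find every GPO that defines "Add workstations to domain"
#    (SeMachineAccountPrivilege) and list who it grants the right to.
$xpath = "//*[local-name()='UserRightsAssignment']" +
         "[*[local-name()='Name']='SeMachineAccountPrivilege']"
foreach ($gpo in Get-GPO -All) {
    $report = Get-GPOReport -Guid $gpo.Id -ReportType Xml
    foreach ($hit in Select-Xml -Content $report -XPath $xpath) {
        $members = $hit.Node.SelectNodes("*[local-name()='Member']/*[local-name()='Name']") |
                   ForEach-Object { $_.InnerText }
        [pscustomobject]@{
            Gpo     = $gpo.DisplayName
            Members = if ($members) { $members -join '; ' } else { '(nobody)' }
        }
    }
}

# 3. Existing computer accounts created through the user right (quota) rather
#    than delegated permissions: AD records the creator in mS-DS-CreatorSID.
Get-ADComputer -LDAPFilter '(mS-DS-CreatorSID=*)' -Properties 'mS-DS-CreatorSID', whenCreated |
    ForEach-Object {
        $sid = $_.'mS-DS-CreatorSID'
        $who = try { $sid.Translate([System.Security.Principal.NTAccount]).Value }
               catch { $sid.Value }   # creator deleted or unresolvable
        [pscustomobject]@{ Computer = $_.Name; JoinedBy = $who; Created = $_.whenCreated }
    }

# 4. Change step, deliberately commented out: after delegating joins to a
#    dedicated group, set the quota to 0.
# Set-ADDomain -Identity $domain -Replace @{ 'ms-DS-MachineAccountQuota' = 0 }
```

Machines listed in step 3 show how much the default right is already being used, which tells you who needs a delegated join permission before the lockdown goes in.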

Hope my experience helps.

This entry was posted in Group Policy, Microsoft Active Directory.