This section presents several models of GPO design. These examples are not intended as guidelines, but they do illustrate various ways to approach GPO design. In most corporate environments, administrators may use a combination of these or similar models, tailored to their business requirements.
The key overriding approaches are either functional or geographic models. The rest are usually variants of those.
Layered GPO Design Model
The objective of this design model is to create GPOs based on a layered approach. This approach optimizes maintenance of GPOs and facilitates delegation.
The following graphic illustrates an example of this model.
[Figure: Layered GPO model. Organizational units shown: Accounting, Sales, Finance, Payroll, Agent, Direct. Accounting GPO contains: accounts policy, scripts policy, security settings. Payroll GPO contains: software installation policy, printers policy. Sales GPO contains: software installation policy. Direct GPO contains: software installation policy.]
Monolithic GPO Design Model
The objective of this design is to create GPOs based on a monolithic design—an approach that reduces the number of GPOs that apply to a user and/or computer but may not be optimal for delegation. The following graphic illustrates an example of the monolithic GPO model.
[Figure: Monolithic GPO model. Organizational units shown: Washington, Spokane, Bellingham, Seattle. GPOs shown: Washington GPO, Seattle GPO, Bellingham GPO. Domain GPO contains: all corporate policy settings.]
Single Policy Type GPO Design Model
The objective of this design is to create GPOs that deliver a single type of Group Policy, for example, policy for security settings. Such a design optimizes separation of duties for administrators; however, it may increase the number of GPOs that are applied to a given user or computer.
Each GPO delivers only one type of policy (security GPOs are different from script Group Policy objects, for example). Large corporations often create separate administrator groups based on administrative duties; this scenario would be useful in such corporate environments.
The following graphic illustrates an example of the single policy type GPO model.
[Figure: Single policy type GPO model. Organizational units shown: Accounting, Sales, Finance, Payroll, Agent, Direct. Accounting Software GPO contains: accounting software installation settings. Payroll Security GPO contains: payroll security settings. Agent Applications GPO contains: agent software installation settings. Domain Scripts GPO contains: only domain scripts. Domain Security GPO contains: only security settings.]
Multiple Policy Types GPO Design Model
The objective of this design is to create GPOs that deliver multiple types of policy. This is a hybrid of the single policy and monolithic models. Each GPO delivers several types of policy settings.
For example, you can create one GPO that includes Group Policy settings for software settings and application deployment, and another GPO that includes security and scripts settings, and so on. A GPO design that supports multiple policy types is useful in environments where administration is delegated, and it can reduce the number of GPOs that apply to a user and/or computer.
The following graphic illustrates an example of the multiple policy types GPO model.
[Figure: Multiple policy types GPO model. Organizational units shown: Accounting, Sales, Finance, Payroll, Agent, Direct. Accounting GPO contains: software installation policy, disk quota policy. Domain Policy GPO contains: accounts policy, scripts policy, security policy.]
Teams or Matrix Organizations GPO Model
This model applies to organizations that leverage the virtual team concept. Individuals within the organization form teams to perform a task or project and each individual is a member of multiple teams. Each team has specific Group Policy requirements. The organizational unit architecture does not reflect the team structure. This model works by using security filtering.
The following graphic illustrates an example of the team GPO design model.
[Figure: Team GPO model. Organizational units shown: Accounting, Sales, Finance, Payroll. GPOs shown: Audit Committee GPO, Domain Policy GPO.]
The Audit Committee GPO is applied to the Accounting OU. To filter the GPO effects, access permissions are removed for everyone except the Audit Committee Global Group. The Audit Committee consists of users with accounts in the Accounting,
Public Computing Environment GPO Model
This scenario applies to environments where you want the computer Group Policy settings to always take precedence over the user Group Policy settings. This scenario is useful for training classes and kiosk-type environments in which you want to provide the same desktop environment regardless of which user logs on to the computer.
The following graphic illustrates an example of the GPO design for a public computing environment. The loopback policy feature with Replace mode is used in this example. See Group Policy Loopback Support in this document for more information.
Normal Group Policy processing specifies that users in the Sales organizational unit get these GPOs: Domain Policy GPO, Accounting GPO, and Sales GPO. With the loopback policy enabled in Replace mode, when users from the Sales organizational unit log on to a computer in the Kiosks organizational unit, the user will process only these GPOs: Domain Policy GPO, Accounting GPO, Resources GPO, and Kiosks Loopback Policy GPO—the users’ list of GPOs is not gathered in this case. More specifically, the user settings specified in the Kiosks organizational unit (and those inherited) are the only GPOs processed for the user logging onto computers in that organizational unit. Those in the Users organizational unit tree are not processed.
[Figure: Public Computing Environment GPO model. Organizational units shown: Accounting, Sales, Finance, Payroll, Resources, Desktops, Kiosks. GPOs shown: Domain Policy GPO, Accounting GPO, Sales GPO, Kiosks Loopback Policy GPO.]
Kiosks Loopback Policy GPO: user policy settings based on the user object location are ignored. ONLY the user policy settings in the GPOs linked to the Computer object location will be applied. This approach ensures that the same desktop configuration is applied regardless of which user logs on to the computer.
Delegation with Central Control
This model applies to organizations that choose to delegate administration of GPOs, but would like to enforce certain Group Policy settings throughout the domain (for example, specific security policy settings).
The following graphic illustrates an example of GPO delegation with centralized control, and use of the Enforce option.
[Figure: Delegation with central control. Organizational units shown: Accounting, Sales, Finance, Payroll. GPOs shown: Payroll GPO, Finance GPO. Domain1 GPO contains: Change Password (No Override). Domain2 GPO contains: Logon Hours: 7 a.m. - 7 p.m.]
Delegation with Distributed Control
This scenario applies to organizations that want to allow administrators of organizational units to prevent Group Policy settings from being applied to their organizational unit. Administrators of an organizational unit can block Group Policy settings that have been assigned at higher levels in the hierarchy from applying to his or her organizational unit. However, administrators cannot block Group Policy settings that are marked as Enforce.
This feature allows organizations to minimize the number of domains without sacrificing autonomy.
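As an added example (not part of this document), the following Python model reproduces the precedence rules the models in this section rely on: domain-to-OU inheritance, security filtering (the team model), Block Inheritance versus Enforce (delegation with distributed and central control), and loopback processing in Replace mode, with Merge mode included for comparison. The container names, group name and GPO links are constructed to mirror the figures above; it assumes the Kiosks OU sits under Accounting/Resources, which is consistent with the GPO list given for the public computing scenario.

```python
from __future__ import annotations
from dataclasses import dataclass
@dataclass
class Gpo:
    name: str
    apply_to: frozenset | None = None   # security filtering: groups that receive it (None = everyone)
    loopback: str | None = None         # loopback mode set in the GPO's computer settings: "Merge"/"Replace"

@dataclass
class Container:                        # a domain or an organizational unit
    links: list                         # [(Gpo, enforced)] in link order
    block_inheritance: bool = False

def resolve(tree, path, groups=frozenset()):
    """GPOs applying to an object in container `path`, in processing order (last processed wins)."""
    chain = [tree[path[:i + 1]] for i in range(len(path))]         # domain -> ... -> leaf OU
    # Links above the deepest container that blocks inheritance apply only when Enforced
    block = max((i for i, c in enumerate(chain) if c.block_inheritance), default=0)
    normal, enforced = [], []
    for depth, c in enumerate(chain):
        for gpo, is_enforced in c.links:
            if gpo.apply_to is not None and not (gpo.apply_to & groups):
                continue                                             # removed by security filtering
            if is_enforced:
                enforced.append(gpo)
            elif depth >= block:
                normal.append(gpo)
    # Enforced links are processed after all others; among them the higher container wins
    return normal + enforced[::-1]

def user_gpos(tree, user_path, user_groups, computer_path):
    """Names of the GPOs whose user settings apply, honouring loopback set in the computer's GPOs."""
    computer = resolve(tree, computer_path)
    mode = next((g.loopback for g in computer if g.loopback), None)
    if mode == "Replace":               # the user's own GPO list is not gathered at all
        return [g.name for g in computer]
    user = resolve(tree, user_path, user_groups)
    # Merge: the computer's GPOs are processed after the user's, so they win conflicts
    return [g.name for g in (user + computer if mode == "Merge" else user)]

# Constructed sample hierarchy loosely mirroring the figures in this section (not from the document)
AUDIT = Gpo("Audit Committee GPO", apply_to=frozenset({"Audit Committee"}))
TREE = {
    ("corp",): Container([(Gpo("Domain Policy GPO"), False), (Gpo("Domain1 GPO"), True)]),  # Domain1: Enforced
    ("corp", "Accounting"): Container([(Gpo("Accounting GPO"), False), (AUDIT, False)]),
    ("corp", "Accounting", "Sales"): Container([(Gpo("Sales GPO"), False)]),
    ("corp", "Accounting", "Finance"): Container([(Gpo("Finance GPO"), False)]),
    ("corp", "Accounting", "Finance", "Payroll"): Container([(Gpo("Payroll GPO"), False)], True),
    ("corp", "Accounting", "Resources"): Container([(Gpo("Resources GPO"), False)]),
    ("corp", "Accounting", "Resources", "Kiosks"): Container([(Gpo("Kiosks Loopback Policy GPO", loopback="Replace"), False)]),
}
```

Running user_gpos for a Sales user against a Kiosks computer returns the four GPOs named in the loopback paragraph plus the Enforced Domain1 GPO, while a Payroll user receives only Payroll GPO and the Enforced Domain1 GPO because Payroll blocks inheritance.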