- Consolidating Group Policy, part 3: Loopback policy processing and folder redirection - Wed, Aug 25 2021
Loopback policy processing
Loopback policy processing is key because this is often set to "Merge" mode. While this allows curated settings to be deployed to user sessions based around both their Computer and User Config settings, it also means that user Group Policy is processed in two "passes," effectively increasing the processing time. Ideally, the goal for the long term should be to switch to "Replace" mode. While this may mean duplication of some active GPOs, it will make a significant difference in processing time, requiring only one "pass" to apply the settings.
Folder Redirection
Folder Redirection is key because it is one of the few client-side extensions (CSEs) within Group Policy that still requires "synchronous" processing, and it is very common to find it in use in enterprises. If the Folder Redirection CSE is used, it forces the user into synchronous processing mode. If the CSE is not used (and the functionality of Folder Redirection can be mostly replaced by GPP Registry items instead), then it is possible to use "asynchronous" processing, which is considerably faster (usually about 40–50%). Ideally, the long-term goal should be to replace the Folder Redirection CSE with either OneDrive or Registry items, and enable asynchronous processing mode globally.
Significant investigation and planning are required to achieve these goals, but together they will make an appreciable difference to the user experience and associated KPIs.
Monthly cleanup tasks
It's also important not to let our GPOs get into this sorry state again in the future. Implementing monthly cleanup tasks using GPOZaurr and other tools is a great idea and ensures that GPOs are managed properly rather than left to fester. Here are some suggestions for monthly cleanup tasks; you can probably add more for your own environments:
- Produce up-to-date GPO reports (GPOZaurr)
  - Verify GPOs that have been disabled for over 30 days, raise change to delete/archive
  - Verify GPOs that are unlinked, raise change to disable
  - Verify GPOs that are empty, raise change to disable
  - Verify GPOs without apply permissions, raise change to disable
- Produce GPO content reports (GPOZaurr/Policy Analyzer/manual review)
  - Verify GPOs with invalid security filters, raise change to disable
  - Verify GPOs with redundant settings, raise change to remove content
  - Verify content that needs review (e.g., drive mappings report), raise change to remove content
- Produce GPO permission reports (GPOZaurr)
  - Check permissions are valid, raise change to rectify if necessary
- Produce GPO access reports (AGPMC)
  - Check logs of GPO changes and access
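One way to script the first group of checks with the built-in GroupPolicy module, shown as an added example that is not code from the original article or from GPOZaurr. The output path, the use of ModificationTime as a stand-in for the date a GPO was disabled, and the extra loopback column (tying back to the Merge/Replace discussion above) are assumptions.

```powershell
#Requires -Modules GroupPolicy
# Added example: read-only audit for the monthly checks; it changes no GPO.
$disabledDays = 30                    # threshold from the checklist
$outFile      = '.\gpo-cleanup.csv'   # assumed output path
$cutoff       = (Get-Date).AddDays(-$disabledDays)
$loopbackKey  = 'HKLM\Software\Policies\Microsoft\Windows\System'

$findings = foreach ($gpo in Get-GPO -All) {
    # The XML report carries the link and settings data for this GPO.
    [xml]$xml = Get-GPOReport -Guid $gpo.Id -ReportType Xml

    $linked = [bool]$xml.GPO.LinksTo
    $empty  = -not $xml.GPO.Computer.ExtensionData -and -not $xml.GPO.User.ExtensionData
    $apply  = @(Get-GPPermission -Guid $gpo.Id -All | Where-Object Permission -eq 'GpoApply')

    # Loopback mode is the policy value UserPolicyMode: 1 = Merge, 2 = Replace.
    $mode = try {
        (Get-GPRegistryValue -Guid $gpo.Id -Key $loopbackKey -ValueName UserPolicyMode -ErrorAction Stop).Value
    } catch { $null }                 # value not configured in this GPO
    $loopback = if ($mode -eq 1) { 'Merge' } elseif ($mode -eq 2) { 'Replace' } else { '' }

    # Assumption: ModificationTime stands in for the date the GPO was disabled.
    $actions = @()
    if ($gpo.GpoStatus -eq 'AllSettingsDisabled' -and $gpo.ModificationTime -lt $cutoff) {
        $actions += "disabled over $disabledDays days: delete/archive"
    }
    if (-not $linked)       { $actions += 'unlinked: disable' }
    if ($empty)             { $actions += 'empty: disable' }
    if ($apply.Count -eq 0) { $actions += 'no apply permission: disable' }

    [pscustomobject]@{
        Name     = $gpo.DisplayName
        Id       = $gpo.Id
        Status   = $gpo.GpoStatus
        Modified = $gpo.ModificationTime
        Loopback = $loopback
        Action   = $actions -join '; '
    }
}

# Keep only GPOs that need a change raised, and save them for the change ticket.
$findings | Where-Object Action | Export-Csv -Path $outFile -NoTypeInformation
# List GPOs that still set loopback to Merge, as candidates for the Replace review.
$findings | Where-Object Loopback -eq 'Merge' | Select-Object Name, Id
```

The CSV covers the first checklist group only; the content, permission and access reports still come from the tools named in the list.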
GPOs are a technology that may not be around forever but that many people already have a huge investment in. To consolidate the existing implementation so it's easier to manage, or prepare to migrate to more modern management techniques, or even both, it is very important to come to grips with the estate and ensure you have both visibility and well-defined processes.
GPOZaurr is a great tool. Combining it with the PowerShell cmdlets and Policy Analyzer gives you a holistic, detailed view of your Group Policy Objects, which you were probably lacking previously. With this data in hand, you can make a real, appreciable difference to the size, efficiency, and management scope of your GP implementation.