GPOZaurr and other tools help you with consolidation in the short-to-medium term, but as you move forward, there are other changes you can make that will make things much simpler and easier to manage. To make a significant difference to these user KPIs, there are two areas that must be concentrated on—folder redirection and loopback policy processing. This is my third post in my series about Group Policy consolidation.

Loopback policy processing

Loopback policy processing is key because this is often set to "Merge" mode. While this allows curated settings to be deployed to user sessions based around both their Computer and User Config settings, it also means that user Group Policy is processed in two "passes," effectively increasing the processing time. Ideally, the goal for the long term should be to switch to "Replace" mode. While this may mean duplication of some active GPOs, it will make a significant difference in processing time, requiring only one "pass" to apply the settings.

Folder Redirection

Folder Redirection is key because it is one of the few client-side extensions (CSEs) within Group Policy that still requires "synchronous" processing, and it is very common to find it in use in enterprises. If the Folder Redirection CSE is used, it forces the user into synchronous processing mode. If the CSE is not used (and the functionality of Folder Redirection can be mostly replaced by GPP Registry items instead), then it is possible to use "asynchronous" processing, which is considerably faster (usually about 40–50%). Ideally, the long-term goal should be to replace the Folder Redirection CSE with either OneDrive or Registry items, and enable asynchronous processing mode globally.

Significant investigation and planning are required to achieve these goals, but together they will make an appreciable difference to the user experience and associated KPIs.

Monthly cleanup tasks

It's also important not to let our GPOs get into this sorry state again in the future. Implementing monthly cleanup tasks using GPOZaurr and other tools is a great idea and ensures that GPOs are managed properly rather than left to fester. Here are some suggestions for monthly cleanup tasks; you can probably add more for your own environments:

Produce up-to-date GPO reports (GPOZaurr)

  • Verify GPOs that have been disabled for over 30 days, raise change to delete/archive
  • Verify GPOs that are unlinked, raise change to disable
  • Verify GPOs that are empty, raise change to disable
  • Verify GPOs without apply permissions, raise change to disable

Produce GPO content reports (GPOZaurr/Policy Analyzer/manual review)

  • Verify GPOs with invalid security filters, raise change to disable
  • Verify GPOs with redundant settings, raise change to remove content
  • Verify content that needs review (e.g., drive mappings report), raise change to remove content

Produce GPO permission reports (GPOZaurr)

  • Check permissions are valid, raise change to rectify if necessary

Produce GPO access reports (AGPMC)

  • Check logs of GPO changes and access
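
The first group of checks above (disabled, unlinked, empty, no apply permission) can also be cross-checked with the built-in GroupPolicy cmdlets. The script below is an added example, not part of the original article or of GPOZaurr; the output file name is hypothetical, and the "disabled for over 30 days" test is an approximation based on the GPO's last modification time.

```powershell
# Added example (not from the original article). Requires the GroupPolicy
# module (RSAT/GPMC) and read access to every GPO in the current domain.
Import-Module GroupPolicy

$staleDays = 30                                  # threshold from the checklist
$cutoff    = (Get-Date).AddDays(-$staleDays)

$report = foreach ($gpo in Get-GPO -All) {
    [xml]$xml = Get-GPOReport -Guid $gpo.Id -ReportType Xml

    # Unlinked: the XML report holds one <LinksTo> element per site/domain/OU link.
    $unlinked = $null -eq $xml.GPO.LinksTo

    # Empty: neither the Computer nor the User half carries any extension data.
    $empty = (-not $xml.GPO.Computer.ExtensionData) -and
             (-not $xml.GPO.User.ExtensionData)

    # No apply permission: no trustee holds "Apply group policy" (GpoApply).
    $noApply = -not (Get-GPPermission -Guid $gpo.Id -All |
                     Where-Object { $_.Permission -eq 'GpoApply' })

    # Disabled for over 30 days. Assumption: AD does not record when a GPO was
    # disabled, so a disabled GPO that has not been modified since the cutoff
    # is treated as having been disabled for at least that long.
    $disabledStale = ($gpo.GpoStatus -eq 'AllSettingsDisabled') -and
                     ($gpo.ModificationTime -lt $cutoff)

    [pscustomobject]@{
        Name          = $gpo.DisplayName
        Id            = $gpo.Id
        Status        = $gpo.GpoStatus
        LastModified  = $gpo.ModificationTime
        DisabledStale = $disabledStale
        Unlinked      = $unlinked
        Empty         = $empty
        NoApply       = $noApply
    }
}

# Keep only GPOs that trip at least one check; each row is a candidate for a
# change request, not an automatic action.
$report |
    Where-Object { $_.DisabledStale -or $_.Unlinked -or $_.Empty -or $_.NoApply } |
    Sort-Object Name |
    Export-Csv -Path .\gpo-cleanup-candidates.csv -NoTypeInformation  # hypothetical path
```

Trustees with custom ACLs are reported by `Get-GPPermission` as `GpoCustom` rather than `GpoApply`, so review a GPO flagged as `NoApply` by hand before raising the change.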

Summary

GPOs are a technology that may not be around forever but that many people already have a huge investment in. To consolidate the existing implementation so it's easier to manage, or prepare to migrate to more modern management techniques, or even both, it is very important to come to grips with the estate and ensure you have both visibility and well-defined processes.

GPOZaurr is a great tool. Combining it with the PowerShell cmdlets and Policy Analyzer gives you a holistic, detailed view of your Group Policy Objects, which you were probably lacking previously. With this data in hand, you can make a real, appreciable difference to the size, efficiency, and management scope of your GP implementation.


© 4sysops 2006 - 2021
