Naming your GPOs

You can name your GPOs however you want, but the mindset you take when deciding on those names could benefit or harm your Group Policy environment down the road. In the beginning stages of a fresh Active Directory installation, it is quite easy to find anything inside Group Policy, and you will generally remember offhand where you placed all of your policies. The larger you grow, the more difficult it will become to distinguish between them and track back to changes you made months or even years ago.

There are two typical mindsets that I often see in the wild, and they are quite different. The first is to name GPOs according to the places where they will apply. In this instance, you will see GPO names such as "HR Department Settings" and "Accounting Computer Lockdown Policy". While these aren't terrible names, going this direction generally means that each of your GPOs is a collection of all kinds of different settings. They may all work together in order to define security for your devices, but these GPOs will generally be quite large and have many settings, which means they will be more difficult and dangerous to make changes to in the future.

The second mindset, which I agree with much more, is to keep minimal settings inside each GPO, and simply have many more GPOs. In this case, you will see GPO names more like "Disable IPv6", "Set the idle lockout policy to 2 minutes", and "Set Teredo to EnterpriseClient status". As you can see, each of these names is quite specific, and that may mean that you only have one policy setting inside each of the GPOs. This certainly means that you will be creating many GPOs where in the alternative mindset you may get away with putting all of these settings into a single GPO, but having them separated like this makes GPOs very easy to identify, and means that you can be extremely flexible with the placement of these policies. For example, if you need to set the idle lockout policy on both HR and Accounting computers, you simply link that one GPO to both OUs for those groups. If you had a single GPO for each department, you would instead have to modify both of those production GPOs in order to include this setting, which doesn't give you much room for error. If you mess something up, it is messed up for all of those computers.

Configuring many GPOs that all have a very limited number of settings also gives you more flexibility should the day ever come that you need to disable or delete GPOs. You can much more easily remove individual settings without the potential to wreak havoc on your workstations.
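The following PowerShell sketch shows the single-purpose approach described above: one narrowly named GPO linked to two OUs, then backed out for one department without editing the GPO. It is an added example, not code from the original text; the OU distinguished names and the `Disable-GpoLinkForOu` helper are hypothetical, and the policy setting itself is assumed to be configured separately in the Group Policy Management Editor.

```powershell
# Requires the GroupPolicy module (RSAT / Group Policy Management feature).
Import-Module GroupPolicy

# Hypothetical OU distinguished names; replace with your own.
$targets = @(
    'OU=HR,DC=example,DC=com',
    'OU=Accounting,DC=example,DC=com'
)
$gpoName = 'Set the idle lockout policy to 2 minutes'

# Create the single-purpose GPO once; reuse it if it already exists.
$gpo = Get-GPO -Name $gpoName -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $gpoName -Comment 'One setting only: idle lockout.'
}

# Link the same GPO to every OU that needs the setting.
foreach ($ou in $targets) {
    try {
        New-GPLink -Name $gpoName -Target $ou -LinkEnabled Yes -ErrorAction Stop | Out-Null
    }
    catch {
        # Typically raised when the link already exists or the OU is not found.
        Write-Warning "Link to $ou not created: $($_.Exception.Message)"
    }
}

# Report where the GPO is linked, read from the GPO's XML report.
[xml]$report = Get-GPOReport -Name $gpoName -ReportType Xml
foreach ($link in $report.GPO.LinksTo) {
    [pscustomobject]@{
        GPO      = $gpoName
        LinkedTo = $link.SOMPath
        Enabled  = $link.Enabled
    }
}

# Hypothetical helper: back the setting out for one OU only.
# The GPO and its links to other OUs are left untouched.
function Disable-GpoLinkForOu {
    param([string]$Name, [string]$Target)
    Set-GPLink -Name $Name -Target $Target -LinkEnabled No
}
```

Calling `Disable-GpoLinkForOu -Name $gpoName -Target $targets[1]` later disables the setting for Accounting while HR keeps it.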