Best Practices

Use Group Policy in Preference to Windows NT 4.0 System Policy

System Policy is undesirably persistent from a Windows 2000 perspective. Group Policy is cleaned up and refreshed whenever policy changes.

Disable Unused Parts of a Group Policy Object

If, under the User Configuration or Computer Configuration node of the console, a Group Policy object has only settings that are Not Configured, you can avoid processing those settings by disabling that node. This expedites startup and the logon session for the users and computers subject to the Group Policy object.

Disabling both parts of a Group Policy object makes it behave as if it is not linked to any site, domain, or organizational unit, even though the links still exist.

Use the Block Policy Inheritance and No Override Features Sparingly

Routine use of these features makes it difficult to troubleshoot policy.

Minimize the Number of Group Policy Objects Associated with Users in Domains or Organizational Units

The more Group Policy objects are applied to a user, the longer it takes to log on.

Filter Policy Based on Security Group Membership

Keep in mind that a Group Policy object will not apply to a user if the Read or Apply Group Policy access control entries (ACEs) are not set to Allow on security groups of which the user is a member. This is the mechanism by which policy can be prevented from applying to users (or computers) who would otherwise be subject to it either by links or by inheritance. It is a good, efficient mechanism, and the administrator can greatly expedite the logon and startup experiences of the users in his or her organization by exploiting it fully.
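The following read-only audit is an added example, not part of the original guidance. It covers both the unused-node recommendation and the security group filtering described above. It assumes the GroupPolicy PowerShell module (shipped with the Group Policy Management Console in later Windows releases, not with Windows 2000) and an account that can read every Group Policy object in the domain; the report column names are hypothetical.

```powershell
# Added example: read-only GPO audit. Nothing is modified.
# Assumes the GroupPolicy module (GPMC / RSAT), which postdates Windows 2000.
Import-Module GroupPolicy

$report = foreach ($gpo in Get-GPO -All) {
    # A version of 0 means that half of the GPO has never been edited,
    # so every setting under it is still Not Configured.
    $userEmpty     = $gpo.User.DSVersion -eq 0
    $computerEmpty = $gpo.Computer.DSVersion -eq 0

    # GpoStatus is one of: AllSettingsEnabled, UserSettingsDisabled,
    # ComputerSettingsDisabled, AllSettingsDisabled.
    $status          = $gpo.GpoStatus.ToString()
    $userEnabled     = $status -in 'AllSettingsEnabled', 'ComputerSettingsDisabled'
    $computerEnabled = $status -in 'AllSettingsEnabled', 'UserSettingsDisabled'

    # Trustees holding the standard GpoApply level (Read plus Apply Group Policy).
    # These are the security groups the GPO is filtered to.
    $applyTo = Get-GPPermission -Guid $gpo.Id -All |
        Where-Object { $_.Permission -eq 'GpoApply' } |
        ForEach-Object { $_.Trustee.Name }

    [pscustomobject]@{
        Gpo                 = $gpo.DisplayName
        Status              = $status
        # Candidate for "disable the unused node": empty but still processed.
        DisableUserNode     = $userEmpty -and $userEnabled
        DisableComputerNode = $computerEmpty -and $computerEnabled
        # Who the GPO is filtered to; empty means no trustee has GpoApply.
        AppliesTo           = ($applyTo | Sort-Object) -join '; '
        AppliesToNobody     = -not $applyTo
    }
}

$report | Sort-Object Gpo | Format-Table -AutoSize -Wrap
```

A nonzero version only shows that the node was edited at some point, so confirm in the console that a node really is empty before disabling it.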

Override User-Based Group Policy with Computer-Based Group Policy Only When Necessary

Do this only if you need the desktop configuration to be the same regardless of which user logs on.

Avoid Cross-Domain Group Policy Object Assignments

The processing of Group Policy objects slows the logon session and startup if Group Policy is obtained from another domain.