Jeremy Moskowitz founded PolicyPak Software after working with hundreds of customers with the same problem: they couldn’t manage their applications, browsers and operating systems using the technology they already utilized.
Merge GPO Settings: How to Group Multiple Settings Together
If you’re an IT professional and want to merge GPO settings into a single object, you’ve come to the right place. Network administrators have to contend with different types of sprawl within their enterprises, such as server sprawl, VM sprawl, and storage sprawl. Group Policy administrators have to contend with their own particular type of sprawl: GPO sprawl.
Group Policy sprawl happens over time. A company goes through a period of dramatic growth that results in an explosion of AD objects that need managing. Organizational changes often mean changes to the enterprise’s OU architecture that affect how GPOs are distributed. Mergers and acquisitions can wreak havoc on a Group Policy environment, especially if the two companies used different approaches to making GPOs. Despite the best of intentions to adhere to a streamlined GPO design, GPO sprawl can proliferate over time.
The more GPOs you have, the more needlessly complex your environment can become. The more complex your environment is, the harder it is to troubleshoot it or even predict what the final policy results will be for a newly created GPO. Unless your GPOs have both intuitive names and descriptive comments, it can be time-consuming to find the correct GPO when you need to modify an existing setting. Though some admins may be frustrated by their GP environments, some GP administrators just accept GPO sprawl as a cost of doing business because that is the way it’s always been done.
The good news is that it does not have to be that way. In the same way that there are benefits to simplifying and decluttering our daily lives, there are advantages to simplifying our GPOs as well. What’s more, the process of simplifying GPOs is quite simple, thanks to the PolicyPak Group Policy Merge Tool. With PolicyPak, GPO sprawl doesn’t have to be a reality anymore. You can reduce your number of GPOs and the needless complexity they create.
If you want an overview of how to merge and reduce GPOs, check out this video.
Reduce and consolidate Group Policy Objects and Settings
The PolicyPak GPO Reduction and Transitions Pak manages complex environments in a way that eliminates sprawl and simplifies administration.
To Merge GPO Settings, Think Collections
Rather than create a GPO for every configured setting you want to deliver, think about your end game in terms of “collections.” Assuming that you have fully completed your Windows 10 migration and have a universal OS, you probably just have two primary computer targets, laptops and desktops.
If this is the case, you can make separate collections for laptops and desktops, then merge all of your relevant GPOs into a consolidated GPO using the two collections. Or, if you have different policy needs for different groups or different office sites, you can create one or more collections and then merge your GPOs using those collections.
The end result is a streamlined GPO environment that is easy to work with, troubleshoot, and manage. Another benefit is that you don’t have to structure your OUs for the sole purpose of accommodating GPOs. With collections and Item-Level Targeting, assigning specific settings to specific targets becomes automated.
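Before deciding which GPOs belong in which collection, it helps to see what already exists. The PowerShell below is an added example, not part of PolicyPak or the original article; it uses the GroupPolicy module's Get-GPO and Get-GPOReport cmdlets and assumes RSAT is installed and the account can read every GPO in the domain. The function name and the setting-count heuristic are illustrative.

```powershell
# Added example: inventory GPOs to spot consolidation candidates
# (unlinked GPOs, GPOs holding one or two settings, GPOs with no comment).
# Assumes the GroupPolicy module (RSAT) and read access to all GPOs.
Import-Module GroupPolicy

function Get-GpoSprawlInventory {   # hypothetical helper name
    param([string]$Domain = $env:USERDNSDOMAIN)

    foreach ($gpo in Get-GPO -All -Domain $Domain) {
        # The XML report holds the links and the configured settings of one GPO.
        [xml]$report = Get-GPOReport -Guid $gpo.Id -ReportType Xml -Domain $Domain

        # One <LinksTo> element per domain, site or OU the GPO is linked to.
        # local-name() avoids dealing with the report's XML namespaces.
        $links = $report.SelectNodes("//*[local-name()='LinksTo']")

        # Approximate setting count: direct children of every <Extension>.
        $settings = $report.SelectNodes("//*[local-name()='Extension']/*")

        [pscustomobject]@{
            Name       = $gpo.DisplayName
            Status     = $gpo.GpoStatus
            Links      = $links.Count
            LinkedTo   = ($links | ForEach-Object { $_.SOMPath }) -join '; '
            Settings   = $settings.Count
            HasComment = -not [string]::IsNullOrWhiteSpace($gpo.Description)
            Modified   = $gpo.ModificationTime
        }
    }
}

# Unlinked and near-empty GPOs sort to the top.
Get-GpoSprawlInventory |
    Sort-Object Links, Settings |
    Format-Table Name, Status, Links, Settings, HasComment, Modified -AutoSize

# Keep a restorable copy of every GPO before merging anything.
# 'C:\GpoBackup' is a constructed path and must already exist.
# Backup-GPO -All -Path 'C:\GpoBackup'
```

Saving the same inventory to CSV before and after a merge gives a quick check that security-relevant settings, such as the Device Guard policy used later in this walkthrough, still exist in a linked GPO.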
PolicyPak Group Policy Merge Tool
If you want to merge GPO settings within your AD structure, the PolicyPak Group Policy Merge Tool makes it ridiculously simple. There is no need for complicated PowerShell scripts. You can point, click, and merge GPO settings easily. In the example below, we’ll show how simple the GPO setting merge and consolidation process can truly be. We will start by opening the Group Policy Merge Tool, which is free for all PolicyPak customers, and using it to merge our Group Policy Administrative Template Settings (see Figure 1).
Figure 1: Using the PolicyPak Group Policy Merge Tool.
We will then choose the GPO discovery process we want. For the sake of brevity, we will choose manual, as shown in Figure 2.
Figure 2: Choosing the GPO discovery process.
Simplify Group Policy
Too many GPOs means too many problems. Too many GPOs means longer login times and longer troubleshooting on the endpoint. If you have a lot of GPOs, you are not alone. Most companies have too many GPOs – they would like to have fewer and still have the same amount of security. The reason you have too many GPOs is that you need multiple GPOs for most OUs: some for general cases, and others for specific cases.
Here we’ll focus on Laptops as our collection target. We’ll select some settings specific to laptops, such as camera and Zoom settings (in this case we downloaded the Zoom ADMX templates). For added security, we’ll enable Device Guard. Then, we’ll choose those GPOs as the ones to merge (see Figure 3).
Figure 3: Selecting GPOs to merge.
The next step is to choose the desired settings located within our selected GPOs and then select or create a new GPO that will serve as the consolidated GPO. We’ll call this GPO “Consolidated Laptop Settings.” We then come to the step that only PolicyPak can provide, creating and designating collections. In this case, we’ll make a collection called “Laptop Stuff,” as shown in Figure 4.
Figure 4: Creating a new collection.
The magic of PolicyPak comes into play when we try to assign this new GPO to laptops only. If you have worked with Group Policy Preferences, then you are familiar with Item-Level Targeting. Unfortunately, you can’t use this feature within native Group Policy. PolicyPak, however, is able to use it for Administrative Template settings and most of our PolicyPak settings as well. In the example in Figure 5 below, we have used Item-Level Targeting to target “Portable Computers.”
Figure 5: Using the Targeting Editor to target portable computers.
Now let’s look at our “Consolidated Laptop Settings” GPO, as shown in Figure 6. On the left side is our “Laptop Stuff” collection and on the right are the settings we chose that are now targeted at laptop machines only. If we wanted, we could then assign this GPO to a higher-level OU, as it would only target laptops. There would be no need to granularly assign it to multiple OUs at all levels.
Figure 6: Reviewing the settings in our newly created collection.
With this process, we consolidated three GPOs into one. We could just as easily have merged 30 GPOs or even 300.
We could also further merge GPOs that are desktop-related and put those into a collection called “Desktop Stuff.” Then, we could implement Item-Level Targeting for any Windows device that is not a portable computer (or, alternatively, target machines with the word “Desktop” within their computer name). If we wanted to create collections according to different site locations, we could do so by IP address. We could also export our consolidated GPOs and deploy them to any MDM environment using PolicyPak MDM Edition, or deploy them to remote stand-alone machines using PolicyPak Cloud Edition. Using the super admin powers of PolicyPak, the possibilities are nearly limitless.
Consolidating and merging GPO settings is only a fraction of the things that PolicyPak is capable of. To find out what else PolicyPak can do, visit PolicyPak.com.