We also do a fair bit of consulting for shops that are overwhelmed by what they have in their Group Policy environments and just want someone with the experience to say, “this is good” or “this is bad”. Filtering: My advice to folks is always to link your GPOs as close to their intended targets as possible.To that end, we’ve developed a number of high-level guidelines and best practices that we like to apply when going into any new engagement, and I want to share some of these best practices here. This usually translates into linking to OUs rather than at the domain level.
Certainly it’s do-able, but it complicates and elongates things like troubleshooting.
The second reason–change control–is also pretty simple.
drive mappings, printer mappings, registry punches, etc.) then convert off those scripts as soon as you can.
Really the only remaining reason to use scripts in GP is for more complex logic than what you can get with GP Preferences and it’s Item-Level Targeting.
As I’ve blogged about before, it’s important to group synchronous policy areas like software installation and folder redirection together, and keep them separate from asynchronous extensions.