Apply GPOs to the desktop image, or directly to the hosts?

Looking for some general guidance on best practices here. 

I have some baseline settings I am looking to apply to session hosts via GPO. Currently, I have created a GPO via the AADDS management VM and applied it to the desktop image VM. That works fine, policies are showing on the desktop image VM and therefore when I re-image my hosts they get those same settings. The hosts are scheduled to re-image every night.

Is that the correct way to do this? Or should I keep the desktop image VM off the domain, and only apply the GPOs directly to the hosts? I guess it does not really matter that much at the end of the day, unless I'm missing something. I could always create another GPO linked only to specific hosts if I want them to have settings applied that the others don't.


Dave Stephenson

I've always been told that it's "best practice" to never join an image to a domain so it can be "pure" or "golden".
Granted, I'm "old school" and remember creating client-agnostic images to deploy to any computer and customize it from there.
Even if we did have a custom image for a client, we wouldn't join it to the domain until the image was deployed to help minimize the number of anomalies/gremlins that could creep up.

Marcos Artiaga

Agreed with Dave. I would create an OU specifically for your AVD session hosts, configure Nerdio to deploy hosts to that OU, then apply your GPO policies that are specific to AVD to that OU.

Travis Lamming

I will tell you that joining Windows 11 desktop images to the domain has created problems for us, so now we just leave it off. I don't apply GPO to the image, just the session hosts. I mirror the above, I have created my own OU for the AVD session hosts.
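
An added example, not code from any of the posters: one way to set up the layout the replies describe (a dedicated OU for AVD session hosts with the baseline GPO linked to it, and the image VM kept off the domain) and then check for hosts that would miss the policy. The OU name, GPO name, host name prefix and image VM name are hypothetical placeholders. It assumes a management VM with the RSAT ActiveDirectory and GroupPolicy modules and an account allowed to create OUs and GPOs.

```powershell
Import-Module ActiveDirectory
Import-Module GroupPolicy

# Hypothetical names; replace with your own.
$ouName      = 'AVD Session Hosts'
$gpoName     = 'AVD - Session Host Baseline'
$hostPrefix  = 'avd-host-'
$imageVmName = 'avd-image-01'

$domainDn = (Get-ADDomain).DistinguishedName
$ouDn     = "OU=$ouName,$domainDn"

# 1. Create the dedicated OU if it does not exist yet.
$ou = Get-ADOrganizationalUnit -Filter "DistinguishedName -eq '$ouDn'"
if (-not $ou) {
    New-ADOrganizationalUnit -Name $ouName -Path $domainDn `
        -ProtectedFromAccidentalDeletion $true
}

# 2. Create the baseline GPO if needed and link it to the OU only,
#    so the settings reach session hosts and nothing else.
$gpo = Get-GPO -Name $gpoName -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $gpoName -Comment 'Baseline for AVD session hosts'
}
$link = (Get-GPInheritance -Target $ouDn).GpoLinks |
    Where-Object { $_.DisplayName -eq $gpoName }
if (-not $link) {
    New-GPLink -Name $gpoName -Target $ouDn -LinkEnabled Yes | Out-Null
}

# 3. Hosts whose computer account landed outside the OU do not get the
#    baseline; list them so the deployment target can be corrected.
$strays = Get-ADComputer -Filter "Name -like '$hostPrefix*'" |
    Where-Object { $_.DistinguishedName -notlike "*,$ouDn" }
if ($strays) {
    Write-Warning 'Session hosts outside the AVD OU (baseline not applied):'
    $strays | Select-Object Name, DistinguishedName | Format-Table -AutoSize
}

# 4. The image VM should have no computer account if it is kept off the domain.
if (Get-ADComputer -Filter "Name -eq '$imageVmName'") {
    Write-Warning "Image VM '$imageVmName' has a computer account in the domain."
}

# 5. Show what is linked to the OU, including inherited GPOs.
(Get-GPInheritance -Target $ouDn).InheritedGpoLinks |
    Select-Object Order, DisplayName, Enabled, Enforced
```

On a freshly deployed host, `gpresult /r /scope computer` confirms which GPOs were actually applied.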


