Design your domain and OU structure to use as few GPOs as possible. The more GPOs you use:
    The slower logons may become
    The more network traffic is generated
    The greater the chance of conflict between settings in different GPOs, causing unpredictable results
    The more difficult it is to troubleshoot problems associated with GPOs
Keep the number of GPOs that are applied to a given user account small (two or three, usually). It is generally better to merge policy settings from several GPOs into a single GPO whenever possible to speed up the process by which GPOs are applied and refreshed.
Link each GPO you create to only a single site, domain, or OU. GPOs linked to several domains or sites can significantly slow logons, and linked GPOs generally make it difficult to troubleshoot GPO problems when they occur.
Use blocking when you have a special group of users or computers that needs unique Group Policy settings in your site, domain, or OU.
Use forcing sparingly, and then only for containers high up in the Active Directory hierarchy and for GPO settings that are critical throughout the enterprise, such as security settings.
Try not to use GPO filtering since this makes troubleshooting Group Policy problems complex. Create an additional GPO instead of filtering an existing one.
Disable the User or Computer Configuration portion of a GPO if it is not needed. This speeds up processing.
Use the default security templates included in WS2003 as a starting point for configuring ...
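The guidelines above on single links, sparing use of forcing, and disabling an unused User or Computer half can be checked mechanically. The following is an added example, not part of the original text: it assumes the GroupPolicy PowerShell module (a later toolset than WS2003) and the XML that Get-GPOReport produces. The function name Test-GpoGuideline and the sample GPO are hypothetical.

```powershell
# Added example: checks Get-GPOReport XML against the link, forcing and
# unused-half guidelines. Function name and sample data are illustrative.
function Test-GpoGuideline {
    param([Parameter(Mandatory)][xml]$Report)

    $gpo      = $Report.GPO
    $links    = @($gpo.LinksTo | Where-Object { $_ })   # zero, one or many links
    $findings = @()

    # Guideline: link each GPO to only a single site, domain, or OU.
    if ($links.Count -gt 1) {
        $findings += "linked to $($links.Count) containers: " + ($links.SOMPath -join '; ')
    }
    # Guideline: use forcing (No Override) sparingly; list every forced link for review.
    foreach ($l in $links | Where-Object { $_.NoOverride -eq 'true' }) {
        $findings += "forced (No Override) at $($l.SOMPath)"
    }
    # Guideline: a half with no ExtensionData holds no settings and should be disabled.
    foreach ($side in 'Computer', 'User') {
        $node = $gpo.$side
        if ($node.Enabled -eq 'true' -and -not $node.ExtensionData) {
            $findings += "$side Configuration is empty but still enabled"
        }
    }
    [pscustomobject]@{ Name = $gpo.Name; Findings = $findings }
}

# Constructed sample report, trimmed to the elements the function reads.
$sample = [xml]@'
<GPO xmlns="http://www.microsoft.com/GroupPolicy/Settings">
  <Name>Workstation Baseline (sample)</Name>
  <Computer><Enabled>true</Enabled><ExtensionData><Name>Security</Name></ExtensionData></Computer>
  <User><Enabled>true</Enabled></User>
  <LinksTo><SOMPath>example.test</SOMPath><Enabled>true</Enabled><NoOverride>true</NoOverride></LinksTo>
  <LinksTo><SOMPath>example.test/Workstations</SOMPath><Enabled>true</Enabled><NoOverride>false</NoOverride></LinksTo>
</GPO>
'@
(Test-GpoGuideline -Report $sample).Findings

# Against a live domain (requires the GroupPolicy module):
# Get-GPO -All | ForEach-Object {
#     Test-GpoGuideline -Report ([xml](Get-GPOReport -Guid $_.Id -ReportType Xml))
# } | Where-Object Findings
```

A forced link high in the hierarchy for enterprise-wide security settings is consistent with the guidance; the forced-link finding is a prompt to confirm that each one meets that bar.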