Tuesday, November 02, 2010
Group Policy Refresh for Permissions

So, you want to set permissions using a GPO? Cool. But before you do, it is important to understand how permissions are applied using a GPO, and the effects this can have on your environment.

I’m going to keep this short but sweet.

When you apply a new GPO to an OU, each computer that gets the GPO will process it during its normal refresh interval. This is the same for all GPOs. The thing is, with permissions, every 16 hours (plus a random 30 minute offset) each computer will do a “full refresh” (that’s my own parlance) in which every ACL affected by the GPO will be fully overwritten by the setting in the GPO. If the GPO only controls the ACL for one folder or registry key then this isn’t a big deal. When you start hitting lots of folders, or a deep folder structure, what you end up with is high CPU utilization and lots of disk writes as the folders and keys are enumerated and the ACLs written to disk.

Also, if you are doing patching or some other regular maintenance on your computers that requires a reboot, then you really need to watch out. If you reboot them all right around the same time, they will all process the GPO at the same 16 hour interval, with the only difference being the random offset. In the case of an application farm it is quite possible to see every server in the farm experience slowness at nearly the same time, and that’s not a pretty thing.
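To put numbers on that for a specific farm, the following planning sketch (an added example, not code from the original post) computes the worst-case number of servers that can be rewriting ACLs at once for a given set of reboot times, and a staggered reboot schedule that caps it. It assumes the 16 hour timer starts at boot, as described above; the 10 minute ACL rewrite duration, the function names and the sample reboot times are constructed for illustration.

```python
from datetime import datetime, timedelta

FULL_REFRESH = timedelta(hours=16)  # full-refresh interval stated in the post
MAX_OFFSET = timedelta(minutes=30)  # random offset stated in the post


def refresh_window(boot, cycle=1):
    """Earliest and latest start of the cycle-th full refresh after a boot."""
    earliest = boot + cycle * FULL_REFRESH
    return earliest, earliest + MAX_OFFSET


def peak_overlap(boots, work=timedelta(minutes=10), cycle=1):
    """Worst-case count of servers rewriting ACLs at the same moment.

    A server can be busy anywhere in [earliest, latest + work), so the
    worst case is the deepest overlap of those intervals (sweep line).
    `work` is an assumed duration for the ACL rewrite; measure your own.
    """
    events = []
    for boot in boots:
        earliest, latest = refresh_window(boot, cycle)
        events.append((earliest, 1))
        events.append((latest + work, -1))
    events.sort()  # at equal times the -1 (end) sorts before the +1 (start)
    peak = busy = 0
    for _, delta in events:
        busy += delta
        peak = max(peak, busy)
    return peak


def staggered_boots(first_boot, count, max_concurrent, work=timedelta(minutes=10)):
    """Reboot in groups of max_concurrent, spaced so that the groups'
    possible refresh periods can never overlap."""
    gap = MAX_OFFSET + work
    return [first_boot + (i // max_concurrent) * gap for i in range(count)]


if __name__ == "__main__":
    start = datetime(2010, 11, 2, 2, 0)  # constructed patch-window start
    patch_night = [start + timedelta(minutes=2 * i) for i in range(8)]
    print("rebooted together:", peak_overlap(patch_night))
    print("staggered:", peak_overlap(staggered_boots(start, 8, 2)))
```

Replace the `work` value with the rewrite time you actually observe on a test server, since it grows with the number of folders and keys the GPO covers.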

So, use GPOs to apply ACL controls if you’d like, but test, and monitor the systems to be sure they can handle the additional load.

posted @ Tuesday, November 02, 2010 10:16 AM