Re: Local Machine vs. Domain Group Policy



To offer a counter viewpoint to some of those expressed: I have in the past held, and wouldn't be surprised to hold again in the future, the same viewpoint as your admin. Lots of people like to think that GPOs are the panacea, and they quite frankly are not; I have had to deal with mad levels of issues with GPOs over the years. In a single TS server environment, or even one with 40, I wouldn't hesitate to tell you to use local settings versus slapping a ton of new policies in the directory that I now have to make sure replicate properly and work.

I absolutely WOULD not give you full control over an OU. At best I might allow you to create a machine account but most likely I wouldn't even do that and instead create machine accounts and allow you to join them.

These are things I did in a Fortune 5 company and they worked very well. We had TS servers all over the world and not a single GPO specific to them. There were only 6 user GPOs and 6 workstation GPOs and then the two built-in GPOs. Everything else was managed, and managed well, with local security policy.

joe

--
Joe Richards Microsoft MVP Windows Server Directory Services
Author of O'Reilly Active Directory Third Edition
www.joeware.net


---O'Reilly Active Directory Third Edition now available---

http://www.joeware.net/win/ad3e.htm



mg wrote:
I want our network admin to create an OU for Terminal Services and give me admin rights to it so I can create a "lockdown" GPO, link it to the OU and add a Terminal Server computer to this OU. The new GPO would include a deny apply exception for administrator accounts. This is a best practices approach for Terminal Services.

Our network admin does not want to create an OU and give me rights to it. Instead he wants me to create group policies on the local machine. Since we only have one TS at this time, I agreed. But is this approach feasible?

I've got Group Policy Management Console with admin rights on the Terminal Server and I can see domain level group policy objects. Can I create a new GPO using GPMC and link it to a local machine? I understand how to use gpedit.msc on the local machine, but in that tool I don't know how to create "deny apply" exceptions for admin accounts.
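Both posts above turn on the same practical question: can a lockdown kept in local policy be reproduced on a second or third Terminal Server and checked for drift later, the way Joe says his TS fleet was run? The following PowerShell is an added example and is not code from either poster. It wraps secedit.exe, which ships with Windows 2000 and later, to export the reference server's local security policy to a template, import that template on another server, and re-analyze later. The paths, file names and function names are hypothetical.

```powershell
# Added example for this thread (not code from either post): keep a Terminal
# Server lockdown as a local security template and push it with secedit.exe.
# The paths below are hypothetical; adjust them for your build share.
param(
    [string]$Template = 'C:\Policy\ts-lockdown.inf',
    [string]$Database = 'C:\Policy\ts-lockdown.sdb',
    [string]$Log      = 'C:\Policy\ts-lockdown.log'
)

$null = New-Item -ItemType Directory -Path (Split-Path $Template) -Force

# Run once on the reference TS: dump its current local security policy to an
# .inf template. The template carries account/audit policy, user rights
# assignments, security options and registry/file/service ACLs. It does NOT
# carry Administrative Template (registry-based) settings; those stay in the
# local GPO and have to be reproduced separately.
function Export-TsLockdown {
    secedit /export /cfg $Template /quiet
    return (Test-Path $Template)
}

# Run on every additional TS: import the same template. /overwrite empties the
# database first, so only what the template says ends up applied.
function Import-TsLockdown {
    secedit /configure /db $Database /cfg $Template /overwrite /log $Log /quiet
    return (Test-Path $Database)
}

# Drift check for later: /analyze compares the live machine against the
# database and logs each difference. Assumption: the settings someone changed
# by hand are the log lines that begin with "Mismatch"; secedit writes the log
# as UTF-16 with a BOM, which Get-Content detects on its own.
function Test-TsLockdown {
    secedit /analyze /db $Database /cfg $Template /log $Log /quiet
    $drift = @(Get-Content $Log | Where-Object { $_ -match '^\s*Mismatch' })
    foreach ($line in $drift) { Write-Warning $line }
    return ($drift.Count -eq 0)
}
```

Export-TsLockdown runs on the server you already locked down, the .inf goes onto the build share next to the server build notes, Import-TsLockdown runs on each new TS, and Test-TsLockdown can be scheduled to flag settings that drifted. One caveat that bears on the "deny apply" question in the original post: a single local GPO (Windows 2000/2003) has no security filtering, so there is no per-group "deny apply" in gpedit.msc; whatever the local policy sets applies to administrators too, and the only scoping available is inside the settings themselves (user rights assignments name the groups they affect). Windows Vista and later add separate Administrators and Non-Administrators local GPOs that fill that gap.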



