Re: IMPACT of (Delegation Control of Group Policy) on Active Direc
- From: "Chriss3 [MVP]" <removethis_christoffer.andersson@xxxxxxxxxx>
- Date: Tue, 27 Mar 2007 14:53:37 +0200
Hello.
Here is a detail to think about.. Using the Delegation Control wizard will allow read/write option to both gpLink and gpOptions. gpOptions allows to set block inheritance and by pass policies defined at a higher level, for example at the domain node.
--
Regards
Christoffer Andersson
Executive Consultant - TrueSec
Microsoft MVP - Directory Services
----------------------------------------------------------------
http://www.chrisse.se - Active Directory Resources
"Tariq Ziad" <TariqZiad@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message news:0A7A79E5-7A05-4CFA-BA47-1D61DA2D4A68@xxxxxxxxxxxxxxxx
Thanks Keshav for the reply.
I hope to get full list of all type of impacts of the health of Active
Directory, Domain Controllers, and member servers. If you have any comment
about risks or impacts in the two examples mentioned please go ahead
(examples can make things more easier).
"Keshav" wrote:
http://www.microsoft.com/technet/technetmag/issues/2006/05/GroupPolicy/?related=/technet/technetmag/issues/2006/05/GroupPolicy
http://technet2.microsoft.com/WindowsServer/en/library/53769684-2a36-46b2-8fd9-ae009b58306f1033.mspx?mfr=true
"Tariq Ziad" wrote:
> Dear All,
>
> I'd like to ask about the bad effects, impact on the health of active
> directory that could result from delegating control of group policy > creation,
> editing, linking on OU of Computers and Users OR on Site level to an > engineer
> who is only responsible for desktops and laptops (SUPPORT Engineer). I > mean
> he is responsible to every thing related to installing OS, Software, > and all
> kind of OS and Software settings for users( i.e. on there computers). > He is
> not responsible of dealing with any activity related to servers or > Active
> Directory.
> Active Directory is totally managed by a system engineer responsible > for AD,
> Exchange, and other print, share and application servers.
>
> Would it harm to delegate control of group policy on OU of computers > and
> users or on sites to SUPPORT Engineer since his area of responsibility > is
> desktops and laptops?? Would that have any effect on Servers and AD?
> I hope you lead me to Microsoft articles and documents related to this
> IMPACT subject.
>
> A small example:
> 1) if there is an OU that have 10 computer accounts and this SUPPORT
> Engineer has delegation of control to create group policies and link > them to
> this OU, then how would this harm Active Directory and Domain > Controllers.
> Also, I mean would creating a GPO and having it appearing in the active
> directory even without linking it to any container level (SITE, DOMAIN, > OU),
> would that have any harm on the domain container containing it??
>
> 2) if there is a site that have computers and servers and this SUPPORT
> Engineer has delegation of control to create group policies and link > them to
> this Site, then how would this harm Active Directory, Domain > Controllers, and
> Servers. How could servers be excluded from any group policy applied on > the
> site level, i.e could block inheritance help if these servers are > included in
> an OU?
>
> Regards,
> Tariq Ziad
.
- Follow-Ups:
- Re: IMPACT of (Delegation Control of Group Policy) on Active Direc
- From: Tariq Ziad
- Re: IMPACT of (Delegation Control of Group Policy) on Active Direc
- Prev by Date: Re: How do I reset access rights to use/view ADUC?
- Next by Date: Re: new DC created
- Previous by thread: Active Directory - Remote Web server
- Next by thread: Re: IMPACT of (Delegation Control of Group Policy) on Active Direc
- Index(es):
Relevant Pages
|
Loading
