Re: IMPACT of (Delegation Control of Group Policy) on Active Direc



Dear Jorge,

Thanks a lot for your reply. Really Appreciated.

There are two areas of EFFECT:
1) GPOs applied on DCs and Servers
2) Health of Active Directory and DCs, since a non-SYSTEM Engineer has
control over some part of Active Directory (Group Policy creation, editing and
linking on the OU of client computers)

Actually, my MAIN CONCERN is how delegating control of Group Policy to a
SUPPORT Engineer would affect the health of Active Directory??

I mean, it is clear to me what the scope of a Group Policy Object would be.
In the OU and SITE examples, I know that it would affect everything that OU or
SITE contains. In the SITE example I meant to get advice regarding block
inheritance using an OU for Servers. So, I hope that it is clear that I am
not talking about the IMPACT or EFFECT from the point of SETTINGS THAT WILL
TAKE PLACE.

What I need is to get an answer to the question: The Group Policy Object is
created in Active Directory, on one of the DCs. Then this GPO is
replicated to other DCs, which could be in the same site or other sites. Would
this GPO do any harm to Domain Controllers?? Would the GPO cause any harm to
the network because of the replication between DCs (in the same site, and in
different sites)?? Would this GPO affect the network health or DC health
while a client computer is pulling it from the DC??
Suppose that I am the SUPPORT Engineer and you are the SYSTEM Engineer. I
clarified to you what I am responsible for (everything related to clients).
So, as per this responsibility, I requested that you delegate control of
Group Policy on the OU of clients.
I am an MCSE and as per my knowledge, if you gave the proper delegation on
only this OU of clients, then GPOs that I create will only be applied to
the client computers, i.e. they will not be applied to servers or DCs. Also, as
per my knowledge this GPO is not something that would harm (I mean affect
the health of) or have a side effect on Active Directory. So, would you delegate
control of Group Policy (create, edit, and link) on this OU to me, or is there
any reason not to delegate??

It is clear that I would apply something wrong to a group of clients which
would harm clients, but if I applied anything wrong to clients, then it is
my area of responsibility. I am getting my Senior Support Engineer's approval
before applying any GPO to client computers.

I am facing exactly this in my environment. So, if there is any reason not
to delegate CREATING and LINKING, OR to refuse even delegation of EDITING,
then I hope you would clarify it to me. (You mentioned before that you would
only delegate editing. Why is that??)

Regards and Thanks


"Jorge de Almeida Pinto [MVP - DS]" wrote:

on specific OUs --> he/she only has impact on whatever is in that OU

on specific AD sites --> he/she only has impact on whatever is in that
site... and that can be ANYTHING like client, servers and even DCs. this one
I would not delegate


I would only allow editing EXISTING GPOs and not allow the creation of GPOs
and linking to whatever
--

Cheers,
(HOPEFULLY THIS INFORMATION HELPS YOU!)

# Jorge de Almeida Pinto # MVP Windows Server - Directory Services

BLOG (WEB-BASED)--> http://blogs.dirteam.com/blogs/jorge/default.aspx
BLOG (RSS-FEEDS)--> http://blogs.dirteam.com/blogs/jorge/rss.aspx
------------------------------------------------------------------------------------------
* How to ask a question --> http://support.microsoft.com/?id=555375
------------------------------------------------------------------------------------------
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always test before implementing!
------------------------------------------------------------------------------------------
#################################################
#################################################
------------------------------------------------------------------------------------------
"Tariq Ziad" <TariqZiad@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:038969A1-C152-4E3F-94C7-6C59F0C35548@xxxxxxxxxxxxxxxx
Dear All,

I'd like to ask about the bad effects, the impact on the health of Active
Directory, that could result from delegating control of group policy
creation, editing, linking on an OU of Computers and Users OR on Site level
to an engineer who is only responsible for desktops and laptops (SUPPORT
Engineer). I mean he is responsible for everything related to installing OS,
Software, and all kinds of OS and Software settings for users (i.e. on their
computers). He is not responsible for dealing with any activity related to
servers or Active Directory.
Active Directory is totally managed by a system engineer responsible for AD,
Exchange, and other print, share and application servers.

Would it harm to delegate control of group policy on an OU of computers and
users or on sites to the SUPPORT Engineer since his area of responsibility is
desktops and laptops?? Would that have any effect on Servers and AD?
I hope you lead me to Microsoft articles and documents related to this
IMPACT subject.

A small example:
1) If there is an OU that has 10 computer accounts and this SUPPORT
Engineer has delegation of control to create group policies and link them to
this OU, then how would this harm Active Directory and Domain Controllers?
Also, I mean, would creating a GPO and having it appear in Active
Directory even without linking it to any container level (SITE, DOMAIN, OU)
do any harm to the domain container containing it??

2) If there is a site that has computers and servers and this SUPPORT
Engineer has delegation of control to create group policies and link them to
this Site, then how would this harm Active Directory, Domain Controllers, and
Servers? How could servers be excluded from any group policy applied on the
site level, i.e. could block inheritance help if these servers are included in
an OU?

Regards,
Tariq Ziad
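
The delegation choices discussed in this thread (edit-only on an existing GPO, versus rights to link on an OU or a site, versus rights to create GPOs) can be set and checked from PowerShell. This is an added example, not part of the original posts; it assumes the RSAT ActiveDirectory and GroupPolicy modules, and the OU, GPO and group names are constructed placeholders.

```powershell
# Added example. All names below are constructed placeholders, not from the thread.
Import-Module ActiveDirectory, GroupPolicy

$domainDn = (Get-ADDomain).DistinguishedName
$clientOu = "OU=Clients,$domainDn"          # assumed OU holding client computers
$gpoName  = 'Clients - Desktop Settings'    # assumed existing GPO
$group    = 'Desktop-Support'               # assumed support engineers' group

# Edit-only delegation: the group can change settings in this one GPO,
# but gains no right to create new GPOs or to link GPOs to any container.
Set-GPPermission -Name $gpoName -TargetName $group -TargetType Group -PermissionLevel GpoEdit

# schemaIDGUIDs of the attributes that control GPO linking on a container.
$linkAttrs = @(
    [guid]'f30e3bbe-9ff0-11d1-b603-0000f80367c1',   # gPLink
    [guid]'f30e3bbf-9ff0-11d1-b603-0000f80367c1',   # gPOptions
    [guid]::Empty                                   # ACE that covers all properties
)
$write = [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty

# Lists every Allow ACE that lets a principal change GPO links on a container.
function Get-GpLinkWriter {
    param([Parameter(Mandatory)][string]$DistinguishedName)
    (Get-Acl -Path "AD:\$DistinguishedName").Access |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            ($_.ActiveDirectoryRights -band $write) -and
            $_.ObjectType -in $linkAttrs
        } |
        Select-Object @{ n = 'Container'; e = { $DistinguishedName } },
                      IdentityReference, ActiveDirectoryRights, IsInherited
}

# Check the client OU, then every AD site: a site link reaches whatever is in
# that site, including servers and DCs.
$siteBase = "CN=Sites,$((Get-ADRootDSE).configurationNamingContext)"
$sites    = (Get-ADObject -SearchBase $siteBase -LDAPFilter '(objectClass=site)').DistinguishedName
@($clientOu) + $sites | ForEach-Object { Get-GpLinkWriter -DistinguishedName $_ } |
    Format-Table -AutoSize

# Who may create GPOs: create-child rights on the domain's Policies container.
$create = [System.DirectoryServices.ActiveDirectoryRights]::CreateChild
(Get-Acl -Path "AD:\CN=Policies,CN=System,$domainDn").Access |
    Where-Object { $_.AccessControlType -eq 'Allow' -and ($_.ActiveDirectoryRights -band $create) } |
    Select-Object IdentityReference, ActiveDirectoryRights, IsInherited
```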


