Re: IMPACT of (Delegation Control of Group Policy) on Active Direc
- From: Tariq Ziad <TariqZiad@xxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Tue, 27 Mar 2007 22:06:02 -0700
Hello Chriss
Thanks for your note.
Actually, I hope you will read my reply to Jorge dated 3/25/2007.
I am the SUPPORT Engineer, and the SYSTEM Engineer is claiming that AD
health will be impacted if I was delegated Group Policy control...
Hope to get your advice and clarification from an AD health point of view.
Also, one point we tried before and caused problems which finally led to
deciding not to delegate GP control. I was delegated control of GP on site
level, while servers were moved to an OU and Block Inheritance was set on that
OU. Any GP linked to the site where servers exist was taking effect on them
even though block inheritance is configured. I used WMI filters to apply GP
only on Windows 2000 and XP computers, but you know this way servers will be
affected by the GP any time I miss to use the filter!!! So, why was Block
Inheritance not working (I was not using GP enforce option at all!!)?
Regards,
Tariq Ziad
"Chriss3 [MVP]" wrote:
Hello..
Here is a detail to think about.. Using the Delegation Control wizard will
allow read/write option to both gpLink and gpOptions. gpOptions allows you to
set block inheritance and bypass policies defined at a higher level, for
example at the domain node.
--
Regards
Christoffer Andersson
Executive Consultant - TrueSec
Microsoft MVP - Directory Services
----------------------------------------------------------------
http://www.chrisse.se - Active Directory Resources
"Tariq Ziad" <TariqZiad@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:0A7A79E5-7A05-4CFA-BA47-1D61DA2D4A68@xxxxxxxxxxxxxxxx
Thanks Keshav for the reply.
I hope to get a full list of all types of impacts on the health of Active
Directory, Domain Controllers, and member servers. If you have any comment
about risks or impacts in the two examples mentioned please go ahead
(examples can make things easier).
"Keshav" wrote:
http://www.microsoft.com/technet/technetmag/issues/2006/05/GroupPolicy/?related=/technet/technetmag/issues/2006/05/GroupPolicy
http://technet2.microsoft.com/WindowsServer/en/library/53769684-2a36-46b2-8fd9-ae009b58306f1033.mspx?mfr=true
"Tariq Ziad" wrote:
Dear All,
I'd like to ask about the bad effects and impact on the health of Active Directory that could result from delegating control of Group Policy creation, editing, and linking on an OU of computers and users, OR on site level, to an engineer who is only responsible for desktops and laptops (SUPPORT Engineer). I mean he is responsible for everything related to installing OS, software, and all kinds of OS and software settings for users (i.e. on their computers). He is not responsible for dealing with any activity related to servers or Active Directory.
Active Directory is totally managed by a system engineer responsible for AD, Exchange, and other print, share and application servers.
Would it harm to delegate control of Group Policy on an OU of computers and users or on sites to the SUPPORT Engineer since his area of responsibility is desktops and laptops?? Would that have any effect on servers and AD?
I hope you lead me to Microsoft articles and documents related to this IMPACT subject.
A small example:
1) If there is an OU that has 10 computer accounts and this SUPPORT Engineer has delegation of control to create group policies and link them to this OU, then how would this harm Active Directory and Domain Controllers? Also, I mean would creating a GPO and having it appear in Active Directory even without linking it to any container level (SITE, DOMAIN, OU), would that have any harm on the domain container containing it??
2) If there is a site that has computers and servers and this SUPPORT Engineer has delegation of control to create group policies and link them to this site, then how would this harm Active Directory, Domain Controllers, and servers? How could servers be excluded from any group policy applied on the site level, i.e. could block inheritance help if these servers are included in an OU?
Regards,
Tariq Ziad
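The detail Chriss3 raises in this thread (the delegation grants write access to both gpLink and gpOptions) can be checked from an OU's security descriptor. The Python code below is an added example, not part of the thread: it parses an SDDL string and lists the trustees whose allow ACEs can write those two attributes. The sample descriptor, the SID ending in 1105 and the `trusted` list are constructed for illustration.

```python
import re

# schemaIDGUIDs of the attributes a "manage Group Policy links" delegation covers
GP_ATTRS = {
    "f30e3bbe-9ff0-11d1-b603-0000f80367c1": "gPLink",
    "f30e3bbf-9ff0-11d1-b603-0000f80367c1": "gPOptions",
}
WRITE_CODES = {"WP", "GW", "GA"}            # write property, generic write, generic all
WRITE_MASK = 0x20 | 0x40000000 | 0x10000000  # the same three rights as a hex mask

def can_write_property(rights):
    """True if an SDDL rights field (two-letter codes or hex mask) includes write."""
    if rights.lower().startswith("0x"):
        return bool(int(rights, 16) & WRITE_MASK)
    return any(code in WRITE_CODES for code in re.findall("..", rights))

def gp_link_writers(sddl, trusted=()):
    """Sorted (trustee, attribute) pairs for allow ACEs that can write gPLink/gPOptions.

    Deny ACEs are not evaluated; inherit-only ACEs are reported because they
    still delegate the same rights on child OUs.
    """
    found = set()
    for ace in re.findall(r"\(([^()]*)\)", sddl):
        fields = ace.split(";")
        if len(fields) != 6:
            continue
        ace_type, _flags, rights, obj, _inherit_obj, trustee = fields
        if ace_type not in ("A", "OA") or trustee in trusted:
            continue
        if not can_write_property(rights):
            continue
        if not obj:                    # no object GUID: write covers every attribute
            found.update((trustee, name) for name in GP_ATTRS.values())
        elif obj.lower() in GP_ATTRS:  # write scoped to one of the two attributes
            found.add((trustee, GP_ATTRS[obj.lower()]))
    return sorted(found)

# Constructed sample: an OU descriptor after link management was delegated to RID 1105
HELPDESK = "S-1-5-21-1111111111-2222222222-3333333333-1105"
SAMPLE_SDDL = (
    "O:DAG:DAD:AI(A;;RPWPCCDCLCSWRCWDWOSDDT;;;DA)(A;CI;LCRPRC;;;AU)"
    f"(OA;CI;RPWP;f30e3bbe-9ff0-11d1-b603-0000f80367c1;;{HELPDESK})"
    f"(OA;CI;RPWP;f30e3bbf-9ff0-11d1-b603-0000f80367c1;;{HELPDESK})"
    "(OA;CI;RP;f30e3bbe-9ff0-11d1-b603-0000f80367c1;;AU)"
)

if __name__ == "__main__":
    for trustee, attr in gp_link_writers(SAMPLE_SDDL, trusted=("DA", "SY")):
        print(f"{trustee} can write {attr}")
```

A trustee that appears here for gPOptions can toggle block inheritance on that container, which is the effect described in the reply above.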