It works fine for normal computers or servers, when configured correctly.

Most errors I've seen were related to the ACLs on the GPO. If you just want the GPO to apply to a specific set of computers, you need to remove "Authenticated Users" from the ACL and instead grant read permissions for the security group which you've added the respective computer accounts to.

Now for GPOs on DCs it's a different story, since they need various permissions to replicate and do RSOP etc. on the GPOs, so removing Authenticated Users won't help much. In this case I've also used sub-OUs underneath the Domain Controllers OU, placed DCs into the correct sub-OU and then applied whatever GPOs to it. Naturally, you have to be careful when doing so not to overwrite critical settings which should be the same for all DCs. That's likely one of the reasons why sub-OUs for DCs are an ongoing supportability discussion at MS; depending on who you ask it's supported or not... I don't have a "final" statement myself, however DCDIAG in 2003 no longer considers placement of a DC in a sub-OU underneath the Domain Controllers OU an error or warning (as it did in 2000).

/Guido

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Tuesday, February 01, 2005 3:11 PM
To: [email protected]
Cc: [email protected]; [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Netlogon Polocies in W2K3 AD GP

Hi Ken

I do not think group based security filtering works on computers. We never got it to work anyway, although we only tried it once. Anybody have a definitive answer on this that goes beyond "I think"?

Regards,
James R. Day
Active Directory Core Team
Office of the Chief Information Officer
National Park Service
(202) 354-1464 (direct)
(202) 371-1549 (fax)
[EMAIL PROTECTED]

"Ken Cornetet" <[EMAIL PROTECTED]>
Sent by: [EMAIL PROTECTED]
02/01/2005 09:04 AM EST
Please respond to ActiveDir
To: <[email protected]>
cc: (bcc: James Day/Contractor/NPS)
Subject: RE: [ActiveDir] Netlogon Polocies in W2K3 AD GP

Can't you use groups to realize your "dream world"? Have groups for fastlink, hub, slow dc, etc, and use security filtering on the GPOs.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Tuesday, February 01, 2005 8:34 AM
To: [email protected]
Cc: [email protected]; [EMAIL PROTECTED]
Subject: Re: [ActiveDir] Netlogon Polocies in W2K3 AD GP

Hi Chandra

We played with it a little bit in our test lab. Definitely an improvement over making registry changes to force DCs to change SRV records (we did that in one domain with 15 DCs to make the main office the secondary site in case the onsite DC was down, and it was a fair bit of work to change and keep track of).

We did conclude that in order to make the GPO work you need to put separate OUs inside your Domain Controller OU, and only apply the settings on each OU. For instance, one of the settings is the Priority setting, with the lowest priority being the first one that DNS will provide in the authentication lookup. Changing that for all DCs does not change anything. Raising that value for all DCs except the one at your hub site will force your hub site to be the second choice for authentication after the DC within the site. We never checked to see how long it would take the changes to propagate out; we forced things by updating the GPO on the server, removing all the SRV records and forcing record reregistration to make the changes.

One other thing we found that adds to the hassle a little bit: not only do universal changes require that you use OUs to separate your Domain Controllers, the settings can only be applied either via registry or via GPO. There is a setting to let the DC ignore the GPO, but it ignores all settings in the GPO.

That being said, we are looking to use parts of the GPO in our live forest shortly to control authentication in the other regions. In a perfect world, I would love it if you could find a way to set these settings on a less global basis. Perhaps WMI filtering allows that; I have not played with that much. In my dream world, I would be able to say any DC that is designated a hub gets these settings, any DC that is designated a fast link gets these settings, any DC that is designated a slow link gets these settings, and any DC that starts with M gets these settings, and not have these be mutually exclusive (in essence a DC could get the hub, fast link, slow DC and starts-with-M settings all at the same time).

I gripe less when the coffee supply is greater.

James R. Day
Active Directory Core Team
Office of the Chief Information Officer
National Park Service
(202) 354-1464 (direct)
(202) 371-1549 (fax)
[EMAIL PROTECTED]

Chandra Burra <[EMAIL PROTECTED]>
Sent by: [EMAIL PROTECTED]
02/01/2005 07:49 AM EST
Please respond to ActiveDir
To: [email protected]
cc: (bcc: James Day/Contractor/NPS)
Subject: [ActiveDir] Netlogon Polocies in W2K3 AD GP

All,

Just wondering if someone has worked on the Netlogon policies in the W2K3 GP (system.adm). This has options to specify the site, DC SRV records and so on.... I was just going through them... Can someone highlight those that have been specifically tested and used?
Thanks,
Chandra

List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
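Guido's advice at the top of the thread (remove Authenticated Users from the GPO's ACL, grant Read and Apply to a security group holding the computer accounts, then verify), written out as an added example that is not part of the thread. It assumes the GroupPolicy module that ships with GPMC on Windows Server 2008 R2 and later, which post-dates the 2005 discussion; the GPO and group names are placeholders.

```powershell
# Added example (not from the thread): security-filter a GPO to one group of
# computer accounts, then verify the resulting ACL.
# Assumption: GroupPolicy module (GPMC) is installed; names are placeholders.
Import-Module GroupPolicy

$GpoName   = 'Netlogon - Hub DCs'        # placeholder GPO name
$GroupName = 'GPO-Apply-Netlogon-HubDCs' # placeholder global security group

# 1. Grant the target group Read + Apply Group Policy (GpoApply covers both).
Set-GPPermission -Name $GpoName -TargetName $GroupName -TargetType Group `
    -PermissionLevel GpoApply

# 2. Remove Authenticated Users so only members of $GroupName apply the GPO.
Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' `
    -TargetType Group -PermissionLevel None

# 3. Caveat that post-dates the thread: since MS16-072 (2016) the computer
#    account must be able to read a GPO for user-side settings to be
#    retrieved, so keep a Read ACE for Domain Computers when Authenticated
#    Users is gone. Read alone does not make the GPO apply.
Set-GPPermission -Name $GpoName -TargetName 'Domain Computers' `
    -TargetType Group -PermissionLevel GpoRead

# 4. Verify: list every trustee and its permission level on the GPO. Expect
#    $GroupName = GpoApply, Domain Computers = GpoRead, and no
#    Authenticated Users entry; Enterprise Domain Controllers keeps its
#    default Read, which is what lets DCs replicate and report on the GPO.
Get-GPPermission -Name $GpoName -All |
    Select-Object @{n='Trustee';e={$_.Trustee.Name}}, Permission |
    Sort-Object Trustee | Format-Table -AutoSize
```

Guido's point about DCs still stands: this filtering controls which computers apply the GPO, but a GPO linked to the Domain Controllers OU is still read and replicated by every DC, so use it together with his sub-OU approach rather than instead of it.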
