Are we actually talking blocking GPO inheritance, or ACL inheritance?
If GPO, I tend to agree with Darren (as with anything on GPO :)), as I don't think that any change in either the Default Domain or the Default Domain Controllers policy should be implemented without testing (so if blocking the GPOs was set up to "protect the DCs", it should give you more headaches than benefits, as you'd need to apply all policy settings from the domain policy separately to the Default Domain Controllers policy).
If ACLs on the OU, I wouldn't say it's a big deal. All the ACLs required for the DCs to do their work are set explicitly at the DC OU level. The inheritance really only matters for the "pre-Win2K compatible group" ACE, which is not required on the DC OU (it just happens to be set for inheritance from the root of the domain). I'm not saying it's a good idea to block ACL inheritance on this OU, but it doesn't hurt you.
/Guido
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia
Sent: Wednesday, September 13, 2006 6:59 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Block Inheritance on DC OU
Well, the obvious effect is that it prevents domain-linked policies from being delivered correctly, including password policy. This is probably not desirable. I can't think of a good scenario where this would be useful.
Darren

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of WATSON, BEN
Sent: Wednesday, September 13, 2006 9:37 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Block Inheritance on DC OU

The company I am currently working for has "Block Inheritance" enabled on the Domain Controllers OU, and apparently whoever enabled this setting is no longer with the company (or they won't fess up to why they did it).
Out of curiosity, what sort of ramifications does enabling "Block Inheritance" on the Domain Controllers OU pose? And what reason would you have to enable this setting on the Domain Controllers OU? With any other OU it would be fairly obvious, but since these are the Domain Controllers it would seem to be a unique situation.
Thanks as always for your input,

~Ben
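The thread turns on two different things that can both be "blocked" on the Domain Controllers OU: GPO inheritance (which stops domain-linked policies, including the Default Domain Policy, from reaching the DCs unless the link is Enforced) and ACL inheritance on the OU object itself. The following PowerShell script is an added example, not code from any of the posters, that audits both on the current domain's DC OU. It assumes the GroupPolicy and ActiveDirectory RSAT modules are installed and that it runs in a domain-joined session with rights to read GPO links and the OU's security descriptor; the domain name in the comments is a placeholder.

```powershell
# Added example (not from the original thread): audit GPO and ACL inheritance on the DC OU.
# Assumption: GroupPolicy + ActiveDirectory modules available, domain-joined admin session.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$domain = Get-ADDomain
$dcOu   = $domain.DomainControllersContainer   # e.g. OU=Domain Controllers,DC=corp,DC=example (placeholder)

# --- 1. GPO inheritance -------------------------------------------------------
# "Block Inheritance" on the OU shows up as GpoInheritanceBlocked = True.
$dcInheritance = Get-GPInheritance -Target $dcOu
"GPO inheritance blocked on '$dcOu': $($dcInheritance.GpoInheritanceBlocked)"

# Domain-linked GPOs: with blocking on, only Enforced links still reach the DCs.
$domainLinks = (Get-GPInheritance -Target $domain.DistinguishedName).GpoLinks
"`nDomain-level links and whether they still reach the DC OU:"
foreach ($link in $domainLinks) {
    $reachesDcs = (-not $dcInheritance.GpoInheritanceBlocked) -or $link.Enforced
    "{0,-45} Enabled={1,-5} Enforced={2,-5} reaches DCs={3}" -f `
        $link.DisplayName, $link.Enabled, $link.Enforced, $reachesDcs
}

# What the DC OU actually receives after blocking/enforcement, in precedence order.
"`nEffective GPO links on the DC OU (highest precedence first):"
$dcInheritance.InheritedGpoLinks |
    Select-Object Order, DisplayName, Enabled, Enforced, Target |
    Format-Table -AutoSize

# --- 2. ACL inheritance -------------------------------------------------------
# A protected security descriptor means "Include inheritable permissions" is off on the OU.
$acl = Get-Acl -Path "AD:\$dcOu"
"ACL inheritance blocked on DC OU: $($acl.AreAccessRulesProtected)"

# ACEs that are currently inherited from parents (none when inheritance is blocked).
"`nInherited ACEs on the DC OU:"
$acl.Access |
    Where-Object { $_.IsInherited } |
    Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType, InheritedObjectType |
    Format-Table -AutoSize
```

Run it as a domain administrator on a management host. If `GpoInheritanceBlocked` is True, the second table is the authoritative answer to "which domain policies still apply here": anything listed with Enforced=False under the domain DN is silently not reaching the DCs, which is the effect Darren describes. To confirm from a DC's own point of view, `gpresult /s <dcname> /scope computer /r` lists the GPOs the machine actually applied.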
