I hear you joe. I think it depends upon the environment and
its goals. I'm generally against implicit stuff like blocking flags because it's
hard for people to troubleshoot. I'm also not terribly thrilled with the notion,
in large environments, of having to manage 10s or 100s of gplinks and their
attendant flags (enabled, disabled, enforced) separately when the target is the
entire domain anyway, esp. if you have lots of nested OUs because then you have
to expect people to make consistent decisions about where in the hierarchy they
need to link, and over time, it just gets messy. But frankly security group
filtering can suffer the same complexity problems and groups are probably less
well maintained than OU structure in most orgs. I think security group filtering
is best used as an exception mechanism rather than a normal course of things. As
an exception mechanism, I tend to prefer it over blocking or enforcing.
d.
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of joe
Sent: Friday, September 15, 2006 6:24 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Block Inheritance on DC OU
For a point / counter point kind of discussion. I am
against, generally speaking[1], group filtering on GPOs as I have seen it go
horribly wrong[2] and would rather look at putting the links on the OUs. I don't
find that to be a particularly painful task, especially considering that I
usually push for a very fixed OU structure such that when a new site or what not
is spun up, there is a script that sets the entire OU structure up including
needed admin groups, any delegation, and any gPLinks.
joe
[1] Meaning I am not absolutely against it but it needs to
be a great reason. Say something for auto deploying certs and you have no
matching OU structure for the deployment you want to implement.
[2] Once saw an ACL reset on GPOs when a script that
worked perfectly in the lab blew up in production and the resultant set of
policies was a completely locked down kiosk that was applied to
hundreds of thousands of users and machines (both workstations and servers)
across the world. Thankfully it occurred on a Wednesday evening 6PM EST so the
fallout was not 100% but mostly only on the west coast of the US and
Australia/New Zealand. Nope, I didn't write the script. ;o) I have seen
lesser issues and heard of some other folks who have run into some fun with
them.
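Both joe's ACL-reset story above and the earlier point about using security group filtering only as an exception mechanism come down to knowing, at any moment, which GPOs are filtered and which have lost their Apply ACEs. The following inventory script is an added example, not code from the thread or from any of its participants. It assumes the GroupPolicy PowerShell module (RSAT) is installed, that the caller can read every GPO's permissions, and that the baseline file path is a placeholder to be adjusted; the Authenticated Users SID `S-1-5-11` is a well-known SID.

```powershell
# Added example: inventory GPO security filtering and compare it with a saved
# baseline so that group-filtered GPOs (the "exception" cases) and GPOs whose
# Apply ACEs have been stripped or reset are visible before clients pick them up.
Import-Module GroupPolicy

$baselinePath = 'C:\GPO-Audit\filtering-baseline.csv'   # placeholder location (assumption)

$report = foreach ($gpo in Get-GPO -All) {
    $perms   = Get-GPPermission -Guid $gpo.Id -All
    # Allow ACEs that grant Apply Group Policy
    $applyTo = $perms | Where-Object { $_.Permission -eq 'GpoApply' -and -not $_.Denied }
    # Deny ACEs of any kind (a Deny Apply on a group is the classic filtering trick)
    $denied  = $perms | Where-Object { $_.Denied }
    # Authenticated Users (well-known SID S-1-5-11) holding Apply means "no filtering"
    $authUsersApply = $applyTo | Where-Object { $_.Trustee.Sid.Value -eq 'S-1-5-11' }

    $mode = if ($authUsersApply) { 'Default (Authenticated Users)' }
            elseif ($applyTo)    { 'Group-filtered' }
            else                 { 'Applies to nobody' }

    [pscustomobject]@{
        Name    = $gpo.DisplayName
        Mode    = $mode
        ApplyTo = (@($applyTo.Trustee.Name) | Sort-Object) -join ';'
        DenyTo  = (@($denied.Trustee.Name)  | Sort-Object) -join ';'
    }
}

if (Test-Path $baselinePath) {
    # Compare today's filtering state with the saved baseline; any difference is
    # a change in who a GPO applies to, which is exactly what an ACL reset looks like.
    $baseline = Import-Csv -Path $baselinePath
    $diff = Compare-Object -ReferenceObject $baseline -DifferenceObject $report `
                           -Property Name, Mode, ApplyTo, DenyTo
    if ($diff) {
        Write-Warning 'GPO security filtering differs from the baseline:'
        $diff | Format-Table Name, Mode, ApplyTo, DenyTo, SideIndicator -AutoSize
    } else {
        'GPO security filtering matches the baseline.'
    }
} else {
    New-Item -ItemType Directory -Force -Path (Split-Path -Parent $baselinePath) | Out-Null
    $report | Export-Csv -Path $baselinePath -NoTypeInformation
    "Baseline written to $baselinePath"
}

# Always list the exceptions: anything that is not the plain Authenticated Users default.
'GPOs that are group-filtered or apply to nobody:'
$report | Where-Object { $_.Mode -ne 'Default (Authenticated Users)' } |
    Format-Table Name, Mode, ApplyTo, DenyTo -AutoSize
```

Run it once to write the baseline, then on a schedule (or before and after any script that touches GPO ACLs) so that a GPO silently changing from "Group-filtered" to "Default (Authenticated Users)" is caught as a diff rather than discovered when the wrong machines start applying it.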
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Darren Mar-Elia
Sent: Friday, September 15, 2006 6:48 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Block Inheritance on DC OU
Yes, but there are times when you want to affect all
machines or users in a domain and it's a pain to have to link those policies to
every OU. Domain-linked GPOs are useful but you do have to be explicitly aware
of what you're targeting. That's why I like using explicit security group
filtering rather than implicit blocking or enforcing. It's easier to troubleshoot
(esp. on Win2K without RSOP).
Darren
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Derek Harris
Sent: Friday, September 15, 2006 3:14 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Block Inheritance on DC OU
It seems to me that a better solution is to only put the
password policy into the default domain GPO, and create a separate GPO for any
other settings to apply to the OUs.
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Kamlesh Parmar
Sent: Friday, September 15, 2006 2:38 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Block Inheritance on DC OU
So they didn't want many of those GPOs to be applied to domain controllers.
Above that, they have "block inheritance" enabled at various sub-OU levels.
So the only thing we could come up with to achieve what we wanted was to:
1) Block policy at DC OU
2) Create Password Policy at Domain level and enforce it.
This helped for keeping a consistent password policy across all OUs and Domain.
And also "saving" DCs from domain level general purpose GPOs.
Long term, the solution is to rethink the OU structure.
Kamlesh
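The arrangement Kamlesh describes (block inheritance at the DC OU, enforce a domain-level password policy GPO so it still gets through) only works as long as the enforced flag survives and nothing else that the DCs need is left unenforced; Derek's variant keeps the password policy in the default domain GPO. The script below is an added example, not code from the thread or from any of its participants, that audits that state. It assumes the GroupPolicy and ActiveDirectory PowerShell modules (RSAT), read access to the domain's GPO links, and that the domain password policy lives in the GPO named "Default Domain Policy" (the default name; adjust if the domain uses a different one).

```powershell
# Added example: check what the "block inheritance at the DC OU + enforced
# domain password policy" setup actually delivers to the domain controllers.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$passwordPolicyGpo = 'Default Domain Policy'   # assumption: where the password policy is kept

$domain   = Get-ADDomain
$domainDn = $domain.DistinguishedName
$dcOuDn   = $domain.DomainControllersContainer   # normally OU=Domain Controllers,<domain DN>

# 1) Is inheritance blocked at the Domain Controllers OU?
$dcInheritance = Get-GPInheritance -Target $dcOuDn
if ($dcInheritance.GpoInheritanceBlocked) {
    Write-Warning "Block Inheritance is set on $dcOuDn; only enforced GPOs linked above it reach the DCs."
} else {
    "Inheritance is not blocked on $dcOuDn."
}

# 2) Split the domain-linked GPOs into enforced (still reach the DCs) and not enforced (blocked).
$domainLinks = (Get-GPInheritance -Target $domainDn).GpoLinks | Where-Object { $_.Enabled }
$enforced    = $domainLinks | Where-Object { $_.Enforced }
$notEnforced = $domainLinks | Where-Object { -not $_.Enforced }

'Domain-linked GPOs that are enforced (delivered to the DCs despite the block):'
$enforced | Format-Table DisplayName, Order -AutoSize

if ($dcInheritance.GpoInheritanceBlocked -and $notEnforced) {
    'Domain-linked GPOs that will NOT reach the DCs because of the block:'
    $notEnforced | Format-Table DisplayName, Order -AutoSize
}

# 3) The list the DCs actually process, in precedence order, after blocking and enforcement.
'Effective GPO links at the DC OU (inherited and direct):'
$dcInheritance.InheritedGpoLinks | Format-Table DisplayName, Enforced, Target -AutoSize

# 4) The check that matters most: does the password-policy GPO still arrive at the DC OU?
$reachesDcs = $dcInheritance.InheritedGpoLinks |
    Where-Object { $_.DisplayName -eq $passwordPolicyGpo }
if (-not $reachesDcs) {
    Write-Warning "'$passwordPolicyGpo' does not reach $dcOuDn; the domain password policy will not be applied."
} else {
    "'$passwordPolicyGpo' reaches the DC OU (enforced: $($reachesDcs.Enforced))."
}
```

The fourth check is the one Darren's reply to Ben is about: with the block in place and the password-policy link not enforced, the DCs never process the domain password policy, and the only symptom is that the account lockout and password settings in effect are not the ones the GPO says they are.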
On 9/13/06, Darren Mar-Elia <[EMAIL PROTECTED]> wrote:
Well, the obvious effect is that it prevents domain-linked policies from being delivered correctly, including password policy. This is probably not desirable. I can't think of a good scenario where this would be useful.
Darren
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of WATSON, BEN
Sent: Wednesday, September 13, 2006 9:37 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Block Inheritance on DC OU
The company I am currently working for has "block inheritance" enabled for the Domain Controller's OU and apparently whoever enabled this setting is no longer with the company (or they won't fess up to why they did this).
Although I am curious, what sort of ramifications does enabling "block inheritance" on the Domain Controller's OU pose? And what reason would you have to enable this setting on the Domain Controller's OU? With any other OU, it would be fairly obvious, but being that these are the Domain Controllers it would seem to be a unique situation.
Thanks as always for your input,
~Ben
--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Short-term actions X time = long-term accomplishments.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~