Agreed. And I don't believe policies somehow become easier to troubleshoot with exclusions, especially in a very large environment with a high level of delegation coupled with varying levels of skill sets.
 
In fact, given the way "Enforced" or "Block Policy" are visually marked in the GPMC console, I wish there was something to visually point at a particular policy with explicit exclusions. Or it would have been easier if they had given another area on the Scope tab, between "Security Filtering" and "WMI Filtering", stating the explicit exclusions.
 
--
Kamlesh
 
On 9/16/06, Darren Mar-Elia <[EMAIL PROTECTED]> wrote:
Yes, but there are times when you want to affect all machines or users in a domain and it's a pain to have to link those policies to every OU. Domain-linked GPOs are useful but you do have to be explicitly aware of what you're targeting. That's why I like using explicit security group filtering rather than implicit blocking or enforcing. It's easier to troubleshoot (esp. on Win2K without RSOP).
 
Darren
 


From: [EMAIL PROTECTED] [mailto: [EMAIL PROTECTED]] On Behalf Of Derek Harris
Sent: Friday, September 15, 2006 3:14 PM
Subject: RE: [ActiveDir] Block Inheritance on DC OU

 
It seems to me that a better solution is to only put the password policy into the default domain GPO, and create a separate GPO for any other settings to apply to the OUs.


From: [EMAIL PROTECTED] [mailto: [EMAIL PROTECTED]] On Behalf Of Kamlesh Parmar
Sent: Friday, September 15, 2006 2:38 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Block Inheritance on DC OU

 
Well, at one of the customers they have around 10 to 15 GPOs applied at the domain level, for various purposes ranging from software deployment to other settings.
So they didn't want many of those GPOs to be applied to domain controllers.
Above that, they have "block inheritance" enabled at various sub-OU levels.

So the only thing we could come up with to achieve what we wanted was to:
1) Block policy at the DC OU
2) Create a password policy at the domain level and enforce it.

This helped keep a consistent password policy across all OUs and the domain.
And it also "saved" DCs from domain-level general-purpose GPOs.

Long term, the solution is to rethink the OU structure.

Kamlesh
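Added example, not part of the thread: a PowerShell script (GroupPolicy and ActiveDirectory modules, RSAT or Windows Server 2008 R2 and later) that performs the two steps Kamlesh describes (block inheritance on the DC OU, link an enforced password policy GPO at the domain) and, as the alternative Darren prefers above, re-scopes the general-purpose domain GPOs with explicit security group filtering instead of relying on block/enforce. The domain name, OU paths, GPO names and the group name are assumptions for illustration; each approach ends with a check that shows what actually reaches the domain controllers.

```powershell
# Added example, not from the mailing-list thread.
# Assumptions (change for your environment): contoso.com, the GPO names below,
# and the group name 'GPO-Apply-GeneralPurpose'.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$DomainDN = 'DC=contoso,DC=com'
$DcOU     = "OU=Domain Controllers,$DomainDN"

# ---------- Approach 1 (Kamlesh): block at the DC OU, enforce password policy at the domain ----------

# 1) Block inheritance on the Domain Controllers OU
Set-GPInheritance -Target $DcOU -IsBlocked Yes | Out-Null

# 2) Password-policy GPO linked at the domain root and marked Enforced, so the block
#    on the DC OU does not stop it. Keep only account/password settings in this GPO.
$pwdName = 'Domain Password Policy'                      # assumed GPO name
$pwdGpo  = Get-GPO -Name $pwdName -ErrorAction SilentlyContinue
if (-not $pwdGpo) {
    $pwdGpo = New-GPO -Name $pwdName -Comment 'Account/password policy only'
}
# New-GPLink errors if the link already exists, so look before linking
$alreadyLinked = (Get-GPInheritance -Target $DomainDN).GpoLinks |
    Where-Object { $_.DisplayName -eq $pwdName }
if ($alreadyLinked) {
    Set-GPLink -Name $pwdName -Target $DomainDN -Enforced Yes | Out-Null
} else {
    New-GPLink -Name $pwdName -Target $DomainDN -LinkEnabled Yes -Enforced Yes | Out-Null
}

# Check: with the block in place, only Enforced links from above (plus the OU's own links)
# should show up in the effective link list for the DC OU.
$dcInh = Get-GPInheritance -Target $DcOU
"Inheritance blocked on DC OU: $($dcInh.GpoInheritanceBlocked)"
$dcInh.InheritedGpoLinks |
    Select-Object Order, DisplayName, Enforced, Enabled |
    Format-Table -AutoSize

# ---------- Approach 2 (Darren): leave inheritance alone, filter by an explicit group ----------

# A group that scopes the general-purpose domain GPOs; DC computer accounts are never added to it.
$applyGroup = 'GPO-Apply-GeneralPurpose'                 # assumed group name
if (-not (Get-ADGroup -Filter "Name -eq '$applyGroup'")) {
    New-ADGroup -Name $applyGroup -GroupScope Global -GroupCategory Security `
                -Path "CN=Users,$DomainDN" | Out-Null
}
# Every computer object except the domain controllers
$dcNames = (Get-ADDomainController -Filter *).Name
$members = Get-ADComputer -Filter * | Where-Object { $dcNames -notcontains $_.Name }
if ($members) { Add-ADGroupMember -Identity $applyGroup -Members $members }

# Re-scope each general-purpose domain GPO: Authenticated Users keeps Read (computers must
# still be able to read the GPO), Apply moves to the explicit group.
$generalGpos = 'Software Deployment', 'Workstation Settings'   # assumed GPO names
foreach ($name in $generalGpos) {
    Set-GPPermission -Name $name -TargetName 'Authenticated Users' -TargetType Group `
                     -PermissionLevel GpoRead -Replace | Out-Null
    Set-GPPermission -Name $name -TargetName $applyGroup -TargetType Group `
                     -PermissionLevel GpoApply | Out-Null

    # Check: list who can now apply this GPO; the DC accounts should not be reachable from here
    "Apply permission on '$name':"
    Get-GPPermission -Name $name -All |
        Where-Object { $_.Permission -eq 'GpoApply' } |
        Select-Object Trustee, Permission |
        Format-Table -AutoSize
}
```

Run it from a domain-joined admin workstation with RSAT; the GpoInheritanceBlocked / InheritedGpoLinks output from the first check is the quickest way to see which domain-linked GPOs still land on the DCs once the block is set, and the Get-GPPermission listing is the equivalent audit for the filtered approach.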

On 9/13/06, Darren Mar-Elia <[EMAIL PROTECTED]> wrote:
Well, the obvious effect is that it prevents domain-linked policies from being delivered correctly, including password policy. This is probably not desirable. I can't think of a good scenario where this would be useful.
 
Darren


From: [EMAIL PROTECTED] [mailto: [EMAIL PROTECTED]] On Behalf Of WATSON, BEN
Sent: Wednesday, September 13, 2006 9:37 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Block Inheritance on DC OU

 

The company I am currently working for has "block inheritance" enabled for the Domain Controllers OU, and apparently whoever enabled this setting is no longer with the company (or they won't fess up to why they did this).

 

Although I am curious: what sort of ramifications does enabling "block inheritance" on the Domain Controllers OU pose?  And what reason would you have to enable this setting on the Domain Controllers OU?  With any other OU it would be fairly obvious, but given that these are the domain controllers it would seem to be a unique situation.

 

Thanks as always for your input,

~Ben




--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Short-term actions X time = long-term accomplishments.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


