[ActiveDir] Block Inheritance on DC OU

2006-09-13 Thread WATSON, BEN

The company I am currently working for has “block inheritance” enabled for the Domain Controller’s OU and apparently whoever enabled this setting is no longer with the company (or they won’t fess up to why they did this).

Although I am curious, what sort of ramifications does enabling “block inheritance” on the Domain Controller’s OU pose? And what reason would you have to enable this setting on the Domain Controller’s OU? With any other OU, it would be fairly obvious, but being that these are the Domain Controllers it would seem to be a unique situation.

Thanks as always for your input,

~Ben








RE: [ActiveDir] Block Inheritance on DC OU

2006-09-13 Thread Dave Wade

It prevents you locking yourself out of DCs due to policy being applied at the domain level. I think it's a "good thing". Only trouble is I am not sure it protects against site policies.



**
This email and any files transmitted with it are confidential and
intended solely for the use of the individual or entity to whom they
are addressed. As a public body, the Council may be required to disclose this email,  or any response to it,  under the Freedom of Information Act 2000, unless the information in it is covered by one of the exemptions in the Act. 

If you receive this email in error please notify Stockport e-Services via [EMAIL PROTECTED] and then permanently remove it from your system. 

Thank you.

http://www.stockport.gov.uk
**




RE: [ActiveDir] Block Inheritance on DC OU

2006-09-13 Thread Darren Mar-Elia

Well, the obvious effect is that it prevents domain-linked policies from being delivered correctly, including password policy. This is probably not desirable. I can't think of a good scenario where this would be useful.

Darren




RE: [ActiveDir] Block Inheritance on DC OU

2006-09-14 Thread Grillenmeier, Guido

Are we actually talking blocking GPO inheritance, or ACL inheritance?

If GPO I tend to agree with Darren (as with anything on GPO :-)), as I don’t think that any change in either the Default Domain or the Default Domain Controller policy should be implemented without testing (so if blocking the GPOs was set up to “protect the DCs” it should give you more headaches than benefits as you’d need to apply all policy settings from the domain policy separately to the default DC policy).

If ACLs on the OU, I wouldn’t say it’s a big deal. All the ACLs required for the DCs to do their work are set explicitly at the DC OU level. The inheritance really only matters for the “pre-win2k compatible group” ACE, which is not required on the DC OU (just happens to be set for inheritance from the root of the domain). Not saying it’s a good idea to block ACL inheritance on this OU, but it doesn’t hurt you.

/Guido

 













RE: [ActiveDir] Block Inheritance on DC OU

2006-09-14 Thread Dave Wade

You say "obvious" but is this obvious? What happens in the case of password policy? This can only be set at the top level of the domain. Does this block actually prevent it being applied? I would guess that it does, but I wonder if anyone has tested it or has any docs on what actually happens.
 
 

 






RE: [ActiveDir] Block Inheritance on DC OU

2006-09-14 Thread Derek Harris

I did it a couple years ago, and found out that it does block the password policy. It seems intuitive that it shouldn't, but it does.




RE: [ActiveDir] Block Inheritance on DC OU

2006-09-14 Thread Darren Mar-Elia

To me it seems intuitive that GP processing would behave the same way for DCs as it would for other computers. And to answer the question, yes I have confirmed this in testing numerous times over the years, most recently the day Ben asked the question.

Darren

List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx


Re: [ActiveDir] Block Inheritance on DC OU

2006-09-15 Thread Paul Williams

Darren,

Can you please confirm your testing? As I understand it, account policy is processed very differently - the PDCe applies it to the domain NC head via a process called SCE (can't remember what that stands for).

I also tried to confirm this, and am getting slightly different results to what you say. Basically, I just blocked inheritance on OU=Domain Controllers... and forced policy application (gpupdate /force) on the PDCe and another DC in the same site. I then ran RSoP and no password policy is defined on the DCs. However, the password policy is still in effect (because it hasn't been removed from the domainDNS object). I also have a GPO linked to the DCs OU which defines a pwd length of 6. That doesn't show up in RSoP data nor is it applied - I have to create an 8 character length password. This is very limited, and I obviously haven't exhausted the testing, but this is what I expected based on my understanding of the PDCe writing those values on the NC head after reading them, out of band if you like, from domain-linked GPOs.

Note: I've no idea if this SCE thread on the PDCe runs independently of normal policy application or not. I was hoping you would know. But based on your response, I'm starting to question my understanding... as you are GPO ;-)

--Paul



RE: [ActiveDir] Block Inheritance on DC OU

2006-09-15 Thread Dave Wade

Darren,

While that also seems intuitive to me, patently something odd happens. It is clearly documented (well, I hope it is; it's certainly my understanding) that you can only set password policy on the Domain in a top level GPO, not one applied directly to the "domain controllers" OU. Therefore something odd must happen.

Dave.



Re: [ActiveDir] Block Inheritance on DC OU

2006-09-15 Thread Kamlesh Parmar

Well at one of the customers, they have around 10 to 15 GPOs applied at domain level, for various purposes ranging from software deployment to other settings. So they didn't want many of those GPOs to be applied to domain controllers.

Above that, they have "block inheritance" enabled at various sub-OU levels. So the only thing we could come up with to achieve what we wanted was to:

1) Block policy at DC OU
2) Create Password Policy at Domain level and enforce it.

This helped for keeping a consistent password policy across all OUs and Domain. And also "saving" DCs from domain level general purpose GPOs. Long term, the solution is to rethink the OU structure.

Kamlesh







-- ~Short-term actions X time = long-term accomplishments.~


RE: [ActiveDir] Block Inheritance on DC OU

2006-09-15 Thread Darren Mar-Elia

I just prefer using security group filtering over block and enforced flags. In your scenario I would have added explicit denies for the DC group to those GPOs that should not have applied rather than block inheritance.

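A PowerShell audit script, added here as an illustration and not something posted in the thread, that checks the three things the posts above turn on: Paul's point that the effective password policy lives on the domain NC head rather than in RSoP on a DC, Kamlesh's reliance on an enforced domain-level link to get through a block on the DC OU, and Darren's explicit-deny security filtering as the alternative. It assumes a domain-joined host with the RSAT ActiveDirectory and GroupPolicy modules, read access to the domain, and the English group name "Domain Controllers".

```powershell
# Added example, not from the ActiveDir thread. Requires the RSAT
# ActiveDirectory and GroupPolicy modules on a domain-joined host.
Import-Module ActiveDirectory
Import-Module GroupPolicy

function Get-DcOuPolicyAudit {
    $domain   = Get-ADDomain
    $domainDn = $domain.DistinguishedName
    $dcOuDn   = "OU=Domain Controllers,$domainDn"

    # 1. Is GPO inheritance blocked on the DC OU? gPOptions bit 0 is the
    #    "block policy inheritance" flag; Get-GPInheritance reports the same.
    $dcOu    = Get-ADObject -Identity $dcOuDn -Properties gPOptions
    $dcInh   = Get-GPInheritance -Target $dcOuDn
    $blocked = (($dcOu.gPOptions -band 1) -eq 1) -or $dcInh.GpoInheritanceBlocked

    # 2. Domain-linked GPOs: an enforced link still reaches the DC OU through a
    #    block, a plain link does not. Also record any explicit Deny ACE for the
    #    Domain Controllers group (assumed English group name), which is the
    #    security-filtering alternative to blocking. GPO status and WMI filters
    #    are ignored here.
    $domainLinks = foreach ($link in (Get-GPInheritance -Target $domainDn).GpoLinks) {
        $deny = Get-GPPermission -Guid $link.GpoId -All |
            Where-Object { $_.Denied -and $_.Trustee.Name -eq 'Domain Controllers' }
        [pscustomobject]@{
            Gpo          = $link.DisplayName
            Enabled      = $link.Enabled
            Enforced     = $link.Enforced
            DeniedForDCs = [bool]$deny
            ReachesDcOu  = $link.Enabled -and (-not $deny) -and ($link.Enforced -or -not $blocked)
        }
    }

    # 3. The password policy actually in force is what the PDC emulator wrote to
    #    the domain NC head (minPwdLength, pwdHistoryLength, maxPwdAge, ...).
    #    RSoP on a DC can show no password policy while this is still applied.
    $pol = Get-ADDefaultDomainPasswordPolicy

    [pscustomobject]@{
        DomainControllersOu       = $dcOuDn
        InheritanceBlocked        = $blocked
        GposAppliedToDcOu         = @($dcInh.InheritedGpoLinks | Select-Object -ExpandProperty DisplayName)
        DomainLinkedGpos          = $domainLinks
        EffectiveMinPwdLength     = $pol.MinPasswordLength
        EffectivePwdHistory       = $pol.PasswordHistoryCount
        EffectiveMaxPwdAge        = $pol.MaxPasswordAge
        EffectiveComplexity       = $pol.ComplexityEnabled
        EffectiveLockoutThreshold = $pol.LockoutThreshold
    }
}

$audit = Get-DcOuPolicyAudit
$audit | Format-List
$audit.DomainLinkedGpos | Format-Table -AutoSize
```

A domain-linked GPO that shows Enforced=False and ReachesDcOu=False while InheritanceBlocked is True is exactly the case the thread describes: the DCs never process it, yet the password settings it carries can still be in force on the domain head.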


RE: [ActiveDir] Block Inheritance on DC OU

2006-09-15 Thread Derek Harris

It seems to me that a better solution is to only put the password policy into the default domain GPO, and create a separate GPO for any other settings to apply to the OUs.




RE: [ActiveDir] Block Inheritance on DC OU

2006-09-15 Thread Darren Mar-Elia

Yes, but there are times when you want to affect all machines or users in a domain and it's a pain to have to link those policies to every OU. Domain-linked GPOs are useful but you do have to be explicitly aware of what you're targeting. That's why I like using explicit security group filtering rather than implicit blocking or enforcing. It's easier to troubleshoot (esp. on Win2K without RSOP).

Darren
 




RE: [ActiveDir] Block Inheritance on DC OU

2006-09-15 Thread joe

For a point / counter point kind of discussion. I am against, generally speaking[1], group filtering on GPOs as I have seen it go horribly wrong[2] and would rather look at putting the links on the OUs. I don't find that to be a particularly painful task, especially considering that I usually push for a very fixed OU structure such that when a new site or whatnot is spun up, there is a script that sets the entire OU structure up including needed admin groups, any delegation, and any gPLinks.

  joe

[1] Meaning I am not absolutely against it but it needs to be a great reason. Say something for auto deploying certs and you have no matching OU structure for the deployment you want to implement.

[2] Once saw an ACL reset on GPOs when a script that worked perfectly in the lab blew up in production and the resultant set of policies was a completely locked down kiosk that was applied to hundreds of thousands of users and machines (both workstations and servers) across the world. Thankfully it occurred on a Wednesday evening 6PM EST so the fallout was not 100% but mostly only on the west coast of the US and Australia/New Zealand. Nope, I didn't write the script. ;o) I have seen lesser issues and heard of some other folks who have run into some fun with them.

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm
 
 


From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of Darren 
Mar-EliaSent: Friday, September 15, 2006 6:48 PMTo: 
ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] Block 
Inheritance on DC OU

Yes, but there are times when you want to affect all machines or users in a domain and it's a pain to have to link those policies to every OU. Domain-linked GPOs are useful but you do have to be explicitly aware of what you're targeting. That's why I like using explicit security group filtering rather than implicit blocking or enforcing. It's easier to troubleshoot (esp. on Win2K without RSOP). 
 
Darren
 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Derek Harris
Sent: Friday, September 15, 2006 3:14 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Block Inheritance on DC OU

It seems to me that a better solution is to only put the 
password policy into the default domain GPO, and create a separate GPO for any 
other settings to apply to the OUs. 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Kamlesh Parmar
Sent: Friday, September 15, 2006 2:38 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Block Inheritance on DC OU

Well, at one of the customers, they have around 10 to 15 GPOs applied at domain level, for various purposes ranging from software deployment to other settings. So they didn't want many of those GPOs to be applied to domain controllers. Above that, they have "block inheritance" enabled at various sub-OU levels. So the only thing we could come up with to achieve what we wanted was to:
1) Block policy at DC OU
2) Create Password Policy at Domain level and enforce it.
This helped for keeping a consistent password policy across all OUs and Domain, and also "saving" DCs from domain level general purpose GPOs. Long term, the solution is to rethink the OU structure.
Kamlesh

On 9/13/06, Darren Mar-Elia <[EMAIL PROTECTED]> wrote: 

  
  
  Well, the 
  obvious effect is that it prevents domain-linked policies from being delivered 
  correctly, including password policy. This is probably not desirable. I can't 
  think of a good scenario where this would be useful. 
   
  Darren
  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of WATSON, BEN
  Sent: Wednesday, September 13, 2006 9:37 AM
  To: ActiveDir@mail.activedir.org
  Subject: [ActiveDir] Block Inheritance on DC OU
  
  
  
  The company I am currently working for has "block inheritance" enabled for 
  the Domain Controller's OU and apparently whoever enabled this setting is no 
  longer with the company (or they won't fess up to why they did this).
   
  Although I am curious, what sort of ramifications does enabling "block 
  inheritance" on the Domain Controller's OU pose?  And what reason would 
  you have to enable this setting on the Domain Controller's OU?  With any 
  other OU, it would be fairly obvious, but being that these are the Domain 
  Controllers it would seem to be a unique situation.
   
  Thanks as always for your input,
  ~Ben
  -- 
~Short-term actions X time = long-term 
accomplishments.~ 


RE: [ActiveDir] Block Inheritance on DC OU

2006-09-15 Thread Darren Mar-Elia



I hear you joe. I think it depends upon the environment and its goals. I'm generally against implicit stuff like blocking flags because it's hard for people to troubleshoot. I'm also not terribly thrilled with the notion, in large environments, of having to manage 10s or 100s of gPLinks and their attendant flags (enabled, disabled, enforced) separately when the target is the entire domain anyway, esp. if you have lots of nested OUs, because then you have to expect people to make consistent decisions about where in the hierarchy they need to link, and over time it just gets messy. But frankly security group filtering can suffer the same complexity problems, and groups are probably less well maintained than OU structure in most orgs. I think security group filtering is best used as an exception mechanism rather than a normal course of things. As an exception mechanism, I tend to prefer it over blocking or enforcing. 

 
d.



RE: [ActiveDir] Block Inheritance on DC OU

2006-09-15 Thread joe



Yep yep. Good arguments for standardization of OU hierarchy 
and overall automated management of the OU's. :)
 

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm 
 
 



Re: [ActiveDir] Block Inheritance on DC OU

2006-09-16 Thread Kamlesh Parmar
Agreed. And I don't believe somehow that policies become easier to troubleshoot with exclusions, especially in a very large environment with a high level of delegation coupled with varying levels of skill sets.
 
In fact, given the way "Enforced" or "Block Policy" are visually marked in the GPMC console, I wish there was something to visually point at a particular policy with explicit exclusions. Or it would have been easier if they had given another area on the Scope tab, between "Security Filtering" and "WMI Filtering", stating the explicit exclusions.
 
--
Kamlesh
 
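An added example, not code from this thread or from any of the posters: a PowerShell audit of the situation Darren and Kamlesh describe, which lists every OU that has "Block Inheritance" set, shows which domain-linked GPOs still reach it (only enforced links survive the block), and warns when the Domain Controllers OU no longer receives the Default Domain Policy. It assumes the RSAT GroupPolicy and ActiveDirectory modules, which post-date this 2006 thread, and that the domain policy still carries its default display name; the function name is mine.

```powershell
# Added example, not from the thread. Requires the RSAT GroupPolicy and
# ActiveDirectory modules (Windows Server 2008 R2 / Windows 7 and later).
Import-Module GroupPolicy
Import-Module ActiveDirectory

function Get-BlockedInheritanceReport {
    # Hypothetical helper name. Emits one record per domain-linked GPO for each
    # OU that blocks inheritance, stating whether that GPO still applies there.
    [CmdletBinding()]
    param()

    $domain = Get-ADDomain
    $dcOuDn = $domain.DomainControllersContainer
    # GPOs linked at the domain root, in link order, with their Enforced flag.
    $domainLinks = (Get-GPInheritance -Target $domain.DistinguishedName).GpoLinks

    foreach ($ou in Get-ADOrganizationalUnit -Filter *) {
        $inh = Get-GPInheritance -Target $ou.DistinguishedName
        if (-not $inh.GpoInheritanceBlocked) { continue }

        $isDcOu = ($ou.DistinguishedName -eq $dcOuDn)
        # What the OU actually inherits: its own links plus enforced parent links.
        $effective = @($inh.InheritedGpoLinks | ForEach-Object { $_.DisplayName })

        foreach ($link in $domainLinks) {
            [PSCustomObject]@{
                OU           = $ou.DistinguishedName
                IsDcOu       = $isDcOu
                Gpo          = $link.DisplayName
                Enforced     = $link.Enforced
                # An enforced domain link is applied despite the block;
                # a non-enforced one is dropped unless linked again lower down.
                StillApplies = ($effective -contains $link.DisplayName)
            }
        }

        # The default display name is assumed; adjust if the GPO was renamed.
        if ($isDcOu -and ($effective -notcontains 'Default Domain Policy')) {
            Write-Warning ("Domain Controllers OU blocks inheritance and does not " +
                "receive 'Default Domain Policy'; domain password policy will not reach the DCs.")
        }
    }
}

# Usage: show every blocked domain link, Domain Controllers OU first.
Get-BlockedInheritanceReport |
    Sort-Object IsDcOu -Descending |
    Format-Table OU, Gpo, Enforced, StillApplies -AutoSize
```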