| Author | Messages | |
Brad_Smith
Posts:17
 | | 04/21/2008 11:45 AM |
| Hey All,
Has anyone come across issues with using restricted groups within the
Default Domain Controllers GPO to configure membership of EA and DA?
Brad
This email and any attached files are confidential and copyright protected. If you are not the addressee, any dissemination of this communication is strictly prohibited. Unless otherwise expressly agreed in writing, nothing stated in this communication shall be legally binding.
The ultimate parent company of the Atkins Group is WS Atkins plc. Registered in England No. 1885586. Registered Office Woodcote Grove, Ashley Road, Epsom, Surrey KT18 5BW. A list of wholly owned Atkins Group companies registered in the United Kingdom can be found at http://www.atkinsglobal.com/terms_and_conditions/index.aspx
Consider the environment. Please don't print this e-mail unless you really need to.
List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ma/default.aspx
| | | |
| ZJORZ
Posts:100
| | 04/22/2008 10:51 AM |
| In the end it will work, but won't that cause all DCs to make the change to domain groups targeted at (almost) the same time and therefore causing unneeded repl traffic
Also see:
http://sdmsoftware.com/blog/2007/10/restricted_groups_policy.html
http://blogs.dirteam.com/blogs/gpoguy/archive/2006/08/21/Restricted-Groups-policy-and-AD-groups_2D002D00_not-a-good-idea.aspx
wouldn't it be better to have a GPO to leverage restricted groups for AD groups on the PDC FSMO ONLY for example?
Met vriendelijke groeten / Kind regards,
Ing. Jorge de Almeida Pinto
Senior Consultant
MVP Identity & Access - Directory Services
Oxford Computer Group Benelux | (: +31 (0)6 26.26.62.80 | (: +31 (0)33 454.69.50 | 7: +31 (0)33 454.66.66 | -: Hardwareweg 4, 3821BM Amersfoort, The Netherlands
www.oxfordcomputergroup.com <blocked::blocked::http://www.oxfordcomputergroup.com/> | Expertise in Identity & Access Management
________________________________________________________________
MVP Profile à https://mvp.support.microsoft.com/profile/jorge1
MVP Home Site à https://mvp.support.microsoft.com/
MVP Overview à https://mvp.support.microsoft.com/mvpexecsum
BLOG à http://blogs.dirteam.com/blogs/jorge/default.aspx
________________________________________________________________
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Brian Desmond
Sent: Monday, April 21, 2008 17:43
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Configuring the Enterprise Admins group and Domain Admin group using Restricted Groups
It works if that's what you're asking. 
--brian
On Mon, Apr 21, 2008 at 11:39 AM, Smith, Brad <Brad.Smith@atkinsglobal.com> wrote:
Hey All,
Has anyone come across issues with using restricted groups within the
Default Domain Controllers GPO to configure membership of EA and DA?
Brad
This email and any attached files are confidential and copyright protected. If you are not the addressee, any dissemination of this communication is strictly prohibited. Unless otherwise expressly agreed in writing, nothing stated in this communication shall be legally binding.
The ultimate parent company of the Atkins Group is WS Atkins plc. Registered in England No. 1885586. Registered Office Woodcote Grove, Ashley Road, Epsom, Surrey KT18 5BW. A list of wholly owned Atkins Group companies registered in the United Kingdom can be found at http://www.atkinsglobal.com/terms_and_conditions/index.aspx
Consider the environment. Please don't print this e-mail unless you really need to.
List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ma/default.aspx
--
Thanks,
Brian Desmond
brian@briandesmond.com
c - 312.731.3132
| | | |
| Brad_Smith
Posts:17
| | 04/23/2008 7:53 AM |
| Good point....I wonder if this setting falls into the "Only change if the policy has changed" basket?
________________________________
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Jorge de Almeida Pinto
Sent: 22 April 2008 15:49
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Configuring the Enterprise Admins group and Domain Admin group using Restricted Groups
In the end it will work, but won't that cause all DCs to make the change to domain groups targeted at (almost) the same time and therefore causing unneeded repl traffic
Also see:
http://sdmsoftware.com/blog/2007/10/restricted_groups_policy.html
http://blogs.dirteam.com/blogs/gpoguy/archive/2006/08/21/Restricted-Groups-policy-and-AD-groups_2D002D00_not-a-good-idea.aspx
wouldn't it be better to have a GPO to leverage restricted groups for AD groups on the PDC FSMO ONLY for example?
Met vriendelijke groeten / Kind regards,
Ing. Jorge de Almeida Pinto
Senior Consultant
MVP Identity & Access - Directory Services
Oxford Computer Group Benelux | (: +31 (0)6 26.26.62.80 | (: +31 (0)33 454.69.50 | 7: +31 (0)33 454.66.66 | -: Hardwareweg 4, 3821BM Amersfoort, The Netherlands
www.oxfordcomputergroup.com <blocked::blocked::http://www.oxfordcomputergroup.com/> | Expertise in Identity & Access Management
________________________________________________________________
MVP Profile à https://mvp.support.microsoft.com/profile/jorge1
MVP Home Site à https://mvp.support.microsoft.com/
MVP Overview à https://mvp.support.microsoft.com/mvpexecsum
BLOG à http://blogs.dirteam.com/blogs/jorge/default.aspx
________________________________________________________________
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Brian Desmond
Sent: Monday, April 21, 2008 17:43
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Configuring the Enterprise Admins group and Domain Admin group using Restricted Groups
It works if that's what you're asking.
--brian
On Mon, Apr 21, 2008 at 11:39 AM, Smith, Brad <Brad.Smith@atkinsglobal.com> wrote:
Hey All,
Has anyone come across issues with using restricted groups within the
Default Domain Controllers GPO to configure membership of EA and DA?
Brad
This email and any attached files are confidential and copyright protected. If you are not the addressee, any dissemination of this communication is strictly prohibited. Unless otherwise expressly agreed in writing, nothing stated in this communication shall be legally binding.
The ultimate parent company of the Atkins Group is WS Atkins plc. Registered in England No. 1885586. Registered Office Woodcote Grove, Ashley Road, Epsom, Surrey KT18 5BW. A list of wholly owned Atkins Group companies registered in the United Kingdom can be found at http://www.atkinsglobal.com/terms_and_conditions/index.aspx
Consider the environment. Please don't print this e-mail unless you really need to.
List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ma/default.aspx
--
Thanks,
Brian Desmond
brian@briandesmond.com
c - 312.731.3132
This message has been scanned for viruses by MailControl <http://bluepages.wsatkins.co.uk/?6875772>
| | | |
|
|