Hi Joe,
Yep, I realize it is a strange request but we needed to test some issues with the
W2K3 setting "Microsoft Network Server - Digitally sign communications always" and a
consultant doing some work with outside-application AD authentication using LDAP. He
is able to bind to a particular DC where we were toggling the setting. We were
looking for that "fine control" and wanted to restrict our changes to a particular DC.
Mike Thommes
-----Original Message-----
From: joe [mailto:[EMAIL PROTECTED]
Sent: Sat 3/27/2004 8:46 PM
To: [EMAIL PROTECTED]
Cc:
Subject: RE: [ActiveDir] Linking other GPO objects to Domain Controllers
Hey Michael, looks like you got an answer from Darren (though I dislike
processing GPOs based on group memberships). However, would it be ok to ask
WHY you would want to do this? Setting up DCs as one offs is usually a great
way to court a troubleshooting problem that is a pain in the butt to resolve
later.
joe
-------------
http://www.joeware.net (download joeware)
http://www.cafeshops.com/joewarenet (wear joeware)
-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Thommes, Michael M.
Sent: Wednesday, March 24, 2004 2:33 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Linking other GPO objects to Domain Controllers
Related question:
Because of some testing we are doing in a production environment (yes, I
know - ahem, ah try a test environment; can't in this situation), we would
like to override the policy "Microsoft Network Server - digitally sign
communications (always)" that is set in the Default Domain Controllers
policy by using the local Domain Controller policy on a particular DC. But
it appears not to be "overrideable". Is this the expected behavior? If so,
how could we accomplish this? TIA!
Mike Thommes
-----Original Message-----
From: Darren Mar-Elia [mailto:[EMAIL PROTECTED]
Sent: Wednesday, March 24, 2004 12:14 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Linking other GPO objects to Domain Controllers
Agreed. Not much downside to this as long as you're not putting policies on
these other GPOs that conflict with any set in the DDC policy. Even in that
case, you just have to manage the conflicts.
-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rutherford, Robert
Sent: Wednesday, March 24, 2004 9:14 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Linking other GPO objects to Domain Controllers
It's common practice to add other GPO links to the DC OU.
-----Original Message-----
From: Devan Pala [mailto:[EMAIL PROTECTED]
Sent: 24 March 2004 15:44
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Linking other GPO objects to Domain Controllers
Hi all,
Question:
Has anyone experienced issues or know of any 'gotchas' with linking other
GPO objects to the Domain Controllers OU in addition to the Default Domain
Controllers Policy.
Rationale:
I would like to have a GPO ready that essentially has Windows Update enabled
for deploying approved updates from a central SUS server. When an update is
available, tested and if required, the GPO is linked to the Domain
Controllers OU and available for install depending on each DC's detection
cycle and configured parameters.
Why not modify the Default Domain Controllers Policy?
At least this way, I will have complete control of when updates are pushed
and importantly, if I would like to retract the updates unlinking this
'other' GPO is easier and I believe safer than changing configuration
settings on the Default Domain Controllers Policy.
Another nice feature would be that the by unlinking this policy the update
would also be removed from the Windows Update folder on each client (the
DC).
Your thoughts, suggestions and comments are as always, appreciated.
Thanks,
Devan.
_________________________________________________________________
Find a broadband plan that fits. Great local deals on high-speed Internet
access.
https://broadband.msn.com/?pgmarket=en-us/go/onm00200360ave/direct/01/
List info : http://www.activedir.org/mail_list.htm
List FAQ : http://www.activedir.org/list_faq.htm
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/
The information transmitted is intended only for the person or entity to
which it is addressed and may contain confidential and/or privileged
material. Any use (including retransmission or copying) of this information
by persons or entities other than the intended recipient is prohibited. If
you are not the intended recipient of this transmission, please contact the
sender and delete the material from any computer. The sender is not
responsible for the completeness or accuracy of this communication as it has
been transmitted over a public network. Any replies to this email may be
monitored by the MCPS-PRS Alliance for quality control and other purposes.
List info : http://www.activedir.org/mail_list.htm
List FAQ : http://www.activedir.org/list_faq.htm
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/
List info : http://www.activedir.org/mail_list.htm
List FAQ : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
List info : http://www.activedir.org/mail_list.htm
List FAQ : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
List info : http://www.activedir.org/mail_list.htm
List FAQ : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
List info : http://www.activedir.org/mail_list.htm
List FAQ : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
