sure:
1.  replication of changes and applying the GPO will cause undesirable
results at times.
2.  the AdminSDHolder process of the domain controls the sensitive
groups in AD (e.g. Domain & Enterprise & Schema Admins, Account
Operators, Server Operators etc.) and periodically checks permissions on
these groups and that those accounts that need to be in these groups have
not been removed etc. (could also be impacted negatively by the GPO)
3.  there are a couple of hidden group memberships in AD that you don't
know about and thus not adding them via restricted groups could cause
replication problems: e.g. each DC is a member of the local domain
administrators group using the NT Authority\Enterprise Domain
Controllers group - but you don't see this group as a member in the
group. If this member is missing, DCs can't replicate successfully.  I
don't have a complete list of hidden memberships (this one could or
could not be all), so that I wouldn't risk breaking things in AD using
this GPO on domain groups (mainly the administrative groups).

\Guido
-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Passo, Larry
Sent: Freitag, 11. Juni 2004 05:37
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Security

I'm curious, do you have any more details?

-----Original Message-----
From: Grillenmeier, Guido [mailto:[EMAIL PROTECTED]
Sent: Thursday, June 10, 2004 2:47 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Security


don't use the Restricted Groups feature on domain groups, especially
domain admins. This has caused various issues for companies and thus
they've backed away from this approach.  However, using restricted
groups on member servers and clients works well. 

\Guido

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Passo, Larry
Sent: Donnerstag, 10. Juni 2004 19:38
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Security

If you want to make sure that no one is added to the group you could
make the group a Restricted Group via a GPO.

If you want to know when a user is added to the group, you could use a
GPO to turn on auditing of "Account Management" but then you would have
to search the audit logs of all of the DCs in the domain to find the
activity.

Or you could write a script that looked at the group membership and
compared it with a pre-determined list. Then execute the script on a
schedule of your choice.
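
As an added example (not part of the original thread, and not Larry's or
Guido's code): a read-only PowerShell script that does the last two things
described above, i.e. compares the current Domain Admins membership against
a saved baseline and then pulls "member added to a global group" events from
the Security log of every DC, so you don't have to search each DC by hand.
Because it only reads the group, it doesn't carry the Restricted Groups
risks discussed in the thread. Assumptions: it runs as a user allowed to
read AD and the DCs' Security logs, the group name, baseline path and
lookback window are placeholders, and event ID 4728 applies to Windows
Server 2008 and later (Windows 2000/2003 logged the same thing as 632).

```powershell
# Added example: baseline-compare Domain Admins and collect member-added events.
# Read-only; it never modifies the group. Names and paths below are placeholders.
param(
    [string]$GroupName    = 'Domain Admins',                        # assumed target group
    [string]$BaselinePath = 'C:\Audit\domain-admins-baseline.txt',  # assumed baseline file
    [int]$LookbackHours   = 24                                      # assumed audit window
)

# Direct members of the group (DNs), read through ADSI so no RSAT module is needed.
# Nested groups appear as members but are not expanded here.
function Get-GroupMemberDNs([string]$Name) {
    $root   = [ADSI]'LDAP://RootDSE'
    $domain = [ADSI]('LDAP://' + $root.defaultNamingContext)
    $search = New-Object System.DirectoryServices.DirectorySearcher($domain)
    $search.Filter = "(&(objectClass=group)(sAMAccountName=$Name))"
    $null = $search.PropertiesToLoad.Add('member')
    $result = $search.FindOne()
    if (-not $result) { throw "Group '$Name' not found in $($root.defaultNamingContext)" }
    return @($result.Properties['member']) | Sort-Object
}

# Compare current membership with the baseline; create the baseline on first run.
# Returns one object per difference (Change = ADDED / REMOVED, Member = DN).
function Compare-GroupBaseline([string[]]$Current, [string]$Path) {
    if (-not (Test-Path $Path)) {
        $Current | Set-Content -Path $Path
        Write-Output "Baseline created with $($Current.Count) members at $Path"
        return @()
    }
    $baseline = @(Get-Content $Path | Where-Object { $_ -ne '' })
    Compare-Object -ReferenceObject $baseline -DifferenceObject $Current |
        ForEach-Object {
            [pscustomobject]@{
                Change = if ($_.SideIndicator -eq '=>') { 'ADDED' } else { 'REMOVED' }
                Member = $_.InputObject
            }
        }
}

# "A member was added to a security-enabled global group" (4728) from every DC's
# Security log, filtered to the group we care about. Domain Admins is a global group.
function Get-GroupMemberAddedEvents([string]$Name, [datetime]$Since) {
    $dcs = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain().DomainControllers |
           ForEach-Object { $_.Name }
    foreach ($dc in $dcs) {
        try {
            Get-WinEvent -ComputerName $dc -ErrorAction Stop `
                -FilterHashtable @{ LogName = 'Security'; Id = 4728; StartTime = $Since } |
              Where-Object { $_.Message -match [regex]::Escape($Name) } |
              ForEach-Object {
                  [pscustomobject]@{
                      DC      = $dc
                      Time    = $_.TimeCreated
                      Summary = ($_.Message -split "`n")[0].Trim()
                  }
              }
        } catch {
            # Get-WinEvent throws when no matching events exist; report other errors.
            if ($_.Exception.Message -notmatch 'No events were found') {
                Write-Warning "Could not read the Security log on ${dc}: $($_.Exception.Message)"
            }
        }
    }
}

$current = Get-GroupMemberDNs -Name $GroupName
$changes = @(Compare-GroupBaseline -Current $current -Path $BaselinePath)
foreach ($c in $changes) { Write-Warning "$GroupName $($c.Change): $($c.Member)" }
if ($changes.Count -eq 0) { Write-Output "$GroupName matches baseline ($($current.Count) members)" }

Get-GroupMemberAddedEvents -Name $GroupName -Since (Get-Date).AddHours(-$LookbackHours) |
    Format-Table -AutoSize
```

Run it from a scheduled task as often as you like; after a reviewed,
intentional change, delete the baseline file so the next run re-creates it.
The event search is the "search the audit logs of all of the DCs" step: it
only finds something if "Audit account management" success auditing is
enabled on the Domain Controllers OU.
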

-----Original Message-----
From: Aaron Visser [mailto:[EMAIL PROTECTED] 
Sent: Thursday, June 10, 2004 9:51 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Security

I need to know when the Domain Admins group has a user added to it, or at
least have that operation audited. Is there any way to perform this with
GPO or something built into Win2k Server?

Thanks,
Aaron Visser

List info   : http://www.activedir.org/mail_list.htm
List FAQ    : http://www.activedir.org/list_faq.htm
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/
