Guido's #1 can be a nightmare. Say you have a single DC that isn't playing well with the FRS replication topology and you go to change the restricted group. You will get this great battle going on in AD: as the change is made by GPO on one machine, it will replicate through the environment; the GPO on another machine won't agree and will change it to something else, and that will replicate through the environment.

Actually I think MS is rather kooky for setting anything in GPO that changes something that replicates in normal AD replication. Do it so that it is replicated one way or the other. This goes for restricted AD groups as well as lockout policies and things like that. Can't say I see how #2 could impact, and don't see how restricted groups could impact #3.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, Guido
Sent: Friday, June 11, 2004 5:12 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Security

sure:

1. replication of changes and applying the GPO will cause undesirable results at times.

2. the AdminSDHolder process of the domain controls the sensitive groups in AD (e.g. Domain & Enterprise & Schema Admin, Account Operators, Server Operators etc.) and periodically checks permissions on these groups and that those accounts that need to be in these groups have not been removed etc. (could also be impacted negatively by the GPO)

3. there are a couple of hidden group memberships in AD that you don't know about, and thus not adding them via restricted groups could cause replication problems: e.g. each DC is a member of the local domain Administrators group using the NT Authority\Enterprise Domain Controllers group - but you don't see this group as a member in the group. If this member is missing, DCs can't replicate successfully. I don't have a complete list of hidden memberships (this one could or could not be all), so I wouldn't risk breaking things in AD using this GPO on domain groups (mainly the administrative groups).

\Guido

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Passo, Larry
Sent: Friday, 11 June 2004 05:37
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Security

I'm curious, do you have any more details?
-----Original Message-----
From: Grillenmeier, Guido [mailto:[EMAIL PROTECTED]
Sent: Thursday, June 10, 2004 2:47 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Security

don't use the Restricted Groups feature on domain groups, especially Domain Admins. This has caused various issues for companies, and thus they've backed away from this approach. However, using restricted groups on member servers and clients works well.

\Guido

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Passo, Larry
Sent: Thursday, 10 June 2004 19:38
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Security

If you want to make sure that no one is added to the group, you could make the group a Restricted Group via a GPO. If you want to know when a user is added to the group, you could use a GPO to turn on auditing of "Account Management", but then you would have to search the audit logs of all of the DCs in the domain to find the activity. Or you could write a script that looked at the group membership and compared it with a pre-determined list, then execute the script on a schedule of your choice.

-----Original Message-----
From: Aaron Visser [mailto:[EMAIL PROTECTED]
Sent: Thursday, June 10, 2004 9:51 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Security

I need to know when the Domain Admin Group has a user added to it, or at least have that operation audited. Is there any way to perform this with GPO or something built into Win2k Server?
Thanks,
Aaron Visser

List info : http://www.activedir.org/mail_list.htm
List FAQ : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
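Larry's third option above (a scheduled script that reads the group's membership and compares it with a pre-determined list) as a worked example. This is added here and is not code from anyone in the thread; it is written in PowerShell with the ActiveDirectory module (RSAT), which did not exist in the Win2k era the thread discusses. The group name, baseline file path, event source and event ID are my own choices, not values from the thread.

```powershell
# Added example, not from the thread: compare the current membership of a
# sensitive AD group against a saved, approved baseline and report any drift.
# Assumes: ActiveDirectory module available, the account running the task can
# read group membership, and Windows PowerShell 5.1 (Write-EventLog is not in
# PowerShell 7). Group name, paths and event IDs are arbitrary choices for the example.
param(
    [string]$GroupName    = 'Domain Admins',
    [string]$BaselinePath = 'C:\Audit\DomainAdmins-baseline.txt',
    [switch]$UpdateBaseline
)

Import-Module ActiveDirectory -ErrorAction Stop

# -Recursive expands nested groups, so a user added via an intermediate group
# still shows up. Sort by DN so the comparison does not depend on return order.
[string[]]$current = @(
    Get-ADGroupMember -Identity $GroupName -Recursive |
        Select-Object -ExpandProperty distinguishedName |
        Sort-Object -Unique
)

if ($UpdateBaseline -or -not (Test-Path $BaselinePath)) {
    # First run, or a deliberate re-baseline after an approved change:
    # record the approved membership and stop.
    $current | Set-Content -Path $BaselinePath -Encoding UTF8
    Write-Output "Baseline written to $BaselinePath ($($current.Count) members)."
    return
}

[string[]]$baseline = @(
    Get-Content -Path $BaselinePath | Where-Object { $_ } | Sort-Object -Unique
)

# Compare-Object returns only the entries present on one side:
#   '=>' = in current but not in baseline (added), '<=' = in baseline only (removed).
$diff = Compare-Object -ReferenceObject $baseline -DifferenceObject $current

if (-not $diff) {
    Write-Output "$GroupName membership matches baseline ($($current.Count) members)."
    return
}

$added   = @($diff | Where-Object SideIndicator -eq '=>' | Select-Object -ExpandProperty InputObject)
$removed = @($diff | Where-Object SideIndicator -eq '<=' | Select-Object -ExpandProperty InputObject)

$msg = "Membership drift in '$GroupName':`n"
if ($added)   { $msg += "  Added:   " + ($added   -join ', ') + "`n" }
if ($removed) { $msg += "  Removed: " + ($removed -join ', ') + "`n" }

# Surface the finding where a log collector will pick it up. The event source
# must be registered once beforehand (run as administrator):
#   New-EventLog -LogName Application -Source 'GroupDriftCheck'
Write-EventLog -LogName Application -Source 'GroupDriftCheck' `
    -EntryType Warning -EventId 9001 -Message $msg
Write-Warning $msg
exit 1
```

Run it once with -UpdateBaseline to capture the approved list, then schedule it (for example every 15 minutes via Task Scheduler) and alert on event ID 9001 in the Application log. Because it queries the directory rather than parsing audit logs, it does not matter which DC processed the change, which addresses Larry's concern about having to search every DC's security log; the trade-off is that it reports the change, not who made it, so it complements rather than replaces Account Management auditing.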