How does this one relate specifically to restricted groups? This applies to
a whole slew of items; the worst offender, IMO, being a hub-and-spoke topology
with file system permissions being pushed down to SYSVOL or a DFS link\root
which is replicated.

-steve




----- Original Message ----- 
From: "joe" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Monday, June 21, 2004 2:55 PM
Subject: RE: [ActiveDir] Security


> Guido's #1 can be a nightmare. Say you have a single DC that isn't playing
> well with the FRS replication topology and you go to change the restricted
> group: you will get this great battle going on in AD as the change is made by
> GPO on one machine, it will replicate through the environment, the GPO on
> another machine won't agree and will change it to something else, and that
> will replicate through the environment.
>
> Actually I think MS is rather kooky for setting anything in GPO that changes
> something that replicates in normal AD replication. Do it so that it is
> replicated one way or the other. This goes for restricted AD groups as well
> as lockout policies and things like that.
>
> Can't say I see how #2 could impact and don't see how restricted groups
> could impact #3.
>
>
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier,
Guido
> Sent: Friday, June 11, 2004 5:12 PM
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] Security
>
> sure:
> 1.  replication of changes and applying the GPO will cause undesirable
> results at times.
> 2.  the AdminSDHolder process of the domain controls the sensitive groups
> in AD (e.g. Domain & Enterprise & Schema Admins, Account Operators, Server
> Operators etc.) and periodically checks permissions on these groups and that
> those accounts that need to be in this group have not been removed etc.
> (could also be impacted negatively by the GPO)
> 3.  there are a couple of hidden group memberships in AD that you don't know
> about and thus not adding them via restricted groups could cause replication
> problems: e.g. each DC is a member of the local domain administrators group
> using the NT Authority\Enterprise Domain Controllers group - but you don't
> see this group as a member in the group. If this member is missing, DCs can't
> replicate successfully.  I don't have a complete list of hidden memberships
> (this one could or could not be all), so that I wouldn't risk breaking things
> in AD using this GPO on domain groups (mainly the administrative groups).
>
> \Guido
>
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Passo, Larry
> Sent: Freitag, 11. Juni 2004 05:37
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] Security
>
> I'm curious, do you have any more details?
>
> -----Original Message-----
> From: Grillenmeier, Guido [mailto:[EMAIL PROTECTED]
> Sent: Thursday, June 10, 2004 2:47 PM
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] Security
>
>
> don't use the Restricted Groups feature on domain groups, especially domain
> admins. This has caused various issues for companies and thus they've backed
> away from this approach.  However, using restricted groups on member servers
> and clients works well.
>
> \Guido
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Passo, Larry
> Sent: Donnerstag, 10. Juni 2004 19:38
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] Security
>
> If you want to make sure that no one is added to the group you could make
> the group a Restricted Group via a GPO.
>
> If you want to know when a user is added to the group, you could use a GPO
> to turn on auditing of "Account Management" but then you would have to
> search the audit logs of all of the DCs in the domain to find the activity.
>
> Or you could write a script that looked at the group membership and compared
> it with a pre-determined list. Then execute the script on a schedule of your
> choice.
>
> -----Original Message-----
> From: Aaron Visser [mailto:[EMAIL PROTECTED]
> Sent: Thursday, June 10, 2004 9:51 AM
> To: [EMAIL PROTECTED]
> Subject: [ActiveDir] Security
>
> I need to know when the Domain Admin Group has a user added to it or at
> least have that operation audited, is there anyway to perform this with GPO
> or something built into win2k server.
>
> Thanks,
> Aaron Visser
>
> List info   : http://www.activedir.org/mail_list.htm
> List FAQ    : http://www.activedir.org/list_faq.htm
> List archive:
> http://www.mail-archive.com/activedir%40mail.activedir.org/

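Added example, not code from anyone in the thread: the "compare the membership against a pre-determined list, run it on a schedule" approach Larry suggested, which only reads AD and so avoids the Restricted Groups replication fight Guido and joe describe, plus the "search the audit logs of all of the DCs" step, since the 'member added' event is written only on the DC that processed the change. It assumes the RSAT ActiveDirectory module, rights to read every DC's Security log, an assumed baseline file path, and the current (Vista and later) event IDs 4728/4732/4756 rather than the Windows 2000-era ones the original question would have used.

```powershell
# Added example (not from the thread): compare a privileged group against an
# approved baseline and pull "member added" events from every DC.
# Assumptions: RSAT ActiveDirectory module installed; the account running this
# can read each DC's Security log; $GroupName and $BaselinePath are placeholders.
#Requires -Modules ActiveDirectory
param(
    [string]$GroupName     = 'Domain Admins',                  # assumed target group
    [string]$BaselinePath  = 'C:\Audit\DomainAdmins.baseline', # assumed: one SamAccountName per line
    [int]   $LookbackHours = 24
)

Import-Module ActiveDirectory

# 1. Current membership, expanded through nested groups so a user who was
#    added indirectly via a nested group is not missed.
$current = @(Get-ADGroupMember -Identity $GroupName -Recursive |
             Select-Object -ExpandProperty SamAccountName |
             Sort-Object -Unique)

if (-not (Test-Path $BaselinePath)) {
    # First run: record what is there today and stop. Review the file by hand
    # before trusting it as the approved list.
    $current | Set-Content -Path $BaselinePath
    Write-Warning "Baseline written to $BaselinePath; review it before the next run."
    return
}
$baseline = @(Get-Content $BaselinePath | Where-Object { $_ -ne '' } | Sort-Object -Unique)

# 2. Drift report: members in AD that are not approved, and approved members
#    that have vanished (the latter matters for break-glass accounts).
foreach ($d in (Compare-Object -ReferenceObject $baseline -DifferenceObject $current)) {
    switch ($d.SideIndicator) {
        '=>' { Write-Output "ADDED   (not in baseline): $($d.InputObject)" }
        '<=' { Write-Output "MISSING (in baseline):     $($d.InputObject)" }
    }
}

# 3. Who made the change: query every DC, because the event lands only on the
#    DC that took the write. 4728 = global group, 4732 = domain-local group,
#    4756 = universal group ("member added").
$since = (Get-Date).AddHours(-$LookbackHours)
$dcs   = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName

foreach ($dc in $dcs) {
    try {
        $events = Get-WinEvent -ComputerName $dc -ErrorAction Stop -FilterHashtable @{
            LogName   = 'Security'
            Id        = 4728, 4732, 4756
            StartTime = $since
        }
    } catch {
        # Get-WinEvent throws when nothing matches; unreachable DCs end up here too,
        # and an unreachable DC is itself worth noticing in an audit run.
        Write-Warning "$dc : $($_.Exception.Message)"
        continue
    }
    foreach ($e in $events) {
        # Pull the named EventData fields out of the event XML.
        $x    = [xml]$e.ToXml()
        $data = @{}
        foreach ($n in $x.Event.EventData.Data) { $data[$n.Name] = $n.'#text' }
        if ($data['TargetUserName'] -eq $GroupName) {
            [pscustomobject]@{
                Time   = $e.TimeCreated
                DC     = $dc
                Actor  = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
                Member = $data['MemberName']   # DN of the account that was added
            }
        }
    }
}
```

Run it from a scheduled task under an account that is not itself in the group being watched, and keep the baseline file somewhere the people who can edit the group cannot also edit. Two known limits: Get-ADGroupMember -Recursive stops on very large groups and does not expand foreign security principals from trusted domains, and step 3 only sees changes if "Audit Account Management" (or the Security Group Management subcategory) is actually enabled on the DCs, as the thread notes.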