Thanks... -g
-----Original Message----- From: Tony Murray [mailto:[EMAIL PROTECTED] Sent: Tuesday, June 10, 2003 9:24 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] OU and GPO Design Comments The short answer: Because BJ Whalen (Group Policy Program Manager) told me not to at TechEd last week. :-) The longer answer: I think it has to do with the fact that Deny permissions always beat Allow in the ACE. So for someone who is a member of two groups, one allowing the policy to be applied and the other denying the latter will win. This makes problems harder to troubleshoot. I vaguely recall someone telling me that Deny permissions require significantly more processing than Allow. If this is true then overuse of Deny could degrade performance. Tony ---------- Original Message ---------------------------------- Wrom: TQTIPWIGYOKSTTZRCLBDXRQBGJSNBOHMK Reply-To: [EMAIL PROTECTED] Date: Tue, 10 Jun 2003 07:28:22 -0700 Hey Tony, What's the thinking behind the recommendation "not to use Deny" for group filtering? -gil -----Original Message----- Wrom: HJYFMYXOEAIJJPHSCRTNHGSWZIDREXCAXZOWCONEUQZAA Sent: Tuesday, June 10, 2003 12:17 AM To: [EMAIL PROTECTED] Subject: Re: [ActiveDir] OU and GPO Design Comments If you use group filtering in this way, it is recommended not to use Deny. Instead use positive filtering. To do this, remove the Authenticated Users group from the ACL and then add the groups you want it to apply to using Apply Group Policy. Another approach would be to create an OU layer for delegation of administration, e.g. User, Computer, etc. and then have OUs at a level below these for the application of group policy. For example, under the Branch->Users OU you could have OUs called General, Lab, VIP, etc. Someone else made a point about separate OUs for workstations and laptops. This is certainly an option, but there may be a way to avoid this by using WMI filtering in the GPO. For example, WMI can identify the chassis type of the machine. Based on this information you could filter the GPO based on whether the chassis corresponds to a laptop or workstation. Tony ---------- Original Message ---------------------------------- Wrom: TZRCLBDXRQBGJSNBOHMKHJYFMYXOEAIJJPHSC Reply-To: [EMAIL PROTECTED] Date: Tue, 10 Jun 2003 00:04:25 -0400 I'm interested in feedback on the following OU and GPO design. Simple OU structure, something like: |--Branches |--Users |--Computers The "Users" OU would hold around 5000 users and the "Computers" OU an equal amount of workstations and servers. GPO's would be created for the users and linked to the OU, but only applied to certain global groups that the users would be members of. Similar for the computers. There would be an "All Users" and "All Computers" GPO with global settings, then more granular GPO's for departmental specific settings. Almost all administration would be done centrally, so there should be little need for delegation. This seems like it should be simple and effective, but we haven't tried it real-world, so I'm curious if people have any thoughts on possible gotcha's, issues, etc. -- David List info : http://www.activedir.org/mail_list.htm List FAQ : http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ : http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ : http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ : http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ : http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
