Windows Vista

Discussion in 'Windows 7 / 8 /10 Client Exams' started by irsolangi, Feb 12, 2008.

  1. BosonMichael
    Honorary Member Highly Decorated Member Award 500 Likes Award

    BosonMichael Yottabyte Poster

    19,183
    500
    414
    Okay, consider this... you are a domain admin for XYZ Corp. You have created three OUs, one for each of your remote sites: New York, Tokyo, and London. Each site has an admin to whom you have delegated permission to administer the OU.

    Here's the question: do you want those admins to override your GPO settings? ;)
     
    Certifications: CISSP, MCSE+I, MCSE: Security, MCSE: Messaging, MCDST, MCDBA, MCTS, OCP, CCNP, CCDP, CCNA Security, CCNA Voice, CNE, SCSA, Security+, Linux+, Server+, Network+, A+
    WIP: Just about everything!
  2. GiddyG

    GiddyG Terabyte Poster Gold Member

    2,471
    42
    140
    Understood... the answer would be no.

    But if site GPO is a parent of the OU GPO in the hierarchy, if the admins make a change at site level, and set No Override, wouldn't that then stop any GPOs you set at the 'lower' OU or Domain level from negating the changes they had made further up?

    Now, if Site was a child of OU or Domain, I could see the logic. If I as a Site Admin set a GPO at site level, but the No Override rule was enforced at OU or Domain level, my GPO setting would not have any effect. I would understand how this would be a useful tool in an Admin's armoury.

    With a hierarchy of

    Local
    Site
    Domain
    OU

    this seems to turn that logic on its head... for me... :rolleyes:

    Thanks for your time... and don't worry... it will click in at some point.
     
  3. BosonMichael
    Honorary Member Highly Decorated Member Award 500 Likes Award

    BosonMichael Yottabyte Poster

    19,183
    500
    414
    Yes, it would... but those OU admins won't have the rights to set GPOs at the site level... they'd only be able to set GPOs at the OU level.

    No Override at the OU level only works for blocking child OUs from overriding GPOs applied to the parent OU.

    Site policies cannot be blocked at the Domain or OU level by No Override... they can be blocked only by Block Inheritance. (That said, a No Override trumps a Block Inheritance.)
     
    Certifications: CISSP, MCSE+I, MCSE: Security, MCSE: Messaging, MCDST, MCDBA, MCTS, OCP, CCNP, CCDP, CCNA Security, CCNA Voice, CNE, SCSA, Security+, Linux+, Server+, Network+, A+
    WIP: Just about everything!
  4. GiddyG

    GiddyG Terabyte Poster Gold Member

    2,471
    42
    140
    OK, say we had Nashville.Boson.com

    What would be the domain, OU and site in that in AD?

    If a site is a physical location, then I presume Nashville is the site, with .com being the domain, and Boson being the OU.

    If the Admins with overarching powers sit at the .com or Boson level, what happens if Josh, sitting as the Admin in Nashville modifies or creates a GPO for, say 'No Trousers' with No Override set?

    Hopefully, you will see immediately where I am going wrong...
     
  5. Bluerinse
    Honorary Member

    Bluerinse Exabyte Poster

    8,878
    181
    256
    Local > Site > Domain > OU OU OU

    Any local policies can be overwritten by policies at site or domain level.

    Any site policies can be overwritten at the domain level.

    A site is defined by a collection of nodes (computers, printers, servers etc) connected by high speed links. This would typically mean they are part of the same LAN.

    A domain is a security boundary and it is at the domain level that all account policies are set, i.e. password complexity etc.

    An OU is an Organisational Unit and its use depends on the AD design, meaning you can tailor them for your specific needs.
     
    Certifications: C&G Electronics - MCSA (W2K) MCSE (W2K)
  6. GiddyG

    GiddyG Terabyte Poster Gold Member

    2,471
    42
    140
    Thanks Bluerinse.

    That is what I assumed; however, it would also follow, would it not, that if I used No Override on a change to a Site GPO, that a subsequent different setting on the same GPO at Domain or OU level could not then modify that setting?

    Cheers

    John
     
  7. Sparky
    Highly Decorated Member Award 500 Likes Award

    Sparky Zettabyte Poster Moderator

    10,718
    543
    364

    That sounds about right mate; I believe you have to be an enterprise admin to make changes to site level GPOs or be delegated the permissions as well. 8)
     
    Certifications: MSc MCSE MCSA:M MCSA:S MCITP:EA MCTS(x5) MS-900 AZ-900 Security+ Network+ A+
    WIP: Microsoft Certs
  8. GiddyG

    GiddyG Terabyte Poster Gold Member

    2,471
    42
    140
    Great... thanks for all the help guys... much appreciated.
     
  9. BosonMichael
    Honorary Member Highly Decorated Member Award 500 Likes Award

    BosonMichael Yottabyte Poster

    19,183
    500
    414
    No. Nashville.Boson.com describes the FQDN, or the Fully Qualified Domain Name. Meaning... in short: the domain.

    .com is the TLD, or top-level domain.

    Boson is the domain name. To be proper, it's Boson.com.

    Nashville is a child domain of Boson.com. Again, to be proper, it's Nashville.Boson.com.

    If you had West.Nashville.Boson.com, West would be a child domain of Nashville.Boson.com, and Nashville.Boson.com would be a child domain of Boson.com.

    None of these relate to the "site name". Although place names can be used for domain or child domain names, those do NOT necessarily relate to actual Active Directory sites. Don't confuse them. :) Don't automatically think "location" when you see "site"... just think of "site" as a Windows term.

    Don't overthink this stuff... know what level overrides what (L-S-D-OU)... but don't try to combine these things into a neat little package that fits together. Simply know that these are different administrative levels. Certainly nobody thinks that local admins are the "top of the food chain"... nor are OU admins the "bottom of the food chain". That's just how Microsoft decided to create the GPO inheritance rules.

    Depends. Is Nashville a child domain or an OU?

    If Nashville is a child domain (Nashville.Boson.com), then any GPOs linked to OUs that are configured in AD for the Nashville.Boson.com domain will not be able to override those GPOs linked to the Boson.com domain.

    If Nashville is an OU, then any GPOs linked to child OUs of Nashville will not be able to override those GPOs linked to the Nashville OU.

    If I, as an Admin with overarching powers at the Boson.com level, didn't want Josh to be able to link GPOs to the child domain or OU level, I shouldn't give Josh admin rights to those containers.

    Josh can certainly use Block Inheritance to block my Boson.com GPOs. But if I wanted to set a domain-wide (or site-wide - again, don't think site=location... "site" is just a Windows term) policy that Josh couldn't override, I'd simply specify No Override on the GPO linked to the domain. Even if Josh tries to use the Block Inheritance setting, my No Override setting would trump his Block Inheritance setting.
     
    Certifications: CISSP, MCSE+I, MCSE: Security, MCSE: Messaging, MCDST, MCDBA, MCTS, OCP, CCNP, CCDP, CCNA Security, CCNA Voice, CNE, SCSA, Security+, Linux+, Server+, Network+, A+
    WIP: Just about everything!
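The precedence rules discussed in this thread (Local > Site > Domain > OU processing order, Block Inheritance discarding GPOs linked above a container, and No Override, which GPMC labels "Enforced", trumping Block Inheritance) can be worked through as a small simulator. This is an added example, not code from the thread or from Microsoft; the container names Boson.com, Nashville and the "No Trousers" GPO are taken from the posts above, while the setting names and values (screensaver timeout, proxy, dress code) are constructed purely for illustration.

```python
"""Simulate Group Policy precedence: Local, Site, Domain, OU (L-S-D-OU),
with Block Inheritance and No Override (shown as "Enforced" in GPMC).

Rules modelled (the ones described in the thread):
  * GPOs are applied in L-S-D-OU order; a later setting overwrites an earlier one,
    so the OU closest to the object normally wins.
  * Block Inheritance on a container discards the non-enforced GPOs linked at
    every site, domain or OU above it. The local GPO is not a "link", so it is
    never blocked (it is simply overwritten by anything applied later).
  * No Override (Enforced) GPOs ignore Block Inheritance and are applied after
    all non-enforced GPOs, highest container last, so an enforced site or domain
    GPO beats an enforced (or plain) OU GPO.
"""
from dataclasses import dataclass, field


@dataclass
class GPO:
    name: str
    settings: dict            # setting name -> value
    no_override: bool = False  # "Enforced" in GPMC


@dataclass
class Container:
    name: str
    level: str                 # "local", "site", "domain" or "ou"
    gpos: list = field(default_factory=list)  # in processing order (last applied wins)
    block_inheritance: bool = False


def effective_policy(chain):
    """chain: containers from the local GPO down to the container holding the object.
    Returns (effective settings, winning GPO name per setting)."""
    result, winner = {}, {}

    def apply(gpo):
        for key, value in gpo.settings.items():
            result[key] = value
            winner[key] = gpo.name

    # The lowest container that blocks inheritance discards non-enforced GPOs
    # linked at every (non-local) container above it.
    blocked_above = -1
    for index, container in enumerate(chain):
        if container.block_inheritance:
            blocked_above = index

    # Pass 1: non-enforced GPOs in L-S-D-OU order; later ones overwrite earlier ones.
    for index, container in enumerate(chain):
        if container.level != "local" and index < blocked_above:
            continue
        for gpo in container.gpos:
            if not gpo.no_override:
                apply(gpo)

    # Pass 2: enforced GPOs last, walking the chain upwards, so the enforced GPO
    # linked highest is applied last and therefore wins.
    for container in reversed(chain):
        for gpo in reversed(container.gpos):
            if gpo.no_override:
                apply(gpo)

    return result, winner


def thread_scenario(domain_no_override=True, ou_blocks=True):
    """The Boson.com / Nashville example from the thread (constructed settings).
    The Boson.com admin enforces a baseline at the domain; Josh, delegated the
    Nashville OU, links his own GPO there and may switch on Block Inheritance."""
    local = Container("Local", "local",
                      [GPO("Local Policy", {"screensaver_timeout": 300})])
    site = Container("Nashville-Site", "site",
                     [GPO("Site Proxy", {"proxy": "site-proxy"}, no_override=True)])
    domain = Container("Boson.com", "domain",
                       [GPO("Corp Baseline",
                            {"screensaver_timeout": 600, "proxy": "domain-proxy"},
                            no_override=domain_no_override)])
    ou = Container("Nashville OU", "ou",
                   [GPO("No Trousers",
                        {"screensaver_timeout": 0, "dress_code": "no trousers"})],
                   block_inheritance=ou_blocks)
    return effective_policy([local, site, domain, ou])


if __name__ == "__main__":
    for label, kwargs in [("domain enforced, OU blocks", {}),
                          ("domain not enforced, OU blocks", {"domain_no_override": False}),
                          ("nothing blocked, domain not enforced",
                           {"domain_no_override": False, "ou_blocks": False})]:
        settings, winners = thread_scenario(**kwargs)
        print(f"{label}:")
        for key in sorted(settings):
            print(f"  {key} = {settings[key]!r}  (from {winners[key]})")
```

Running it shows the three cases the posters argued about: with the domain GPO set to No Override, Josh's Block Inheritance does not stop the 600-second screensaver timeout from the domain, while his own dress-code setting still applies; drop the No Override and the OU's Block Inheritance wins; and the enforced site GPO's proxy setting survives in every case, which is the point behind the question about whether a domain GPO can undo a No Override set at the site.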
  10. GiddyG

    GiddyG Terabyte Poster Gold Member

    2,471
    42
    140
    :super Yessss!!!! Perfect... and understood!

    I had been going mad trying to knock the proverbial 'square peg into a round hole', linking FQDN to L-S-D-OU. Sheez!

    It depends on how you set it up and configure it...

    Thanks Michael. :D:D:D
     
  11. BosonMichael
    Honorary Member Highly Decorated Member Award 500 Likes Award

    BosonMichael Yottabyte Poster

    19,183
    500
    414
    So I guess now is a good time to tell you that this is likely above-and-beyond the scope of the exam? :twisted:

    As I run away, allow me to praise you regarding how much of a headstart you have on the server exams!!! :biggrin

    Don't be too hard on me, mate... it's difficult to introduce what the heck a GPO is for (which IS important) without explaining how everything fits together in the "grand scheme". :)
     
    Certifications: CISSP, MCSE+I, MCSE: Security, MCSE: Messaging, MCDST, MCDBA, MCTS, OCP, CCNP, CCDP, CCNA Security, CCNA Voice, CNE, SCSA, Security+, Linux+, Server+, Network+, A+
    WIP: Just about everything!
  12. GiddyG

    GiddyG Terabyte Poster Gold Member

    2,471
    42
    140
    Hard on you??? :dry Above and beyond the scope...!?!? :ohmy

    Anyway, you won't be able to run too fast, coz your heavy laptop will be weighing you down... :twisted:

    Seriously though... I thoroughly 'enjoyed' trying to get to grips with it. And I did need to begin to understand it, especially if and when I do the server stuff later on. :biggrin

    I knew I was looking at it the wrong way... logically... when really the answer is that it is whatever you decide to set it up as. To see that in action, I would need to have my own set-up, with AD and WinServer 2k3 or similar, I suppose.

    On a side note, I am almost at the end of chapter 10 in the book... the chapter on IE7 was great, and I learnt a few bits I didn't know before. The ability to open two pages when opening IE is cool.

    And... I have booked my exam for the week after next. It's in Leicester (nearest I could get). :)
     
  13. BosonMichael
    Honorary Member Highly Decorated Member Award 500 Likes Award

    BosonMichael Yottabyte Poster

    19,183
    500
    414
    But... I'm a MAN. :twisted:

    Besides, I'm also a distance runner. 8)

    dingdingding! You've got it! It really helps to see everything in action.

    I'll tell Josh that you appreciated his IE chapter. :) Chapter 10 was mine.

    Good luck! Going to attack the ExSim after you tackle the monstrous Chapter 11?
     
    Certifications: CISSP, MCSE+I, MCSE: Security, MCSE: Messaging, MCDST, MCDBA, MCTS, OCP, CCNP, CCDP, CCNA Security, CCNA Voice, CNE, SCSA, Security+, Linux+, Server+, Network+, A+
    WIP: Just about everything!
  14. GiddyG

    GiddyG Terabyte Poster Gold Member

    2,471
    42
    140
    Ahem... suggest you look above... 8)



    S'ok... I'll just pay Josh to 'crock' you... :twisted:


    Cheers.

    Just done 10. I have seen the Sidebar in action, and it looks like I would give it a fair bit of use. Not sure about Meeting Space, but then I never much used Net Meeting.

    CardSpace? Now, what are MS trying to do there? That is one of those things that might take off, but I just don't see the point... at the moment.


    Thanks mate! (I'll need it)

    Yes, I am definitely getting into the groove... 'in the zone' (and I don't mean DNS!) as my 22 year old would say.

    Chapter 11 should take me tonight and tomorrow night, I will run through the end of chapter tests again and then 'ace' the ExSim over the weekend. :biggrin
     
  15. BosonMichael
    Honorary Member Highly Decorated Member Award 500 Likes Award

    BosonMichael Yottabyte Poster

    19,183
    500
    414
    Yeah, yeah... paybacks are hell. 8)
     
    Certifications: CISSP, MCSE+I, MCSE: Security, MCSE: Messaging, MCDST, MCDBA, MCTS, OCP, CCNP, CCDP, CCNA Security, CCNA Voice, CNE, SCSA, Security+, Linux+, Server+, Network+, A+
    WIP: Just about everything!
  16. GiddyG

    GiddyG Terabyte Poster Gold Member

    2,471
    42
    140
    If I wasn't so knackered, I'd think of a way of paying you back... :dry
     
  17. BosonMichael
    Honorary Member Highly Decorated Member Award 500 Likes Award

    BosonMichael Yottabyte Poster

    19,183
    500
    414
    Not that there's anything wrong with that... :biggrin

    This reminds me of FlameFestFridays on SecurelySpeaking... back when I worked at Transcender, one of the participants loved to refer to me (TranscenderMichael) and Josh (Jaynonymous) as TransgenderMichael and Gaynonymous. Ouch!!!
     
    Certifications: CISSP, MCSE+I, MCSE: Security, MCSE: Messaging, MCDST, MCDBA, MCTS, OCP, CCNP, CCDP, CCNA Security, CCNA Voice, CNE, SCSA, Security+, Linux+, Server+, Network+, A+
    WIP: Just about everything!
  18. GiddyG

    GiddyG Terabyte Poster Gold Member

    2,471
    42
    140
    OMG! That must have really hurt... but let's keep it between the two of us... wouldn't want Mitz, Trip... or anyone else to start name changing... :ohmy

    Started Ch11 by the way... I hate PerfMon!!!! :x It should have been in Ch2, or certainly earlier in the book. I don't know what it is, but it just isn't sexy...
     
  19. BosonMichael
    Honorary Member Highly Decorated Member Award 500 Likes Award

    BosonMichael Yottabyte Poster

    19,183
    500
    414
    Unfortunately, both of them have likely seen us called those names before. :)

    PerfMon isn't sexy. And you wonder why that chapter is so long! :D
     
    Certifications: CISSP, MCSE+I, MCSE: Security, MCSE: Messaging, MCDST, MCDBA, MCTS, OCP, CCNP, CCDP, CCNA Security, CCNA Voice, CNE, SCSA, Security+, Linux+, Server+, Network+, A+
    WIP: Just about everything!
  20. GiddyG

    GiddyG Terabyte Poster Gold Member

    2,471
    42
    140
    Sheez! I am dying here... that said, the Tools tab in SysConfig is a neat addition. And Event Viewer looks tasty... :) Oh, and the Reliability Monitor looks quite good too...

    Going to call it a night... not sure I can wade through Remote Desktop and Remote Assistance at this time of night... :rolleyes:

    If I have to remember every which way of accessing certain apps, I am doomed...
     
