
Network World

Glenn Weadock

Group Policy and OU Membership

The perils of drag-and-drop in AD

By Glenn Weadock on Tue, 07/21/09 - 5:25pm.

One of the interesting things about Group Policy in Active Directory is that the more Group Policy settings you employ in your organization, the greater the potential impact of moving a user or computer from one Organizational Unit (OU) to another.

For example, you could have Group Policy settings that define what applications a user sees; what programs are forbidden from running, via Software Restriction Policies; what control panels the user can access; what devices may be installed and/or used; etc. ad infinitum. It takes about two seconds to drag-and-drop a user or computer account from one OU to another in the ADUC console (Active Directory Users and Computers), but the effects of doing that can be huge!

As a result, I find that as organizations mature and take greater advantage of Group Policy, they should simultaneously refine their procedures for moving accounts between OUs, to ensure that a two-second act by a domain admin doesn't create a two-day headache for a user whose world has just been rocked by the change. A checklist for domain admins would not be a half-bad idea.
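One item such a checklist could include is a before-and-after comparison of the GPO links an account inherits. The PowerShell below is an added example, not code from the original post; the function names, OU names, GPO names and GUIDs are hypothetical, and the sample data is constructed to mirror the `InheritedGpoLinks` property returned by `Get-GPInheritance`.

```powershell
# Added example: report which GPO links an account loses or gains on an OU move.
function Compare-OuGpoLinks {
    param(
        [Parameter(Mandatory)] [AllowEmptyCollection()] [object[]] $SourceLinks,
        [Parameter(Mandatory)] [AllowEmptyCollection()] [object[]] $TargetLinks
    )
    # A disabled link applies nothing, so only enabled links count on either side.
    $src = @($SourceLinks | Where-Object { $_.Enabled })
    $dst = @($TargetLinks | Where-Object { $_.Enabled })
    $srcIds = @($src | ForEach-Object { $_.GpoId })
    $dstIds = @($dst | ForEach-Object { $_.GpoId })

    foreach ($link in $src) {
        if ($link.GpoId -notin $dstIds) {   # restriction or setting that stops applying
            [pscustomobject]@{ Change = 'Lost'; Gpo = $link.DisplayName; Enforced = $link.Enforced }
        }
    }
    foreach ($link in $dst) {
        if ($link.GpoId -notin $srcIds) {   # setting that starts applying after the move
            [pscustomobject]@{ Change = 'Gained'; Gpo = $link.DisplayName; Enforced = $link.Enforced }
        }
    }
}

# Constructed sample data (all names and GUIDs are made up). In a domain, pass
# (Get-GPInheritance -Target <OU distinguished name>).InheritedGpoLinks for the
# current OU and the destination OU instead.
function New-SampleLink($Id, $Name, $Enabled = $true, $Enforced = $false) {
    [pscustomobject]@{ GpoId = [guid]$Id; DisplayName = $Name; Enabled = $Enabled; Enforced = $Enforced }
}
$salesOu = @(
    New-SampleLink '00000000-0000-0000-0000-000000000001' 'Default Domain Policy'
    New-SampleLink '00000000-0000-0000-0000-000000000002' 'Sales Software Restriction'
    New-SampleLink '00000000-0000-0000-0000-000000000003' 'Sales Control Panel Lockdown'
    New-SampleLink '00000000-0000-0000-0000-000000000005' 'Legacy Drive Maps' $false
)
$engineeringOu = @(
    New-SampleLink '00000000-0000-0000-0000-000000000001' 'Default Domain Policy'
    New-SampleLink '00000000-0000-0000-0000-000000000004' 'Engineering Device Installation' $true $true
)

# Review this table before dragging the account: a "Lost" Software Restriction
# Policy means the user leaves that policy's scope as soon as the move applies.
Compare-OuGpoLinks -SourceLinks $salesOu -TargetLinks $engineeringOu | Format-Table -AutoSize
```

A link diff is a first pass only: security filtering and WMI filters on a GPO can still change what actually applies to a given account.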

About Glenn Weadock on Windows Server 2008

Glenn Weadock is a longtime instructor for Global Knowledge and teaches Windows 7, Server 2008, and Active Directory. He has recently co-developed with Mark Wilkins two advanced Server 2008 classes in the Microsoft Official Curriculum. Glenn also consults through his Colorado-based company Independent Software, Inc. and is technical director of MarketCoach Investment Education Software LLC.
