Glenn Weadock on Windows Server 2008

by Glenn Weadock

Previous Article Next Article

Group Policy and OU Membership

The perils of drag-and-drop in AD

By Glenn Weadock on Tue, 07/21/09 - 5:25pm.

Share
Tweet This
Email this page
Comment (1)
Print

One of the interesting things about Group Policy in Active Directory is that the more Group Policy settings you employ in your organization, the greater the potential impact of moving a user or computer from one Organizational Unit (OU) to another.

For example, you could have Group Policy settings that define what applications a user sees; what programs are forbidden from running, via Software Restriction Policies; what control panels the user can access; what devices may be installed and/or used; etc. ad infinitum. It takes about two seconds to drag-and-drop a user or computer account from one OU to another in the ADUC console (Active Directory Users and Computers), but the effects of doing that can be huge!

As a result, I find that as organizations mature and take greater advantage of Group Policy, they should simultaneously refine their procedures in terms of moving accounts between OU’s, to ensure that a two-second act by a domain admin doesn’t create a two-day headache for a user whose world has just been rocked by the change. A checklist for domain admins would not be a half-bad idea.

Ou's

By Jim (not verified) on Wed, 07/22/2009 - 3:08pm.

Sounds like novell directory services to me.

Post new comment

Welcome, visitor. Register Log in

About Glenn Weadock on Windows Server 2008

Glenn Weadock is a longtime instructor for Global Knowledge and teaches Windows 7, Server 2008, and Active Directory. He has recently co-developed with Mark Wilkins two advanced Server 2008 classes in the Microsoft Official Curriculum. Glenn also consults through his Colorado-based company Independent Software, Inc. and is technical director of MarketCoach Investment Education Software LLC.