The perils of drag-and-drop in AD
One of the interesting things about Group Policy in Active Directory is that the more Group Policy settings you employ in your organization, the greater the potential impact of moving a user or computer from one Organizational Unit (OU) to another. For example, you could have Group Policy settings that define what applications a user sees; what programs are forbidden from running, via Software Restriction Policies; what control panels the user can access; what devices may be installed and/or used; etc. ad infinitum. It takes about two seconds to drag-and-drop a user or computer account from one OU to another in the ADUC console (Active Directory Users and Computers), but the effects of doing that can be huge! As a result, I find that as organizations mature and take greater advantage of Group Policy, they should simultaneously refine their procedures in terms of moving accounts between OU’s, to ensure that a two-second act by a domain admin doesn’t create a two-day headache for a user whose world has just been rocked by the change. A checklist for domain admins would not be a half-bad idea.




