Discussion on:
View:
Show:
I'd like to know the threshold for too much filtering. Also, I know you get a performance hit if too many GPO's are enforced. Is there a quantifiable number for what is too much?
I am not sure you will see a huge performance hit for enforcing GPOs. I imagine if you enforced thousands of them you might, but spread across domain controllers, even that shouldnt be an issue.
Since Windows and AD do not limit groups (as far as I know) there shouldnt be any limitation as far as filtering. I guess the only thing to watch for would be cases when you have more filters than are useful, best fix for that is extremely good documentation of your GPOs and their usage.
Since Windows and AD do not limit groups (as far as I know) there shouldnt be any limitation as far as filtering. I guess the only thing to watch for would be cases when you have more filters than are useful, best fix for that is extremely good documentation of your GPOs and their usage.
There are too many factors:
-Bandwidth
-Number of domain controllers
-Number of computer accounts
-Complexity of configuration
As a general rule, things get hairy ONLY when you use Active Directory to push some major bits - Such as a software installation package.
Then enterprise system management is the way to go.
-Bandwidth
-Number of domain controllers
-Number of computer accounts
-Complexity of configuration
As a general rule, things get hairy ONLY when you use Active Directory to push some major bits - Such as a software installation package.
Then enterprise system management is the way to go.
This is a great method and thank you for going over it simply with good pictures. This method is taught in Microsoft's own Windows 2008 classes and is an important concept since you can't have an OU for everything and OU's should be ordered by delegation. Sometimes, it makes sense for a GPO to apply to a security group.
We do this for our "test computers" as their security group is allowed by a GPO. This "Test Group" GPO only depends on member workstations in the group, not entirely based on OU inhertiance.
We do this for our "test computers" as their security group is allowed by a GPO. This "Test Group" GPO only depends on member workstations in the group, not entirely based on OU inhertiance.
Hey there,
thank you for your article. I used the same procedure to apply a Gp using security filtering with a Security Group. I have made myself a member of the security group, I have added the Security Group and given it read, and apply gp permissions to the gp scope. I have removed the apply permissions for the Authenticated Users group. After i do my gp update etc and gpresult, i see that there is an access denied issue.
However if i explicitly add my user account and give it read and apply permissions to the GP scope it works fine.
Can you help me troubleshoot why i am getting access denied when applying it to the group that i am a member of?
thank you for your article. I used the same procedure to apply a Gp using security filtering with a Security Group. I have made myself a member of the security group, I have added the Security Group and given it read, and apply gp permissions to the gp scope. I have removed the apply permissions for the Authenticated Users group. After i do my gp update etc and gpresult, i see that there is an access denied issue.
However if i explicitly add my user account and give it read and apply permissions to the GP scope it works fine.
Can you help me troubleshoot why i am getting access denied when applying it to the group that i am a member of?
- Keyboard Shortcuts:
- Prev
- Next
- Toggle
