GPO per server basis

  • GPO per server basis

    Hi all, I've been working with Active Directory for the past 8 years or so and I've never seen this before. Someone in our organization is currently pushing for a GPO per server approach which doesn't feel right in my mind. I've always defined my GPOs in the past making sure to "group" common parameters at the top of the OU structures and applying exceptions with smaller GPOs using security filtering. Here, it's the complete opposite. At term, we would have next to 2000 servers in that domain. I'm estimating that we would have at least 3000 GPOs (1/server + any exceptions). Of course we would use new features from 2k8 to reduce the load on replication (DFS-R) and space requirements (central store, removal of .adm) but still... I don't feel like it's a good way to go. I won't go into the detail of how they will enforce an RBAC model in this (imagine one group per permission per server). They are creating at least 25 different groups for each server at the moment, and this number will rise as new permission requirements come. I've seen the GPO per server approach in small businesses, but for an enterprise-wide solution, I believe that the management of this will become a huge mess in the future. I get a headache just thinking about the management of the GPOs, even if we're planning to use AGPM and/or other tools. Am I the only one who feels that this is wrong?? Thanks

  • #2
    Re: GPO per server basis

    Yeah, that sounds like a bad idea to me, not to mention the management nightmare and overall overhead of a design like this. What is the thought process behind this idea?

    • #3
      Re: GPO per server basis

      Surely the whole point of Active Directory is that you group objects and manage the groups:
      For permissions you use security groups
      For delegation you use OUs
      For policies you use the LSDOU model, so mainly OUs

      Attempting to manage each server on its own (which is what I read the above) will become a nightmare.

      Even in small businesses, you manage OUs (maybe with a single server) so you can expand quickly and easily!
      Tom Jones
      MCT, MCSE (2000:Security & 2003), MCSA:Security & Messaging, MCDBA, MCDST, MCITP(EA, EMA, SA, EDA, ES, CS), MCTS, MCP, Sec+
      PhD, MSc, FIAP, MIITT
      IT Trainer / Consultant
      Ossian Ltd
      Scotland

      ** Remember to give credit where credit is due and leave reputation points where appropriate **

      • #4
        Re: GPO per server basis

        So if you wanted to update your server baseline you'd have to update 2000 GPOs instead of one! That would be soooo much fun, it just gives me goose pimples.
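
The trade-off discussed in this thread, as an added example that is not part of any poster's message: a simplified Python model of GPO processing order (LSDOU, later GPO wins) with security filtering, comparing a layered baseline-plus-exception design with one GPO per server. All GPO, group, setting and server names are constructed, and enforced links and blocked inheritance are left out.

```python
# Added illustration: simplified model of GPO processing order and filtering.
# Every GPO name, group, setting and server name below is constructed.
from dataclasses import dataclass, field

@dataclass
class GPO:
    name: str
    settings: dict
    apply_to: set = field(default_factory=lambda: {"Authenticated Users"})

def resultant(links, member_of):
    """Merge GPOs in processing order (Local, Site, Domain, OU, child OU).
    A later GPO overwrites a conflicting earlier setting; a GPO is skipped
    unless the computer belongs to a group in its security filter."""
    result = {}
    for gpo in links:
        if gpo.apply_to & member_of:
            result.update(gpo.settings)
    return result

def gpos_to_edit(gpos, setting):
    """GPOs that have to be changed to alter `setting` for every server."""
    return [g.name for g in gpos if setting in g.settings]

def drifted(per_server, baseline, allowed):
    """Servers whose own GPO differs from the baseline without an approved exception."""
    return sorted(s for s, g in per_server.items()
                  if g.settings != baseline and s not in allowed)

SERVERS = [f"SRV{i:04d}" for i in range(1, 2001)]
BASELINE = {"MinPasswordLength": 14, "SMB1": "Disabled", "RDP_NLA": "Required"}

# Layered design: one baseline GPO on the servers OU plus one filtered exception.
LAYERED = [GPO("Servers-Baseline", dict(BASELINE)),
           GPO("Exception-LegacySMB", {"SMB1": "Enabled"}, {"GRP-Legacy-SMB"})]

# Per-server design: each server carries its own copy of the baseline.
PER_SERVER = {s: GPO(f"GPO-{s}", dict(BASELINE), {s}) for s in SERVERS}
PER_SERVER["SRV0007"].settings["SMB1"] = "Enabled"        # approved exception
PER_SERVER["SRV1234"].settings["MinPasswordLength"] = 8   # unnoticed hand edit

if __name__ == "__main__":
    print(resultant(LAYERED, {"Authenticated Users", "GRP-Legacy-SMB"}))
    print(len(gpos_to_edit(LAYERED, "MinPasswordLength")),
          len(gpos_to_edit(PER_SERVER.values(), "MinPasswordLength")))
    print(drifted(PER_SERVER, BASELINE, allowed={"SRV0007"}))
```

Both designs give the excepted server the same resultant settings; the difference is how many objects a baseline change touches and how easily a single copy can drift unnoticed.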

        • #5
          Re: GPO per server basis

          Mind you, as a consultant on an hourly rate, it has some potential advantages
          Tom Jones