Key Points
1. Group Policy is a mechanism for managing a wide range of settings from a central point.
2. You can create multiple Group Policy Objects (GPOs), and you can link one GPO at different levels (site, domain, OU).
3. The same GPO can be linked to several places, and multiple GPOs can be linked to one place.
4. A GPO linked at a different level has a different precedence.
5. Group Policy is applied in the order local, site, domain, OU (parent OU before child OU); later settings override earlier ones, so a GPO linked to the OU closest to the object has the highest priority.
6. Besides the above precedence, the "No Override" (called "Enforced" in GPMC) and "Block Policy Inheritance" settings change how policy is applied: blocking inheritance on an OU discards non-enforced GPOs from parent containers, while an enforced link cannot be blocked and wins over any lower-level link.
7. Group Policy can be filtered by security group (the Apply Group Policy permission on the GPO) or by WMI filters.
8. Under some special circumstances, for example terminal servers or kiosks where user settings should depend on the computer, you may want to enable "loopback processing".
9. IMPORTANT: do NOT unlink or delete the "Default Domain Policy" and "Default Domain Controllers Policy".
Account policy (password, account lockout, Kerberos) can be set either at the domain level (AD environment) or at the local level (workgroup). An account policy defined at any other level, such as a GPO linked to an OU, does not take effect against domain user accounts, but it does take effect against the local user accounts on the computers that sit in that OU.
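As an added example, not from the original post, the following PowerShell function models the precedence rules of key points 5, 6 and 7 above. Containers are passed in processing order (site, domain, then OUs from the top of the tree down to the one holding the object) and the function returns the GPO links in the order they would be applied, so on a conflicting setting the last entry wins. The local GPO, which is processed before all of these and is not a link, is left out of the model, and all container and GPO names are made-up sample data.

```powershell
# Added example: model of Group Policy link precedence (LSDOU order, link order,
# Block Policy Inheritance, No Override/Enforced). Not code from the original post.

function Get-GpoApplyOrder {
    param(
        # Each container: Name, BlockInheritance, Links (Name, Order, Enforced, Disabled)
        [Parameter(Mandatory)] [object[]] $Containers
    )
    $normal   = @()   # non-enforced links, in apply order
    $enforced = @()   # "No Override"/Enforced links, in processing order

    foreach ($c in $Containers) {
        if ($c.BlockInheritance) {
            # Block Policy Inheritance discards every non-enforced link inherited
            # from parent containers; enforced links cannot be blocked.
            $normal = @()
        }
        # Within one container, link order 1 has the highest precedence, so it
        # must be applied last: walk the links in descending link order.
        foreach ($l in @($c.Links | Sort-Object -Property Order -Descending)) {
            if ($l.Disabled) { continue }
            $entry = "$($c.Name) -> $($l.Name)"
            if ($l.Enforced) { $enforced += $entry } else { $normal += $entry }
        }
    }
    # Enforced links are applied after all normal links, and among them the one
    # linked highest in the hierarchy (closest to the domain) wins, so they are
    # applied in reverse processing order.
    [array]::Reverse($enforced)
    return $normal + $enforced
}

# Sample hierarchy (constructed data): the Workstations OU blocks inheritance.
$containers = @(
    [pscustomobject]@{ Name = 'Site Default-First-Site'; BlockInheritance = $false; Links = @(
        [pscustomobject]@{ Name = 'SiteProxy'; Order = 1; Enforced = $false; Disabled = $false }) }
    [pscustomobject]@{ Name = 'Domain contoso.local'; BlockInheritance = $false; Links = @(
        [pscustomobject]@{ Name = 'Default Domain Policy'; Order = 1; Enforced = $false; Disabled = $false },
        [pscustomobject]@{ Name = 'Password-Lockout';      Order = 2; Enforced = $true;  Disabled = $false }) }
    [pscustomobject]@{ Name = 'OU Workstations'; BlockInheritance = $true; Links = @(
        [pscustomobject]@{ Name = 'WS-Baseline'; Order = 1; Enforced = $false; Disabled = $false },
        [pscustomobject]@{ Name = 'WS-Legacy';   Order = 2; Enforced = $false; Disabled = $true }) }
    [pscustomobject]@{ Name = 'OU Workstations/Kiosks'; BlockInheritance = $false; Links = @(
        [pscustomobject]@{ Name = 'Kiosk-Lockdown'; Order = 1; Enforced = $true; Disabled = $false }) }
)

# Print the apply order; the last line is the GPO that wins any conflict.
$n = 0
foreach ($entry in Get-GpoApplyOrder -Containers $containers) {
    $n++
    "{0}. {1}" -f $n, $entry
}
```

In this sample the block on the Workstations OU drops the site link and the Default Domain Policy, the disabled WS-Legacy link is skipped, and the enforced Password-Lockout link survives the block and is applied after the enforced Kiosk-Lockdown link because it is linked higher in the hierarchy. Compare the model's output with `gpresult` on a real machine when you need to confirm a precedence question.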
Dec 16, 2005
Setting Up An Exchange Infrastructure For Small Business Step By Step (Part II)
This post is removed as it's too lengthy. Anyone who is interested can email me for a copy. Thanks.
Nov 25, 2005
About Lingering Object
- What is a lingering object?
A lingering object is an object that still exists on a DC holding a read-only replica of a partition (typically a GC) after it has been deleted and garbage-collected on the writable DCs of the domain that owns it. You can produce a lingering object as follows:
1) Suppose you have two domains, root.local and child.root.local
2) Take a GC in root domain offline, let's say it is called gc.root.local
3) Remove a user account from child.root.local, let's say it's called poorGuy
4) Wait longer than the tombstone lifetime (60 days by default in Windows 2000 and Windows Server 2003; 180 days for forests created on Windows Server 2003 SP1 or later)
5) Put the GC in root domain back to network
At this point gc.root.local still holds poorGuy. Because the deletion has already been garbage-collected on every other DC, the tombstone is gone and there is nothing left to replicate to gc.root.local that would tell it to delete the object. And because child.root.local is a read-only partition on gc.root.local, you cannot delete poorGuy there through the normal UI. poorGuy is now a lingering object on gc.root.local.
- How to remove lingering objects?
Lingering objects can cause a variety of issues, including email non-delivery, duplicates in the GAL, and blocked replication of the affected partition.
Q314282 gives very detailed steps for removing lingering objects, but very few people get it right on the first few tries. The key points:
1) Use the DSA GUID of a DC that holds a writable copy of the domain. In the above example, select a DC from child.root.local
2) Run the procedure on every GC that contains the lingering object
3) Make sure you delete leaf objects before their parent objects
TIPS:
- If both the source and the destination DCs are Windows Server 2003, you can use the "repadmin /removelingeringobjects <GC> <source DSA GUID> <naming context>" option (add /advisory_mode first to list what would be removed without deleting anything)
- In an environment with many GCs, it is strongly recommended to use a script. Otherwise, before you finish removal on the last GC, the lingering object may already have been replicated back to the first GC.
- If you really want to use the manual procedure, disable inbound replication on each GC as soon as you finish removal on it, and re-enable it once you have finished on all GCs: "repadmin /options <GC> +DISABLE_INBOUND_REPL" to disable and "repadmin /options <GC> -DISABLE_INBOUND_REPL" to enable again
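As an added example, not part of the original post, the following PowerShell script wraps the repadmin-based removal described in the tips above for an environment with several GCs. It disables inbound replication on every GC before starting, cleans each GC against the writable source DC, and re-enables replication afterwards even if a step fails, which avoids the "replicated back before you finish" problem. It assumes Windows Server 2003 or later DCs with repadmin.exe on the path; the host names (gc.root.local, gc2.root.local, dc1.child.root.local) and the naming context follow the root.local / child.root.local example and are hypothetical.

```powershell
# Added example: scripted lingering-object removal with repadmin across several GCs.
# Not code from the original post; host names below are hypothetical.

function Get-DsaObjectGuid {
    # Reads the "DSA object GUID: <guid>" line from "repadmin /showrepl" for the
    # reference DC, i.e. a writable DC of the domain that owns the objects.
    param([Parameter(Mandatory)][string]$DomainController)
    $out = & repadmin /showrepl $DomainController 2>&1
    foreach ($line in $out) {
        if ("$line" -match 'DSA object GUID:\s*([0-9a-fA-F-]{36})') { return $Matches[1] }
    }
    throw "Could not read the DSA object GUID of $DomainController from repadmin /showrepl"
}

function Remove-LingeringObjectsFromGCs {
    param(
        [Parameter(Mandatory)][string[]]$GlobalCatalogs,   # GCs holding the read-only replica
        [Parameter(Mandatory)][string]$SourceDC,           # writable DC of the owning domain
        [Parameter(Mandatory)][string]$NamingContext,      # e.g. DC=child,DC=root,DC=local
        [switch]$AdvisoryMode                              # report only, delete nothing
    )
    $sourceGuid = Get-DsaObjectGuid -DomainController $SourceDC

    # 1. Stop every GC from pulling changes, so an object removed from one GC
    #    cannot be replicated back from a GC that has not been cleaned yet.
    if (-not $AdvisoryMode) {
        foreach ($gc in $GlobalCatalogs) { & repadmin /options $gc +DISABLE_INBOUND_REPL | Out-Null }
    }
    try {
        # 2. Remove (or, in advisory mode, only list) lingering objects on each GC,
        #    comparing its partial replica against the writable source DC.
        foreach ($gc in $GlobalCatalogs) {
            Write-Host "== $gc =="
            $ra = @($gc, $sourceGuid, $NamingContext)
            if ($AdvisoryMode) { $ra += '/advisory_mode' }
            & repadmin /removelingeringobjects @ra
            if ($LASTEXITCODE -ne 0) { Write-Warning "repadmin returned exit code $LASTEXITCODE on $gc" }
        }
    }
    finally {
        # 3. Re-enable inbound replication everywhere, even if a step failed.
        if (-not $AdvisoryMode) {
            foreach ($gc in $GlobalCatalogs) { & repadmin /options $gc -DISABLE_INBOUND_REPL | Out-Null }
        }
    }
}

# Usage following the example above (hypothetical hosts): dry run first, then the real removal.
Remove-LingeringObjectsFromGCs -GlobalCatalogs 'gc.root.local', 'gc2.root.local' `
    -SourceDC 'dc1.child.root.local' -NamingContext 'DC=child,DC=root,DC=local' -AdvisoryMode
Remove-LingeringObjectsFromGCs -GlobalCatalogs 'gc.root.local', 'gc2.root.local' `
    -SourceDC 'dc1.child.root.local' -NamingContext 'DC=child,DC=root,DC=local'
```

Run the advisory pass and read its output before the real pass: it shows which objects each GC would delete, which is the moment to catch a wrong source DC or naming context. Disabling inbound replication on all GCs up front is stricter than the per-GC variant in the tip above, but it is simpler to reason about and the finally block guarantees replication is switched back on.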