A warning on cross-domain policy linking

In our test lab, we have no plans to grow into an environment large enough to host multiple domains, but this is a scenario you can easily stumble into when doing IT work for a business. When a forest contains more than one domain, Active Directory lets you link a GPO that lives in one domain to OUs in a different domain.

Don't do it!

This is called cross-domain policy linking, and it is generally a bad practice. Such links are easy to lose track of, and an administrator in one domain can unknowingly interfere with settings that an administrator in another domain put in place. You may also have admin rights in your own domain but not in the other one, so when something goes wrong your options for fixing it are limited at best. There is a processing cost as well: a client applying a cross-domain-linked GPO has to read that GPO from a domain controller in the other domain, so the link depends on the trust and on cross-domain connectivity. Cross-domain links are therefore always at higher risk of being broken or deleted without anyone noticing. If you happen to be relying on that policy when it gets deleted or broken, you are left in a big bind and caught completely unaware.

What is the better method for dealing with a multi-domain scenario? Duplicate your GPOs in each domain, so that every domain links only to GPOs it owns. It is more work up front to recreate all of your GPOs and settings inside each domain, but it is much better in the long run.
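Two things a practitioner wants here are a way to find cross-domain links that already exist and a repeatable way to duplicate a GPO into another domain instead of linking across. The following PowerShell is an added example, not code from the book; it assumes two domains, corp.example and child.corp.example, a GPO called "Baseline Security", a backup folder of C:\GPOBackups, and that the GroupPolicy and ActiveDirectory modules are installed. All of those names are placeholders.

```powershell
# Added example, not from the book. Placeholder domains, GPO name and backup path.
Import-Module ActiveDirectory
Import-Module GroupPolicy

function Get-CrossDomainGpoLink {
    # Walks every OU in $Domain and reports links whose GPO lives in a different domain.
    # Only OU links are checked; domain-root and site links are out of scope here.
    param([Parameter(Mandatory)][string]$Domain)

    $domainDn = (Get-ADDomain -Server $Domain).DistinguishedName
    # gPLink stores each link as [LDAP://<GPO DN>;<flags>]; flags bit 1 = link disabled, bit 2 = enforced.
    $pattern = '\[LDAP://(?<dn>[^;]+);(?<flags>\d+)\]'

    Get-ADOrganizationalUnit -Filter * -Server $Domain -Properties gPLink |
        Where-Object { $_.gPLink } |
        ForEach-Object {
            $ou = $_
            foreach ($m in [regex]::Matches($ou.gPLink, $pattern)) {
                $gpoDn = $m.Groups['dn'].Value
                # The GPO's home domain is the DC=... tail of its DN (after cn=system).
                $gpoDomainDn = ($gpoDn -split ',(?=DC=)', 2)[1]
                if ($gpoDomainDn -and $gpoDomainDn -ne $domainDn) {
                    $flags = [int]$m.Groups['flags'].Value
                    [pscustomobject]@{
                        OU        = $ou.DistinguishedName
                        GpoDn     = $gpoDn
                        GpoDomain = $gpoDomainDn
                        Enforced  = ($flags -band 2) -ne 0
                        Disabled  = ($flags -band 1) -ne 0
                    }
                }
            }
        }
}

function Copy-GpoToDomain {
    # Backs up a GPO from $SourceDomain and imports it into $TargetDomain under the same name,
    # creating the target GPO if it does not exist yet. Optionally links it to an OU there.
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][string]$SourceDomain,
        [Parameter(Mandatory)][string]$TargetDomain,
        [string]$BackupPath = 'C:\GPOBackups',   # placeholder path
        [string]$LinkToOu                         # optional OU DN in the target domain
    )

    New-Item -ItemType Directory -Path $BackupPath -Force | Out-Null
    Backup-GPO -Name $Name -Domain $SourceDomain -Path $BackupPath | Out-Null

    $imported = Import-GPO -BackupGpoName $Name -Path $BackupPath `
                           -TargetName $Name -Domain $TargetDomain -CreateIfNeeded

    if ($LinkToOu) {
        # The link now points at a GPO owned by the target domain, not across the trust.
        New-GPLink -Name $Name -Target $LinkToOu -Domain $TargetDomain | Out-Null
    }
    return $imported
}

# Usage: audit the child domain for cross-domain links, then replicate the
# parent-domain baseline into the child domain and link the local copy.
Get-CrossDomainGpoLink -Domain 'child.corp.example' | Format-Table -AutoSize
Copy-GpoToDomain -Name 'Baseline Security' -SourceDomain 'corp.example' `
                 -TargetDomain 'child.corp.example' `
                 -LinkToOu 'OU=Workstations,DC=child,DC=corp,DC=example'
```

Run the audit from an account with read access to the OUs in the target domain; the copy requires GPO creation rights there. If the source GPO contains domain-specific security principals or UNC paths (for example in Restricted Groups or folder redirection), pass a migration table to Import-GPO with -MigrationTable so those references are translated for the new domain rather than carried over verbatim.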
