Permissions

If you are following along with a lab of your own, you are probably not running into any trouble or limitations, because you are likely logging in to your servers or management workstations with an account that is a member of the Domain Admins group. In fact, you may even be logging in as the domain Administrator account itself.

Sidenote: Do not use the domain administrator account to log in to servers! In a test lab, that's fine. But in a production network, you should absolutely be getting away from ever touching that account. It should be locked down and locked out, and your IT staff should not know what the password is so they can't use it even if they forget that they shouldn't use it. Using the domain administrator account can turn into a major security hole so fast it'll make your head spin. I see far too many server admins using it for everyday tasks that could easily be done with their own accounts.
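As an added example that is not from the book, the following PowerShell audit (run from a management host with the RSAT ActiveDirectory module) answers the two questions the sidenote raises: is the built-in domain Administrator account still being used, and who currently holds the Domain Admins and Enterprise Admins memberships that grant unrestricted Group Policy access? The 30-day "recently used" threshold is an assumption chosen for illustration.

```powershell
# Added example, not from the book. Requires the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

$domain = Get-ADDomain

# The built-in Administrator account always has RID 500, whatever it has been renamed to,
# so look it up by SID rather than by name.
$builtinAdmin = Get-ADUser -Identity "$($domain.DomainSID.Value)-500" `
    -Properties LastLogonDate, PasswordLastSet, Enabled, MemberOf

$staleAfterDays = 30   # assumption: anything newer than this counts as "in everyday use"
$recentlyUsed   = $builtinAdmin.LastLogonDate -and
                  $builtinAdmin.LastLogonDate -gt (Get-Date).AddDays(-$staleAfterDays)

[PSCustomObject]@{
    Account         = $builtinAdmin.SamAccountName
    Enabled         = $builtinAdmin.Enabled
    LastLogonDate   = $builtinAdmin.LastLogonDate
    PasswordLastSet = $builtinAdmin.PasswordLastSet
    RecentlyUsed    = [bool]$recentlyUsed   # True means someone is still logging in with it
} | Format-List

# Enumerate the groups that can do anything they want in Group Policy.
# Enterprise Admins only exists in the forest root domain, so tolerate a lookup failure.
foreach ($group in 'Domain Admins', 'Enterprise Admins') {
    try {
        Get-ADGroupMember -Identity $group -Recursive -ErrorAction Stop |
            Where-Object { $_.objectClass -eq 'user' } |
            Select-Object @{ n = 'Group'; e = { $group } }, SamAccountName, DistinguishedName
    }
    catch {
        Write-Warning "Could not enumerate '$group' in $($domain.DNSRoot): $($_.Exception.Message)"
    }
}
```

A RecentlyUsed value of True, or a Domain Admins list that contains the everyday accounts of your server administrators, is exactly the situation the sidenote warns about; LastLogonDate is replicated only every 9 to 14 days by default, so treat it as approximate.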

Now, moving off my soapbox, domain administrators and enterprise administrators have access to do whatever they want inside Group Policy. Anybody else, however, is limited. This is important to understand as you move into Group Policy administration. In the wild, by far the most common way to grant an admin access to manipulate Group Policy is to add their domain user account to the Domain Admins group, which is fine but not ideal. There are more fine-grained ways of giving permissions inside GPMC that don't require quite this level of access.

Later in the book, we will explore delegation of privileges within Group Policy, which is an alternative way to give a user only the rights they need to administer particular parts and pieces of Group Policy. For now, just understand that you won't get very far in GPMC without being a member of either Domain Admins or Enterprise Admins.
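To make the "more fine-grained ways" concrete, here is an added PowerShell example (not from the book, and not the book's own delegation walkthrough) that uses the GroupPolicy module to grant a group edit rights on a single GPO instead of adding anyone to Domain Admins. The GPO name and group name are assumptions for illustration.

```powershell
# Added example, not from the book. Requires the GroupPolicy module (installed with GPMC).
Import-Module GroupPolicy

$gpoName   = 'Workstation Baseline'      # assumption: an existing GPO in your domain
$groupName = 'GPO-Workstation-Editors'   # assumption: a security group for the delegated admins

# Step 1: record who can do what on this GPO before changing anything.
Get-GPPermission -Name $gpoName -All |
    Select-Object @{ n = 'Trustee'; e = { $_.Trustee.Name } }, TrusteeType, Permission, Inherited |
    Format-Table -AutoSize

# Step 2: grant the group GpoEdit, which allows changing settings but not deleting the GPO
# or modifying its security, so the delegated admins cannot widen their own access.
Set-GPPermission -Name $gpoName -TargetName $groupName -TargetType Group -PermissionLevel GpoEdit

# Step 3: verify the result for that one trustee.
$granted = Get-GPPermission -Name $gpoName -TargetName $groupName -TargetType Group
"{0} now holds {1} on '{2}'" -f $groupName, $granted.Permission, $gpoName
```

This covers rights on the GPO object itself; permission to link a GPO to an OU is a separate right that is delegated on the OU in Active Directory, and, as the next section notes, linking at the site level still requires Domain Admins or Enterprise Admins.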

A quick aside regarding sites. Even though we will be able to delegate some permissions later to non-admin type users, this is not the case with site administration. To be honest, flagging GPOs to be applied at the site level is not a common practice. It's very rare that I find people doing that, because the use cases where it is practical are rare. However, should you discover the need to modify Active Directory sites or link GPOs at the site level, you will need to use an account that is a Domain or Enterprise Admin. Again, since most server administrators are already either Domain Admins (though this is becoming less common as security levels increase) or have access to a Domain Admin account on an as-needed basis, that is most often the level of permissions you will have when working within Group Policy, which will allow you to do whatever you need.
