Use of Restricted Groups

Ryan Sanders · Dec 6, 2006

I am looking to use Restricted Groups on several domain security groups.
I would like to create a domain level GPO that contains explicit
membership to several highly sensitive security groups. I have read in
the documentation on this and it says it is not advise on Domain
Controllers.

What I can not find is why not. This works great in my lab.

Other considerations?

Thanks!

Jorge de Almeida Pinto [MVP - DS] · Dec 6, 2006

because ALL DCs will try to do the same as soon as they know about it...

read more here:
http://blogs.dirteam.com/blogs/gpog...y-and-AD-groups_2D002D00_not-a-good-idea.aspx

--

Cheers,
(HOPEFULLY THIS INFORMATION HELPS YOU!)

# Jorge de Almeida Pinto # MVP Windows Server - Directory Services

BLOG (WEB-BASED)--> http://blogs.dirteam.com/blogs/jorge/default.aspx
BLOG (RSS-FEEDS)--> http://blogs.dirteam.com/blogs/jorge/rss.aspx

Ryan Sanders · Dec 6, 2006

Jorge said:
because ALL DCs will try to do the same as soon as they know about it...

read more here:
http://blogs.dirteam.com/blogs/gpog...y-and-AD-groups_2D002D00_not-a-good-idea.aspx

Great reading. Thanks for the input.

Based off that reading I am lead to believe that if I have a single DC
then I should not have problems using restricted groups to control
domain group membership?

Jorge de Almeida Pinto [MVP - DS] · Dec 6, 2006

true...
but what would happen if you suddendly install another DC and forget about
that configuration?

--

Cheers,
(HOPEFULLY THIS INFORMATION HELPS YOU!)

# Jorge de Almeida Pinto # MVP Windows Server - Directory Services

BLOG (WEB-BASED)--> http://blogs.dirteam.com/blogs/jorge/default.aspx
BLOG (RSS-FEEDS)--> http://blogs.dirteam.com/blogs/jorge/rss.aspx

Ryan Sanders · Dec 6, 2006

Jorge said:
true...
but what would happen if you suddendly install another DC and forget about
that configuration?

Understood.

Thanks,
Ryan

Joe Richards [MVP] · Dec 8, 2006

And of course a single DC is a bad thing. It means on any kind of
failure you are doing a full domain restore. This isn't something you
generally want to have to do. Even if the second DC is a very small
underpowered machine it is better than nothing because it can reduce
your complete and utter downtime from hours/days to nothing and just
running in a reduced capacity. Plus you don't have to restore, you can
just rebuild and repromote your main DC which is much preferred to a
recovery.

--
Joe Richards Microsoft MVP Windows Server Directory Services
Author of O'Reilly Active Directory Third Edition
www.joeware.net

---O'Reilly Active Directory Third Edition now available---

http://www.joeware.net/win/ad3e.htm

Remove Domain Admins ability from "Delegation Of Control"	5	Dec 21, 2005
Can AD groups be restricted using Restrictive Groups?	1	Oct 4, 2005
Restricted Groups	3	Oct 16, 2003
Restricted Groups problem !!!	6	Apr 28, 2004
Restricted Groups > Local Administrators	3	Dec 3, 2004
Removing domain local groups from Wind XP local administrators gro	3	Oct 18, 2005
Restricted Groups Problem	3	Apr 2, 2005
Restricted groups strange ......	1	Nov 17, 2005

Use of Restricted Groups

Ryan Sanders

Jorge de Almeida Pinto [MVP - DS]

Ryan Sanders

Jorge de Almeida Pinto [MVP - DS]

Ryan Sanders

Joe Richards [MVP]

Ask a Question

Similar Threads