| Author |
Subdomains and GPOs
|
|
| Tech Ranger 2003-02-06, 8:36 pm |
| I have posted on this subject before. Everyone here seems to say that subdomains do not inherit any GPOs from their parent domains. Now I am studying a book that implies that there is a connection between parent and subdomains with respect to Group Policy. Does anyone have a definitive answer on this. | |
| Slinky 2003-02-06, 9:17 pm |
| When a GPO is applied to the domain level, it affects all the users and computers belonging to that particular domain. With that said, GPOs don't flow from parent to child domain. | |
| Djalminha 2003-02-07, 8:53 am |
| TechRanger,
Slinky is right, GPO's don't flow from parent to child domains.
Some technical information about :
Deciding When to Create a Domain
To put Windows 2000 into service, your company will require at least one domain. Because Active Directory can handle millions of objects and span multiple sites, one domain might be sufficient for your needs. You might consider creating additional domains in order to accomplish one of the following goals:
Delimit security. A Windows 2000 domain defines a security boundary. Security policies and settings (such as administrative rights and access control lists) do not cross from one domain to another. Active Directory can include one or more domains, each with its own security policies.
Apply Group Policy. A domain defines one possible scope for policy (Group Policy settings can also be applied to OUs or sites). Applying a Group Policy object (GPO) to the domain establishes how domain resources can be configured and used. For example, you can use Group Policy to control desktop settings, such as desktop lockdown and application deployment. These policies are applied only within the domain and not across domains.
For more information:
http://www.microsoft.com/technet/tr...oy/febdesad.asp
P.S. There's a lot of information on Technet about AD.
{}'s | |
| jeff_j_black 2003-02-07, 9:12 am |
| Yes in brief, a domain is a security and administrative boundary.
Each domain has it's own unique 'Default Domain Policy'.
You can of course, apply GPO across domains, but it is not recommended for performance reasons. | |
| Tech Ranger 2003-02-07, 6:52 pm |
| If you modify the default domain policy of the root domain of the forest before creating a subdomain, will the subdomain receive the modified GPO or a fresh default policy? | |
| jeff_j_black 2003-02-07, 10:22 pm |
| Should just be a fresh policy... | |
| Tech Ranger 2003-02-13, 8:04 pm |
| I finally figured out why my book talks about subdomains and inheritance of GPOs: subdomains do inherit GPOs from sites. Of course, the same is true for domains. | |
| Slinky 2003-02-13, 8:15 pm |
| quote:
Originally posted by Tech Ranger
I finally figured out why my book talks about subdomains and inheritance of GPOs: subdomains do inherit GPOs from sites. Of course, the same is true for domains.
True. Also you don't even have to be in the same namespace to inherit GPOs. Remember, a domain can span multiple sites, or multiple domains can be contained in one site. | |
| jeff_j_black 2003-02-14, 7:12 pm |
| That is a very clear outcome from your original query. Great thread. | |
| tegconsult 2003-02-18, 12:58 pm |
| As domains are security bounderies, subdomains don't inherit GPOs from parents |
|
|
|