
Permissions

If you are following along in a lab of your own, you have probably not run into any trouble or limitations so far, because you are most likely logging in to your servers or management workstations with an account that is a member of the Domain Admins group. In fact, you may even be logging in as the domain administrator account.

Sidenote: Do not use the domain administrator account to log in to servers! In a test lab, that's fine. But in a production network, you should absolutely be getting away from ever touching that account. It should be locked down and locked out, and your IT staff should not know what the password is so they can't use it even if they forget that they shouldn't use it. Using the domain administrator account can turn into a major security hole so fast it'll make your head spin. I see far too many server admins using it for everyday tasks that could easily be done with their own accounts.

Now, moving off my soapbox, domain administrators and enterprise administrators have access to do whatever they want inside Group Policy. Anybody else, however, is limited. This is important to understand as you move into Group Policy administration. In the wild, by far the most common way to grant an admin access to manipulate Group Policy is to add their domain user account to the Domain Admins group, which is fine but not ideal. There are more fine-grained ways of giving permissions inside GPMC that don't require quite this level of access.

Later in the book, we will explore delegation of privileges within Group Policy, essentially showing you an alternative way to give a user the rights they need in order to administer only parts and pieces of Group Policy, but for now we just need to understand that you won't get very far in GPMC without being a member of either Domain Admins or Enterprise Admins.

A quick aside regarding sites. Even though we will be able to delegate some permissions to non-admin users later, this is not the case with site administration. To be honest, flagging GPOs to be applied at the site level is not a common practice. It's very rare that I find people doing that, because few use cases make it practical. However, should you discover the need to modify Active Directory sites or link GPOs at the site level, you will need to use an account that is a Domain Admin or Enterprise Admin. Again, most server administrators are already Domain Admins (though this is becoming less common as security levels increase) or have access to a Domain Admin account on an as-needed basis, so that is most often the level of permissions you will have when working within Group Policy, and it will allow you to do whatever you need.
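Since membership in Domain Admins or Enterprise Admins is what grants full control in Group Policy, it is worth knowing exactly who holds it and whether the built-in domain administrator account is in use. The following is an added example, not code from the book; it assumes the RSAT ActiveDirectory module and an account that can read the directory.

```powershell
# Added example: run from a domain-joined management workstation with the RSAT
# ActiveDirectory module installed. Read-only; it changes nothing.
Import-Module ActiveDirectory

$domain     = Get-ADDomain
$rootDomain = Get-ADDomain -Identity (Get-ADForest).RootDomain

# Well-known RIDs: 512 = Domain Admins, 519 = Enterprise Admins (exists only in
# the forest root domain), 500 = built-in Administrator account.
$groups = @(
    @{ Sid = "$($domain.DomainSID)-512";     Server = $domain.DNSRoot }
    @{ Sid = "$($rootDomain.DomainSID)-519"; Server = $rootDomain.DNSRoot }
)

# Everyone who holds full Group Policy rights through these two groups,
# including accounts that arrive via nested groups (-Recursive).
$members = foreach ($g in $groups) {
    $group = Get-ADGroup -Identity $g.Sid -Server $g.Server
    Get-ADGroupMember -Identity $group -Server $g.Server -Recursive |
        Select-Object @{ n = 'Group'; e = { $group.Name } },
                      Name, SamAccountName, objectClass, SID
}
$members | Sort-Object Group, SamAccountName | Format-Table -AutoSize

# The built-in Administrator account: has it been used recently?
# LastLogonDate is derived from lastLogonTimestamp, which replicates lazily,
# so treat it as approximate (it can lag by roughly two weeks).
Get-ADUser -Identity "$($domain.DomainSID)-500" -Properties LastLogonDate, PasswordLastSet |
    Select-Object SamAccountName, Enabled, LastLogonDate, PasswordLastSet
```

Looking the groups and the account up by well-known RID rather than by name keeps the check working where they have been renamed.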
