
Permissions

If you are following along in a lab of your own, you have probably not run into any trouble or limitations so far, because you are most likely logging in to your servers or management workstations with an account that is a member of the Domain Admins group. In fact, you may even be logging in as the domain administrator account itself.

Sidenote: Do not use the domain administrator account to log in to servers! In a test lab, that's fine. But in a production network, you should absolutely be getting away from ever touching that account. It should be locked down and locked out, and your IT staff should not know what the password is so they can't use it even if they forget that they shouldn't use it. Using the domain administrator account can turn into a major security hole so fast it'll make your head spin. I see far too many server admins using it for everyday tasks that could easily be done with their own accounts.

Now, moving off my soapbox, domain administrators and enterprise administrators have access to do whatever they want inside Group Policy. Anybody else, however, is limited. This is important to understand as you move into Group Policy administration. In the wild, by far the most common way to grant an admin access to manipulate Group Policy is to add their domain user account to the Domain Admins group, which is fine but not ideal. There are more fine-grained ways of giving permissions inside GPMC that don't require quite this level of access.

Later in the book, we will explore delegation of privileges within Group Policy, essentially showing you an alternative way to give a user the rights they need in order to administer only parts and pieces of Group Policy, but for now we just need to understand that you won't get very far in GPMC without being a member of either Domain Admins or Enterprise Admins.
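To see who can currently change Group Policy in a domain, the following read-only audit is an added example, not code from the book. It assumes a domain-joined management workstation with the RSAT `ActiveDirectory` and `GroupPolicy` modules installed; the variable names and the list of excluded trustees are choices made for this illustration.

```powershell
# Added example: audit who can change Group Policy (read-only, makes no changes).
Import-Module ActiveDirectory, GroupPolicy

# 1. Accounts that get full Group Policy control through group membership.
#    -Recursive expands nested groups down to the accounts inside them.
#    Enterprise Admins lives in the forest root domain, so query that domain.
$rootDomain = (Get-ADForest).RootDomain
$admins = @(
    Get-ADGroupMember -Identity 'Domain Admins' -Recursive
    Get-ADGroupMember -Identity 'Enterprise Admins' -Recursive -Server $rootDomain
) | Sort-Object -Property distinguishedName -Unique

Write-Output "Accounts in Domain Admins / Enterprise Admins: $(@($admins).Count)"
$admins | Select-Object SamAccountName, objectClass, distinguishedName | Format-Table -AutoSize

# 2. Trustees that were granted edit rights on individual GPOs.
#    The default full-control trustees are skipped so that only
#    delegated (fine-grained) grants remain. Assumed exclusion list.
$defaultTrustees = 'Domain Admins', 'Enterprise Admins', 'SYSTEM'
$editRights      = 'GpoEdit', 'GpoEditDeleteModifySecurity'

$delegated = foreach ($gpo in Get-GPO -All) {
    Get-GPPermission -Guid $gpo.Id -All |
        Where-Object {
            ([string]$_.Permission -in $editRights) -and
            ($_.Trustee.Name -notin $defaultTrustees)
        } |
        ForEach-Object {
            [pscustomobject]@{
                Gpo         = $gpo.DisplayName
                Trustee     = $_.Trustee.Name
                TrusteeType = $_.Trustee.SidType
                Permission  = $_.Permission
            }
        }
}

if ($delegated) {
    $delegated | Sort-Object Gpo, Trustee | Format-Table -AutoSize
} else {
    Write-Output 'No delegated edit rights found: every GPO editor is a Domain or Enterprise Admin.'
}
```

A long first list and an empty second one is the pattern described above: everyone who edits GPOs does so through Domain Admins membership rather than through delegated permissions.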

A quick aside regarding sites. Even though we will be able to delegate some permissions to non-admin users later, this is not the case with site administration. To be honest, flagging GPOs to be applied at the site level is not a common practice. It's very rare that I find people doing that, because the use cases where it is practical are rare. However, should you discover the need to modify Active Directory sites or link GPOs at the site level, you will need to use an account that is a Domain or Enterprise Admin. Again, most server administrators are already either Domain Admins (though this is becoming less common as security levels increase) or have access to a Domain Admin account on an as-needed basis, so that is most often the level of permissions you will have when working within Group Policy, and it will allow you to do whatever you need.
